Edit tour

Windows Analysis Report
RSLMZxqebl.exe

Overview

General Information

Sample name:	RSLMZxqebl.exe renamed because original name is a hash value
Original sample name:	8c1abbfb1664d990fc963b506dee588c18ed4c286c4ed0d4d5e75b74175e1af0.exe
Analysis ID:	1587605
MD5:	3fc2b24484dda073e49d5185f1b4d623
SHA1:	205ba4e3999d60014125a2d1ebb801d8eb3fea16
SHA256:	8c1abbfb1664d990fc963b506dee588c18ed4c286c4ed0d4d5e75b74175e1af0
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to resolve many domain names, but no domain seems valid

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

RSLMZxqebl.exe (PID: 7596 cmdline: "C:\Users\user\Desktop\RSLMZxqebl.exe" MD5: 3FC2B24484DDA073E49D5185F1B4D623)

svchost.exe (PID: 7660 cmdline: "C:\Users\user\Desktop\RSLMZxqebl.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

explorer.exe (PID: 3504 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

svchost.exe (PID: 7696 cmdline: "C:\Windows\SysWOW64\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cmd.exe (PID: 7736 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.2creativedesign.online/ud04/"], "decoy": ["oum7.pro", "ovonordisk.online", "akrzus.pro", "tendmtedcpsa.site", "mm.foo", "animevyhgsft29817.click", "digdxxb.info", "1130.vip", "uy-now-pay-later-74776.bond", "ybzert.online", "edcn.link", "rime-flow-bay.xyz", "nd777id.beauty", "otoyama.shop", "lranchomx.xyz", "unluoren.top", "uglesang-troms.net", "udulbet88.net", "raquewear.shop", "ijanarko.net", "iuxy.host", "itaxia.dev", "hisewntbqg.makeup", "talianfood.store", "22gxx.app", "tandkite.fun", "rovideoeditor.shop", "ires-86307.bond", "elitjatarjoukset.click", "rofilern.net", "uycarpaylater-02-t1e-01.today", "futurum.xyz", "inance15.site", "alance-ton-budget.net", "tpuniplay.shop", "dlpli.xyz", "riteon.online", "rippyshaker.shop", "rn10.top", "linko1win.icu", "ugeniolopez.art", "raphic-design-degree-68380.bond", "narchists.info", "uy-now-pay-later-25573.bond", "gzvmt.info", "df.clinic", "onesome.store", "imba-168.net", "ayef.xyz", "64axyozkgl.top", "dult-diapers-53774.bond", "ec.baby", "el-radu-easy4y.one", "asik-eye-surgery-63293.bond", "p-inbox4.click", "0417.one", "ualitystore.shop", "partments-for-rent-61932.bond", "enobscotlobster.online", "fhou.link", "eo56a3oouu.top", "cweb.cyou", "hoe-organizer-za.today", "p806.top"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b907:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18829:$sqlite3step: 68 34 1C 7B E1 0x1893c:$sqlite3step: 68 34 1C 7B E1 0x18858:$sqlite3text: 68 38 2A 90 C5 0x1897d:$sqlite3text: 68 38 2A 90 C5 0x1886b:$sqlite3blob: 68 53 D8 7F 8C 0x18993:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b907:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18829:$sqlite3step: 68 34 1C 7B E1 0x1893c:$sqlite3step: 68 34 1C 7B E1 0x18858:$sqlite3text: 68 38 2A 90 C5 0x1897d:$sqlite3text: 68 38 2A 90 C5 0x1886b:$sqlite3blob: 68 53 D8 7F 8C 0x18993:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b907:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18829:$sqlite3step: 68 34 1C 7B E1 0x1893c:$sqlite3step: 68 34 1C 7B E1 0x18858:$sqlite3text: 68 38 2A 90 C5 0x1897d:$sqlite3text: 68 38 2A 90 C5 0x1886b:$sqlite3blob: 68 53 D8 7F 8C 0x18993:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b907:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18829:$sqlite3step: 68 34 1C 7B E1 0x1893c:$sqlite3step: 68 34 1C 7B E1 0x18858:$sqlite3text: 68 38 2A 90 C5 0x1897d:$sqlite3text: 68 38 2A 90 C5 0x1886b:$sqlite3blob: 68 53 D8 7F 8C 0x18993:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b907:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18829:$sqlite3step: 68 34 1C 7B E1 0x1893c:$sqlite3step: 68 34 1C 7B E1 0x18858:$sqlite3text: 68 38 2A 90 C5 0x1897d:$sqlite3text: 68 38 2A 90 C5 0x1886b:$sqlite3blob: 68 53 D8 7F 8C 0x18993:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b907:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18829:$sqlite3step: 68 34 1C 7B E1 0x1893c:$sqlite3step: 68 34 1C 7B E1 0x18858:$sqlite3text: 68 38 2A 90 C5 0x1897d:$sqlite3text: 68 38 2A 90 C5 0x1886b:$sqlite3blob: 68 53 D8 7F 8C 0x18993:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b907:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18829:$sqlite3step: 68 34 1C 7B E1 0x1893c:$sqlite3step: 68 34 1C 7B E1 0x18858:$sqlite3text: 68 38 2A 90 C5 0x1897d:$sqlite3text: 68 38 2A 90 C5 0x1886b:$sqlite3blob: 68 53 D8 7F 8C 0x18993:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: RSLMZxqebl.exe PID: 7596	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1986b9:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: svchost.exe PID: 7660	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2fc8e:$a1: 3C 30 50 4F 53 54 74 09 40 0x10de51:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: svchost.exe PID: 7696	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x25a9:$a1: 3C 30 50 4F 53 54 74 09 40 0x40e79:$a1: 3C 30 50 4F 53 54 74 09 40 0xc7e42:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 33 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bda0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.svchost.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab07:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb0a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.svchost.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a29:$sqlite3step: 68 34 1C 7B E1 0x17b3c:$sqlite3step: 68 34 1C 7B E1 0x17a58:$sqlite3text: 68 38 2A 90 C5 0x17b7d:$sqlite3text: 68 38 2A 90 C5 0x17a6b:$sqlite3blob: 68 53 D8 7F 8C 0x17b93:$sqlite3blob: 68 53 D8 7F 8C
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.svchost.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b907:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.svchost.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18829:$sqlite3step: 68 34 1C 7B E1 0x1893c:$sqlite3step: 68 34 1C 7B E1 0x18858:$sqlite3text: 68 38 2A 90 C5 0x1897d:$sqlite3text: 68 38 2A 90 C5 0x1886b:$sqlite3blob: 68 53 D8 7F 8C 0x18993:$sqlite3blob: 68 53 D8 7F 8C
0.2.RSLMZxqebl.exe.33e0000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.RSLMZxqebl.exe.33e0000.1.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.RSLMZxqebl.exe.33e0000.1.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bda0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.RSLMZxqebl.exe.33e0000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab07:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb0a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.RSLMZxqebl.exe.33e0000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a29:$sqlite3step: 68 34 1C 7B E1 0x17b3c:$sqlite3step: 68 34 1C 7B E1 0x17a58:$sqlite3text: 68 38 2A 90 C5 0x17b7d:$sqlite3text: 68 38 2A 90 C5 0x17a6b:$sqlite3blob: 68 53 D8 7F 8C 0x17b93:$sqlite3blob: 68 53 D8 7F 8C
0.2.RSLMZxqebl.exe.33e0000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.RSLMZxqebl.exe.33e0000.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.RSLMZxqebl.exe.33e0000.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cba0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.RSLMZxqebl.exe.33e0000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b907:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.RSLMZxqebl.exe.33e0000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18829:$sqlite3step: 68 34 1C 7B E1 0x1893c:$sqlite3step: 68 34 1C 7B E1 0x18858:$sqlite3text: 68 38 2A 90 C5 0x1897d:$sqlite3text: 68 38 2A 90 C5 0x1886b:$sqlite3blob: 68 53 D8 7F 8C 0x18993:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\RSLMZxqebl.exe", CommandLine: "C:\Users\user\Desktop\RSLMZxqebl.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RSLMZxqebl.exe", ParentImage: C:\Users\user\Desktop\RSLMZxqebl.exe, ParentProcessId: 7596, ParentProcessName: RSLMZxqebl.exe, ProcessCommandLine: "C:\Users\user\Desktop\RSLMZxqebl.exe", ProcessId: 7660, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\RSLMZxqebl.exe", CommandLine: "C:\Users\user\Desktop\RSLMZxqebl.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RSLMZxqebl.exe", ParentImage: C:\Users\user\Desktop\RSLMZxqebl.exe, ParentProcessId: 7596, ParentProcessName: RSLMZxqebl.exe, ProcessCommandLine: "C:\Users\user\Desktop\RSLMZxqebl.exe", ProcessId: 7660, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.64axyozkgl.top/ud04/www.rime-flow-bay.xyz	Avira URL Cloud: Label: malware
Source: http://www.64axyozkgl.top	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.2creativedesign.online/ud04/"], "decoy": ["oum7.pro", "ovonordisk.online", "akrzus.pro", "tendmtedcpsa.site", "mm.foo", "animevyhgsft29817.click", "digdxxb.info", "1130.vip", "uy-now-pay-later-74776.bond", "ybzert.online", "edcn.link", "rime-flow-bay.xyz", "nd777id.beauty", "otoyama.shop", "lranchomx.xyz", "unluoren.top", "uglesang-troms.net", "udulbet88.net", "raquewear.shop", "ijanarko.net", "iuxy.host", "itaxia.dev", "hisewntbqg.makeup", "talianfood.store", "22gxx.app", "tandkite.fun", "rovideoeditor.shop", "ires-86307.bond", "elitjatarjoukset.click", "rofilern.net", "uycarpaylater-02-t1e-01.today", "futurum.xyz", "inance15.site", "alance-ton-budget.net", "tpuniplay.shop", "dlpli.xyz", "riteon.online", "rippyshaker.shop", "rn10.top", "linko1win.icu", "ugeniolopez.art", "raphic-design-degree-68380.bond", "narchists.info", "uy-now-pay-later-25573.bond", "gzvmt.info", "df.clinic", "onesome.store", "imba-168.net", "ayef.xyz", "64axyozkgl.top", "dult-diapers-53774.bond", "ec.baby", "el-radu-easy4y.one", "asik-eye-surgery-63293.bond", "p-inbox4.click", "0417.one", "ualitystore.shop", "partments-for-rent-61932.bond", "enobscotlobster.online", "fhou.link", "eo56a3oouu.top", "cweb.cyou", "hoe-organizer-za.today", "p806.top"]}

Multi AV Scanner detection for submitted file

Source: RSLMZxqebl.exe	Virustotal: Detection: 64%			Perma Link
Source: RSLMZxqebl.exe	ReversingLabs: Detection: 75%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RSLMZxqebl.exe.33e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RSLMZxqebl.exe.33e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: RSLMZxqebl.exe

Joe Sandbox ML: detected

Source: RSLMZxqebl.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: RSLMZxqebl.exe, 00000000.00000003.1368682181.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, RSLMZxqebl.exe, 00000000.00000003.1362630421.0000000003970000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1369364925.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1425684530.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1425684530.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1370973017.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1426703840.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3820270213.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1425139985.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3820270213.000000000379E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000004.00000003.1426703840.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3820270213.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1425139985.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3820270213.000000000379E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000004.00000002.3818391053.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3816298824.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 00000004.00000002.3829128293.0000000003B4F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000002.00000003.1424431831.000000000341C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1424627223.0000000003426000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426230710.0000000003DB0000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3844712665.0000000010C9F000.00000004.80000000.00040000.00000000.sdmp, svchost.exe, 00000004.00000002.3818391053.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3816298824.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 00000004.00000002.3829128293.0000000003B4F000.00000004.10000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D16CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D16CA9
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_00D160DD
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_00D163F9
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D1EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00D1EB60
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D1F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00D1F5FA
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D1F56F FindFirstFileW,FindClose,	0_2_00D1F56F
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D21B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D21B2F
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D21C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D21C8A
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D21F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00D21F94

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then pop ebx		2_2_00407B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then pop ebx		4_2_00B07B28

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.2creativedesign.online/ud04/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.rime-flow-bay.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.2creativedesign.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ijanarko.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.dult-diapers-53774.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.hoe-organizer-za.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.rime-flow-bay.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.udulbet88.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.asik-eye-surgery-63293.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.unluoren.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.mm.foo replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.64axyozkgl.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ovonordisk.online replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D24EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00D24EB5

Source: global traffic	DNS traffic detected: DNS query: www.ijanarko.net
Source: global traffic	DNS traffic detected: DNS query: www.asik-eye-surgery-63293.bond
Source: global traffic	DNS traffic detected: DNS query: www.64axyozkgl.top
Source: global traffic	DNS traffic detected: DNS query: www.rime-flow-bay.xyz
Source: global traffic	DNS traffic detected: DNS query: www.mm.foo
Source: global traffic	DNS traffic detected: DNS query: www.2creativedesign.online
Source: global traffic	DNS traffic detected: DNS query: www.hoe-organizer-za.today
Source: global traffic	DNS traffic detected: DNS query: www.udulbet88.net
Source: global traffic	DNS traffic detected: DNS query: www.dult-diapers-53774.bond
Source: global traffic	DNS traffic detected: DNS query: www.ovonordisk.online
Source: global traffic	DNS traffic detected: DNS query: www.unluoren.top

Source: explorer.exe, 00000003.00000003.3083861477.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083861477.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1378546111.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835163726.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1378546111.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835163726.00000000087BB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000003.3083861477.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083861477.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1378546111.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835163726.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1378546111.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835163726.00000000087BB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000003.3083861477.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083861477.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1378546111.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835163726.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1378546111.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835163726.00000000087BB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000003.3083861477.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083861477.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1378546111.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835163726.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1378546111.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835163726.00000000087BB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000002.3821354616.0000000002C60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1377612448.00000000082D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1376779154.0000000007670000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2creativedesign.online
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2creativedesign.online/ud04/
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2creativedesign.online/ud04/www.hoe-organizer-za.today
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2creativedesign.onlineReferer:
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.64axyozkgl.top
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.64axyozkgl.top/ud04/
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.64axyozkgl.top/ud04/www.rime-flow-bay.xyz
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.64axyozkgl.topReferer:
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.akrzus.pro
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.akrzus.pro/ud04/
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.akrzus.pro/ud04/www.edcn.link
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.akrzus.proReferer:
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.asik-eye-surgery-63293.bond
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.asik-eye-surgery-63293.bond/ud04/
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.asik-eye-surgery-63293.bond/ud04/www.64axyozkgl.top
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.asik-eye-surgery-63293.bondReferer:
Source: explorer.exe, 00000003.00000000.1378145800.00000000085D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292225792.00000000085DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3834919184.00000000085E3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dult-diapers-53774.bond
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dult-diapers-53774.bond/ud04/
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dult-diapers-53774.bond/ud04/www.ovonordisk.online
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dult-diapers-53774.bondReferer:
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.edcn.link
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.edcn.link/ud04/
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.edcn.link/ud04/www.uy-now-pay-later-25573.bond
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.edcn.linkReferer:
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hoe-organizer-za.today
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hoe-organizer-za.today/ud04/
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hoe-organizer-za.today/ud04/www.udulbet88.net
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hoe-organizer-za.todayReferer:
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ijanarko.net
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ijanarko.net/ud04/
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ijanarko.net/ud04/www.asik-eye-surgery-63293.bond
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ijanarko.netReferer:
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ires-86307.bond
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ires-86307.bond/ud04/
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ires-86307.bond/ud04/www.akrzus.pro
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ires-86307.bondReferer:
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mm.foo
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mm.foo/ud04/
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mm.foo/ud04/www.2creativedesign.online
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mm.fooReferer:
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ovonordisk.online
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ovonordisk.online/ud04/
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ovonordisk.online/ud04/www.unluoren.top
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ovonordisk.onlineReferer:
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rime-flow-bay.xyz
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rime-flow-bay.xyz/ud04/
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rime-flow-bay.xyz/ud04/www.mm.foo
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rime-flow-bay.xyzReferer:
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.udulbet88.net
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.udulbet88.net/ud04/
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.udulbet88.net/ud04/www.dult-diapers-53774.bond
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.udulbet88.netReferer:
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.unluoren.top
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.unluoren.top/ud04/
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.unluoren.top/ud04/www.ires-86307.bond
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.unluoren.topReferer:
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uy-now-pay-later-25573.bond
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uy-now-pay-later-25573.bond/ud04/
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uy-now-pay-later-25573.bond/ud04/o
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uy-now-pay-later-25573.bondReferer:
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ybzert.online
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ybzert.online/ud04/
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ybzert.online/ud04/www.ijanarko.net
Source: explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ybzert.onlineReferer:
Source: explorer.exe, 00000003.00000000.1385494317.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3839394234.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2293597525.000000000BD22000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp(
Source: explorer.exe, 00000003.00000003.2293597525.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1385494317.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3839394234.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000003.2293597525.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1385494317.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3839394234.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSJM
Source: explorer.exe, 00000003.00000003.2293597525.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1385494317.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3839394234.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSZM
Source: explorer.exe, 00000003.00000003.2293597525.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1385494317.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3839394234.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSp
Source: explorer.exe, 00000003.00000000.1378546111.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835163726.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3091224502.0000000008796000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/rT
Source: explorer.exe, 00000003.00000000.1378546111.000000000862F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc
Source: explorer.exe, 00000003.00000003.3083861477.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835163726.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1378546111.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?z$
Source: explorer.exe, 00000003.00000000.1378546111.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835163726.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3091224502.0000000008796000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/~T
Source: explorer.exe, 00000003.00000000.1374717579.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3081345944.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000003.3083861477.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835163726.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1378546111.0000000008685000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark
Source: explorer.exe, 00000003.00000003.2293597525.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1385494317.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3839394234.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1eBTmz.img
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AATs0AB.img
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
Source: explorer.exe, 00000003.00000003.2293597525.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1385494317.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3839394234.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://parade.com/61481/toriavey/where-did-hamburgers-originate
Source: explorer.exe, 00000003.00000003.2293597525.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1385494317.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3839394234.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000000.1378546111.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835887298.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2296963252.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082474486.000000000899E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/bat
Source: explorer.exe, 00000003.00000003.2293597525.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1385494317.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3839394234.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/companies/kaiser-permanente-and-unions-for-75-000-striking-health-wo
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-f
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/england-considers-raising-smoking-age-until-cigarettes-are-bann
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/nobel-prize-in-literature-to-be-announced-in-stockholm/ar-AA1hI
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-expresses-worry-about-congressional
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.stacker.com/arizona/phoenix
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de
Source: explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.yelp.com

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D26B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00D26B0C

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D26D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00D26D07

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

0_2_00D26B0C

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D12B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00D12B37

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D3F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00D3F7FF

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RSLMZxqebl.exe.33e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RSLMZxqebl.exe.33e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.RSLMZxqebl.exe.33e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.RSLMZxqebl.exe.33e0000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.RSLMZxqebl.exe.33e0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.RSLMZxqebl.exe.33e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.RSLMZxqebl.exe.33e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.RSLMZxqebl.exe.33e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: RSLMZxqebl.exe PID: 7596, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7660, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7696, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00CD3D19
Source: RSLMZxqebl.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: RSLMZxqebl.exe, 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2addbb63-3
Source: RSLMZxqebl.exe, 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d6cb2ec0-1
Source: RSLMZxqebl.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_85fa105b-9
Source: RSLMZxqebl.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_750396f6-f

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A340 NtCreateFile,	2_2_0041A340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A3F0 NtReadFile,	2_2_0041A3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A470 NtClose,	2_2_0041A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A520 NtAllocateVirtualMemory,	2_2_0041A520
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A3EB NtReadFile,	2_2_0041A3EB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A392 NtCreateFile,NtReadFile,	2_2_0041A392
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A51C NtAllocateVirtualMemory,	2_2_0041A51C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_03A72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72B60 NtClose,LdrInitializeThunk,	2_2_03A72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72AD0 NtReadFile,LdrInitializeThunk,	2_2_03A72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72FB0 NtResumeThread,LdrInitializeThunk,	2_2_03A72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72F90 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_03A72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72FE0 NtCreateFile,LdrInitializeThunk,	2_2_03A72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72F30 NtCreateSection,LdrInitializeThunk,	2_2_03A72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_03A72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72E80 NtReadVirtualMemory,LdrInitializeThunk,	2_2_03A72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03A72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72DD0 NtDelayExecution,LdrInitializeThunk,	2_2_03A72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72D30 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_03A72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72D10 NtMapViewOfSection,LdrInitializeThunk,	2_2_03A72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72CA0 NtQueryInformationToken,LdrInitializeThunk,	2_2_03A72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A74340 NtSetContextThread,	2_2_03A74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A74650 NtSuspendThread,	2_2_03A74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72BA0 NtEnumerateValueKey,	2_2_03A72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72B80 NtQueryInformationFile,	2_2_03A72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72BE0 NtQueryValueKey,	2_2_03A72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72AB0 NtWaitForSingleObject,	2_2_03A72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72AF0 NtWriteFile,	2_2_03A72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72FA0 NtQuerySection,	2_2_03A72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72F60 NtCreateProcessEx,	2_2_03A72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72EE0 NtQueueApcThread,	2_2_03A72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72E30 NtWriteVirtualMemory,	2_2_03A72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72DB0 NtEnumerateKey,	2_2_03A72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72D00 NtSetInformationFile,	2_2_03A72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72CF0 NtOpenProcess,	2_2_03A72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72CC0 NtQueryVirtualMemory,	2_2_03A72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72C00 NtQueryInformationProcess,	2_2_03A72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72C60 NtCreateKey,	2_2_03A72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72C70 NtFreeVirtualMemory,	2_2_03A72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73090 NtSetValueKey,	2_2_03A73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73010 NtOpenDirectoryObject,	2_2_03A73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A735C0 NtCreateMutant,	2_2_03A735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A739B0 NtGetContextThread,	2_2_03A739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73D10 NtOpenProcessToken,	2_2_03A73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73D70 NtOpenThread,	2_2_03A73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03EBA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,	2_2_03EBA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03EBA042 NtQueryInformationProcess,	2_2_03EBA042
Source: C:\Windows\explorer.exe	Code function: 3_2_104ADE12 NtProtectVirtualMemory,	3_2_104ADE12
Source: C:\Windows\explorer.exe	Code function: 3_2_104AC232 NtCreateFile,	3_2_104AC232
Source: C:\Windows\explorer.exe	Code function: 3_2_104ADE0A NtProtectVirtualMemory,	3_2_104ADE0A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00BB2720 RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegCloseKey,HeapAlloc,RegQueryValueExW,ExpandEnvironmentStringsW,LCMapStringW,RegQueryValueExW,HeapFree,AcquireSRWLockShared,ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey,HeapAlloc,RegGetValueW,WideCharToMultiByte,HeapAlloc,WideCharToMultiByte,HeapFree,ExpandEnvironmentStringsW,HeapFree,CreateActCtxW,GetLastError,HeapFree,HeapFree,GetLastError,CreateActCtxW,GetLastError,ReleaseActCtx,GetLastError,GetLastError,RtlNtStatusToDosError,GetLastError,LoadLibraryExW,RtlNtStatusToDosError,LoadLibraryExW,RtlNtStatusToDosError,HeapFree,ReleaseActCtx,	4_2_00BB2720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00BB3540 RtlImageNtHeader,RpcMgmtSetServerStackSize,I_RpcServerDisableExceptionFilter,RtlSetProcessIsCritical,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProtectedPolicy,HeapSetInformation,NtSetInformationProcess,	4_2_00BB3540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00BB33C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,	4_2_00BB33C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672B60 NtClose,LdrInitializeThunk,	4_2_03672B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_03672BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_03672BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672AD0 NtReadFile,LdrInitializeThunk,	4_2_03672AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672F30 NtCreateSection,LdrInitializeThunk,	4_2_03672F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672FE0 NtCreateFile,LdrInitializeThunk,	4_2_03672FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_03672EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_03672D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_03672DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672DD0 NtDelayExecution,LdrInitializeThunk,	4_2_03672DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672C60 NtCreateKey,LdrInitializeThunk,	4_2_03672C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_03672C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_03672CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036735C0 NtCreateMutant,LdrInitializeThunk,	4_2_036735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03674340 NtSetContextThread,	4_2_03674340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03674650 NtSuspendThread,	4_2_03674650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672BA0 NtEnumerateValueKey,	4_2_03672BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672B80 NtQueryInformationFile,	4_2_03672B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672AF0 NtWriteFile,	4_2_03672AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672AB0 NtWaitForSingleObject,	4_2_03672AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672F60 NtCreateProcessEx,	4_2_03672F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672FA0 NtQuerySection,	4_2_03672FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672FB0 NtResumeThread,	4_2_03672FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672F90 NtProtectVirtualMemory,	4_2_03672F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672E30 NtWriteVirtualMemory,	4_2_03672E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672EE0 NtQueueApcThread,	4_2_03672EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672E80 NtReadVirtualMemory,	4_2_03672E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672D30 NtUnmapViewOfSection,	4_2_03672D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672D00 NtSetInformationFile,	4_2_03672D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672DB0 NtEnumerateKey,	4_2_03672DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672C00 NtQueryInformationProcess,	4_2_03672C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672CF0 NtOpenProcess,	4_2_03672CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03672CC0 NtQueryVirtualMemory,	4_2_03672CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03673010 NtOpenDirectoryObject,	4_2_03673010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03673090 NtSetValueKey,	4_2_03673090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036739B0 NtGetContextThread,	4_2_036739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03673D70 NtOpenThread,	4_2_03673D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03673D10 NtOpenProcessToken,	4_2_03673D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B1A3F0 NtReadFile,	4_2_00B1A3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B1A340 NtCreateFile,	4_2_00B1A340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B1A470 NtClose,	4_2_00B1A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B1A520 NtAllocateVirtualMemory,	4_2_00B1A520
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B1A392 NtCreateFile,NtReadFile,	4_2_00B1A392
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B1A3EB NtReadFile,	4_2_00B1A3EB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B1A51C NtAllocateVirtualMemory,	4_2_00B1A51C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_034A9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	4_2_034A9BAF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_034AA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	4_2_034AA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_034A9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_034A9BB2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_034AA042 NtQueryInformationProcess,	4_2_034AA042

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D16685: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00D16685

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D0ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00D0ACC5

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D179D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00D179D3

Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CDE3B0	0_2_00CDE3B0
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CFB043	0_2_00CFB043
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CE3200	0_2_00CE3200
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CE3B70	0_2_00CE3B70
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D0410F	0_2_00D0410F
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CF02A4	0_2_00CF02A4
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D0038E	0_2_00D0038E
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CF06D9	0_2_00CF06D9
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D0467F	0_2_00D0467F
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D3AACE	0_2_00D3AACE
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D04BEF	0_2_00D04BEF
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CFCCC1	0_2_00CFCCC1
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CDAF50	0_2_00CDAF50
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CD6F07	0_2_00CD6F07
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D331BC	0_2_00D331BC
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CFD1B9	0_2_00CFD1B9
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CEB11F	0_2_00CEB11F
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D0724D	0_2_00D0724D
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CF123A	0_2_00CF123A
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D113CA	0_2_00D113CA
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CD93F0	0_2_00CD93F0
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CEF563	0_2_00CEF563
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CD96C0	0_2_00CD96C0
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D1B6CC	0_2_00D1B6CC
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D3F7FF	0_2_00D3F7FF
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CD77B0	0_2_00CD77B0
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D079C9	0_2_00D079C9
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CEFA57	0_2_00CEFA57
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CD9B60	0_2_00CD9B60
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CD7D19	0_2_00CD7D19
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CF9ED0	0_2_00CF9ED0
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CEFE6F	0_2_00CEFE6F
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CD7FA3	0_2_00CD7FA3
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_01117740	0_2_01117740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401026	2_2_00401026
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E1B7	2_2_0041E1B7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041DA08	2_2_0041DA08
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D87	2_2_00402D87
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00409E5B	2_2_00409E5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00409E60	2_2_00409E60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B003E6	2_2_03B003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA352	2_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC02C0	2_2_03AC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF41A2	2_2_03AF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B001AA	2_2_03B001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF81CC	2_2_03AF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30100	2_2_03A30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC8158	2_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3C7C0	2_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64750	2_2_03A64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5C6E0	2_2_03A5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B00591	2_2_03B00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEE4F6	2_2_03AEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE4420	2_2_03AE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF2446	2_2_03AF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF6BD7	2_2_03AF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFAB40	2_2_03AFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0A9A6	2_2_03B0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A268B8	2_2_03A268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E8F0	2_2_03A6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4A840	2_2_03A4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A42840	2_2_03A42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABEFA0	2_2_03ABEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4CFE0	2_2_03A4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32FC8	2_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A82F28	2_2_03A82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A60F30	2_2_03A60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE2F30	2_2_03AE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4F40	2_2_03AB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52E90	2_2_03A52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFCE93	2_2_03AFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFEEDB	2_2_03AFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFEE26	2_2_03AFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40E59	2_2_03A40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A58DBF	2_2_03A58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3ADE0	2_2_03A3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4AD00	2_2_03A4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADCD1F	2_2_03ADCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0CB5	2_2_03AE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30CF2	2_2_03A30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40C00	2_2_03A40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A8739A	2_2_03A8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF132D	2_2_03AF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2D34C	2_2_03A2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A452A0	2_2_03A452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE12ED	2_2_03AE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5B2C0	2_2_03A5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4B1B0	2_2_03A4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7516C	2_2_03A7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2F172	2_2_03A2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0B16B	2_2_03B0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF70E9	2_2_03AF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFF0E0	2_2_03AFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEF0CC	2_2_03AEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A470C0	2_2_03A470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFF7B0	2_2_03AFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF16CC	2_2_03AF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A85630	2_2_03A85630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADD5B0	2_2_03ADD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B095C3	2_2_03B095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF7571	2_2_03AF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFF43F	2_2_03AFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A31460	2_2_03A31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5FB80	2_2_03A5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB5BF0	2_2_03AB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7DBF9	2_2_03A7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFB76	2_2_03AFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADDAAC	2_2_03ADDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A85AA0	2_2_03A85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE1AA3	2_2_03AE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEDAC6	2_2_03AEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB3A6C	2_2_03AB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFA49	2_2_03AFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF7A46	2_2_03AF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD5910	2_2_03AD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A49950	2_2_03A49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5B950	2_2_03A5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A438E0	2_2_03A438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAD800	2_2_03AAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFFB1	2_2_03AFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A41F92	2_2_03A41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFF09	2_2_03AFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A49EB0	2_2_03A49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5FDC0	2_2_03A5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF7D73	2_2_03AF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A43D40	2_2_03A43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF1D5A	2_2_03AF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFCF2	2_2_03AFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB9C32	2_2_03AB9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03EBA036	2_2_03EBA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03EBB232	2_2_03EBB232
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03EB1082	2_2_03EB1082
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03EBE5CD	2_2_03EBE5CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03EB5B32	2_2_03EB5B32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03EB5B30	2_2_03EB5B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03EB8912	2_2_03EB8912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03EB2D02	2_2_03EB2D02
Source: C:\Windows\explorer.exe	Code function: 3_2_104AC232	3_2_104AC232
Source: C:\Windows\explorer.exe	Code function: 3_2_104AB036	3_2_104AB036
Source: C:\Windows\explorer.exe	Code function: 3_2_104A2082	3_2_104A2082
Source: C:\Windows\explorer.exe	Code function: 3_2_104A3D02	3_2_104A3D02
Source: C:\Windows\explorer.exe	Code function: 3_2_104A9912	3_2_104A9912
Source: C:\Windows\explorer.exe	Code function: 3_2_104A6B32	3_2_104A6B32
Source: C:\Windows\explorer.exe	Code function: 3_2_104A6B30	3_2_104A6B30
Source: C:\Windows\explorer.exe	Code function: 3_2_104AF5CD	3_2_104AF5CD
Source: C:\Windows\explorer.exe	Code function: 3_2_109ED082	3_2_109ED082
Source: C:\Windows\explorer.exe	Code function: 3_2_109F6036	3_2_109F6036
Source: C:\Windows\explorer.exe	Code function: 3_2_109FA5CD	3_2_109FA5CD
Source: C:\Windows\explorer.exe	Code function: 3_2_109F4912	3_2_109F4912
Source: C:\Windows\explorer.exe	Code function: 3_2_109EED02	3_2_109EED02
Source: C:\Windows\explorer.exe	Code function: 3_2_109F7232	3_2_109F7232
Source: C:\Windows\explorer.exe	Code function: 3_2_109F1B32	3_2_109F1B32
Source: C:\Windows\explorer.exe	Code function: 3_2_109F1B30	3_2_109F1B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00BB2720	4_2_00BB2720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036FA352	4_2_036FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0364E3F0	4_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_037003E6	4_2_037003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036E0274	4_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036C02C0	4_2_036C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036C8158	4_2_036C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03630100	4_2_03630100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036DA118	4_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036F81CC	4_2_036F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036F41A2	4_2_036F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_037001AA	4_2_037001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036D2000	4_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03640770	4_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03664750	4_2_03664750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0363C7C0	4_2_0363C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0365C6E0	4_2_0365C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03640535	4_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03700591	4_2_03700591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036F2446	4_2_036F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036E4420	4_2_036E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036EE4F6	4_2_036EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036FAB40	4_2_036FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036F6BD7	4_2_036F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0363EA80	4_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03656962	4_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036429A0	4_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0370A9A6	4_2_0370A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0364A840	4_2_0364A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03642840	4_2_03642840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0366E8F0	4_2_0366E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036268B8	4_2_036268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036B4F40	4_2_036B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03682F28	4_2_03682F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03660F30	4_2_03660F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036E2F30	4_2_036E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0364CFE0	4_2_0364CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03632FC8	4_2_03632FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036BEFA0	4_2_036BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03640E59	4_2_03640E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036FEE26	4_2_036FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036FEEDB	4_2_036FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03652E90	4_2_03652E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036FCE93	4_2_036FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0364AD00	4_2_0364AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036DCD1F	4_2_036DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0363ADE0	4_2_0363ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03658DBF	4_2_03658DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03640C00	4_2_03640C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03630CF2	4_2_03630CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036E0CB5	4_2_036E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0362D34C	4_2_0362D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036F132D	4_2_036F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0368739A	4_2_0368739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036E12ED	4_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0365B2C0	4_2_0365B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036452A0	4_2_036452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0367516C	4_2_0367516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0362F172	4_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0370B16B	4_2_0370B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0364B1B0	4_2_0364B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036F70E9	4_2_036F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036FF0E0	4_2_036FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036EF0CC	4_2_036EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036470C0	4_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036FF7B0	4_2_036FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036F16CC	4_2_036F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036F7571	4_2_036F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036DD5B0	4_2_036DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03631460	4_2_03631460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036FF43F	4_2_036FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036FFB76	4_2_036FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036B5BF0	4_2_036B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0367DBF9	4_2_0367DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0365FB80	4_2_0365FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036B3A6C	4_2_036B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036FFA49	4_2_036FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036F7A46	4_2_036F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036EDAC6	4_2_036EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036DDAAC	4_2_036DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03685AA0	4_2_03685AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036E1AA3	4_2_036E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03649950	4_2_03649950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0365B950	4_2_0365B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036D5910	4_2_036D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036AD800	4_2_036AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036438E0	4_2_036438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036FFF09	4_2_036FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036FFFB1	4_2_036FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03641F92	4_2_03641F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03649EB0	4_2_03649EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036F7D73	4_2_036F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_03643D40	4_2_03643D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036F1D5A	4_2_036F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_0365FDC0	4_2_0365FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036B9C32	4_2_036B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036FFCF2	4_2_036FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B1DA08	4_2_00B1DA08
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B02D90	4_2_00B02D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B02D87	4_2_00B02D87
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B09E60	4_2_00B09E60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B09E5B	4_2_00B09E5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B02FB0	4_2_00B02FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_034AA036	4_2_034AA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_034A5B32	4_2_034A5B32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_034A5B30	4_2_034A5B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_034AB232	4_2_034AB232
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_034A8912	4_2_034A8912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_034A1082	4_2_034A1082
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_034A2D02	4_2_034A2D02
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_034AE5CD	4_2_034AE5CD

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A87E54 appears 110 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03675130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 036BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0362B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03ABF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03687E54 appears 101 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03AAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 036AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A2B970 appears 280 times
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: String function: 00CF6AC0 appears 42 times
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: String function: 00CFF8A0 appears 35 times
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: String function: 00CEEC2F appears 68 times

Source: RSLMZxqebl.exe, 00000000.00000003.1368682181.00000000038F3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RSLMZxqebl.exe
Source: RSLMZxqebl.exe, 00000000.00000003.1368832903.0000000003A9D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RSLMZxqebl.exe

Source: RSLMZxqebl.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.RSLMZxqebl.exe.33e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.RSLMZxqebl.exe.33e0000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.RSLMZxqebl.exe.33e0000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.RSLMZxqebl.exe.33e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.RSLMZxqebl.exe.33e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.RSLMZxqebl.exe.33e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: RSLMZxqebl.exe PID: 7596, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7660, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7696, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/2@12/0

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D1CE7A GetLastError,FormatMessageW,

0_2_00D1CE7A

Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D0AB84 AdjustTokenPrivileges,CloseHandle,		0_2_00D0AB84
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D0B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00D0B134

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D1E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00D1E1FD

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D16532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00D16532

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D2C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_00D2C18C

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00CD406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00CD406B

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 4_2_00BB3360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

4_2_00BB3360

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 4_2_00BB3360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

4_2_00BB3360

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

File created: C:\Users\user\AppData\Local\Temp\aut5A67.tmp

Jump to behavior

Source: RSLMZxqebl.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RSLMZxqebl.exe	Virustotal: Detection: 64%
Source: RSLMZxqebl.exe	ReversingLabs: Detection: 75%

Source: unknown	Process created: C:\Users\user\Desktop\RSLMZxqebl.exe "C:\Users\user\Desktop\RSLMZxqebl.exe"
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RSLMZxqebl.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RSLMZxqebl.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: RSLMZxqebl.exe

Static file information: File size 1247232 > 1048576

Source: RSLMZxqebl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: RSLMZxqebl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: RSLMZxqebl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: RSLMZxqebl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: RSLMZxqebl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: RSLMZxqebl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: RSLMZxqebl.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: RSLMZxqebl.exe, 00000000.00000003.1368682181.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, RSLMZxqebl.exe, 00000000.00000003.1362630421.0000000003970000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1369364925.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1425684530.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1425684530.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1370973017.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1426703840.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3820270213.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1425139985.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3820270213.000000000379E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000004.00000003.1426703840.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3820270213.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1425139985.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3820270213.000000000379E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000004.00000002.3818391053.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3816298824.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 00000004.00000002.3829128293.0000000003B4F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000002.00000003.1424431831.000000000341C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1424627223.0000000003426000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426230710.0000000003DB0000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3844712665.0000000010C9F000.00000004.80000000.00040000.00000000.sdmp, svchost.exe, 00000004.00000002.3818391053.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3816298824.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 00000004.00000002.3829128293.0000000003B4F000.00000004.10000000.00040000.00000000.sdmp

Source: RSLMZxqebl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: RSLMZxqebl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: RSLMZxqebl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: RSLMZxqebl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: RSLMZxqebl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00CEE01E LoadLibraryA,GetProcAddress,

0_2_00CEE01E

Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CF6B05 push ecx; ret	0_2_00CF6B18
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CF0C5B push es; iretd	0_2_00CF0C65
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CF0C66 push es; iretd	0_2_00CF0C75
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404905 push eax; iretd	2_2_0040490C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417AD0 push ecx; ret	2_2_00417AD1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416431 push 00000063h; ret	2_2_00416438
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4E2 push eax; ret	2_2_0041D4E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4EB push eax; ret	2_2_0041D552
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00409C84 push esi; ret	2_2_00409C85
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D495 push eax; ret	2_2_0041D4E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D54C push eax; ret	2_2_0041D552
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041973C push esi; retf	2_2_0041973D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A309AD push ecx; mov dword ptr [esp], ecx	2_2_03A309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03EBEB02 push esp; retn 0000h	2_2_03EBEB03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03EBEB1E push esp; retn 0000h	2_2_03EBEB1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03EBE9B5 push esp; retn 0000h	2_2_03EBEAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_104AFB02 push esp; retn 0000h	3_2_104AFB03
Source: C:\Windows\explorer.exe	Code function: 3_2_104AFB1E push esp; retn 0000h	3_2_104AFB1F
Source: C:\Windows\explorer.exe	Code function: 3_2_104AF9B5 push esp; retn 0000h	3_2_104AFAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_109FA9B5 push esp; retn 0000h	3_2_109FAAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_109FAB1E push esp; retn 0000h	3_2_109FAB1F
Source: C:\Windows\explorer.exe	Code function: 3_2_109FAB02 push esp; retn 0000h	3_2_109FAB03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_036309AD push ecx; mov dword ptr [esp], ecx	4_2_036309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B1D495 push eax; ret	4_2_00B1D4E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B1D4E2 push eax; ret	4_2_00B1D4E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B1D4EB push eax; ret	4_2_00B1D552
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B16431 push 00000063h; ret	4_2_00B16438
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B1D54C push eax; ret	4_2_00B1D552
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B1973C push esi; retf	4_2_00B1973D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B04905 push eax; iretd	4_2_00B0490C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00B17AD0 push ecx; ret	4_2_00B17AD1

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 4_2_00BB3360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

4_2_00BB3360

Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D38111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00D38111
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CEEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00CEEB42

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00CF123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00CF123A

Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\RSLMZxqebl.exe	API/Special instruction interceptor: Address: 1117364
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF90818D324
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF908190774
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF908190154
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF90818D8A4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF90818DA44
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF90818D1E4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF90818D944
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF90818D504
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FF90818D544

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: B09904 second address: B0990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: B09B7E second address: B09B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AB0 rdtsc

2_2_00409AB0

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2566	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 7379	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 885	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 865	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 473	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 9497	Jump to behavior

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Evaded block: after key decision

graph_0-95105

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-96583

Source: C:\Users\user\Desktop\RSLMZxqebl.exe	API coverage: 6.1 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 2.0 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 1.9 %

Source: C:\Windows\explorer.exe TID: 8064	Thread sleep count: 2566 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8064	Thread sleep time: -5132000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8064	Thread sleep count: 7379 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8064	Thread sleep time: -14758000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7804	Thread sleep count: 473 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7804	Thread sleep time: -946000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7804	Thread sleep count: 9497 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7804	Thread sleep time: -18994000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D16CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D16CA9
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_00D160DD
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_00D163F9
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D1EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00D1EB60
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D1F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00D1F5FA
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D1F56F FindFirstFileW,FindClose,	0_2_00D1F56F
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D21B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D21B2F
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D21C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D21C8A
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D21F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00D21F94

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00CEDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CEDDC0

Source: explorer.exe, 00000003.00000002.3835163726.000000000888E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
Source: explorer.exe, 00000003.00000003.2296963252.0000000008979000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00`
Source: explorer.exe, 00000003.00000000.1378546111.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000003.00000000.1378546111.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835163726.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3091224502.0000000008796000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWe
Source: explorer.exe, 00000003.00000003.3083861477.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3083861477.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835163726.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835163726.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1378546111.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1378546111.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.1373377380.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000^F1O
Source: explorer.exe, 00000003.00000000.1378546111.00000000087C0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000d
Source: explorer.exe, 00000003.00000003.3082474486.00000000088E6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000003.00000003.3082474486.00000000088E6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}l
Source: explorer.exe, 00000003.00000000.1373377380.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: RSLMZxqebl.exe, 00000000.00000003.1346444562.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp, RSLMZxqebl.exe, 00000000.00000002.1370390408.000000000103B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QeMu6
Source: explorer.exe, 00000003.00000003.3082474486.00000000088E6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000003.3082474486.00000000088E6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000003.00000000.1373377380.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AB0 rdtsc

2_2_00409AB0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0040ACF0 LdrLoadDll,

2_2_0040ACF0

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D26AAF BlockInput,

0_2_00D26AAF

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00CD3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00CD3D19

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D03920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00D03920

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00CEE01E LoadLibraryA,GetProcAddress,

0_2_00CEE01E

Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_011175D0 mov eax, dword ptr fs:[00000030h]	0_2_011175D0
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_01117630 mov eax, dword ptr fs:[00000030h]	0_2_01117630
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_01115FC0 mov eax, dword ptr fs:[00000030h]	0_2_01115FC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]	2_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]	2_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]	2_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h]	2_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h]	2_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]	2_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]	2_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]	2_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A663FF mov eax, dword ptr fs:[00000030h]	2_2_03A663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEC3CD mov eax, dword ptr fs:[00000030h]	2_2_03AEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB63C0 mov eax, dword ptr fs:[00000030h]	2_2_03AB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	2_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	2_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE3DB mov ecx, dword ptr fs:[00000030h]	2_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	2_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h]	2_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B08324 mov ecx, dword ptr fs:[00000030h]	2_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h]	2_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h]	2_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]	2_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]	2_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]	2_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C310 mov ecx, dword ptr fs:[00000030h]	2_2_03A2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50310 mov ecx, dword ptr fs:[00000030h]	2_2_03A50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD437C mov eax, dword ptr fs:[00000030h]	2_2_03AD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov ecx, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA352 mov eax, dword ptr fs:[00000030h]	2_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD8350 mov ecx, dword ptr fs:[00000030h]	2_2_03AD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0634F mov eax, dword ptr fs:[00000030h]	2_2_03B0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]	2_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]	2_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]	2_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]	2_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]	2_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]	2_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]	2_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]	2_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]	2_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]	2_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B062D6 mov eax, dword ptr fs:[00000030h]	2_2_03B062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2823B mov eax, dword ptr fs:[00000030h]	2_2_03A2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]	2_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]	2_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]	2_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2826B mov eax, dword ptr fs:[00000030h]	2_2_03A2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB8243 mov eax, dword ptr fs:[00000030h]	2_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB8243 mov ecx, dword ptr fs:[00000030h]	2_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0625D mov eax, dword ptr fs:[00000030h]	2_2_03B0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A250 mov eax, dword ptr fs:[00000030h]	2_2_03A2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36259 mov eax, dword ptr fs:[00000030h]	2_2_03A36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEA250 mov eax, dword ptr fs:[00000030h]	2_2_03AEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEA250 mov eax, dword ptr fs:[00000030h]	2_2_03AEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A70185 mov eax, dword ptr fs:[00000030h]	2_2_03A70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]	2_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]	2_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h]	2_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h]	2_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]	2_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]	2_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]	2_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B061E5 mov eax, dword ptr fs:[00000030h]	2_2_03B061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A601F8 mov eax, dword ptr fs:[00000030h]	2_2_03A601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A60124 mov eax, dword ptr fs:[00000030h]	2_2_03A60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov ecx, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF0115 mov eax, dword ptr fs:[00000030h]	2_2_03AF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04164 mov eax, dword ptr fs:[00000030h]	2_2_03B04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04164 mov eax, dword ptr fs:[00000030h]	2_2_03B04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov ecx, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C156 mov eax, dword ptr fs:[00000030h]	2_2_03A2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC8158 mov eax, dword ptr fs:[00000030h]	2_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]	2_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]	2_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A280A0 mov eax, dword ptr fs:[00000030h]	2_2_03A280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC80A8 mov eax, dword ptr fs:[00000030h]	2_2_03AC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF60B8 mov eax, dword ptr fs:[00000030h]	2_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]	2_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3208A mov eax, dword ptr fs:[00000030h]	2_2_03A3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_03A2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A380E9 mov eax, dword ptr fs:[00000030h]	2_2_03A380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB60E0 mov eax, dword ptr fs:[00000030h]	2_2_03AB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C0F0 mov eax, dword ptr fs:[00000030h]	2_2_03A2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A720F0 mov ecx, dword ptr fs:[00000030h]	2_2_03A720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB20DE mov eax, dword ptr fs:[00000030h]	2_2_03AB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A020 mov eax, dword ptr fs:[00000030h]	2_2_03A2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C020 mov eax, dword ptr fs:[00000030h]	2_2_03A2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6030 mov eax, dword ptr fs:[00000030h]	2_2_03AC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4000 mov ecx, dword ptr fs:[00000030h]	2_2_03AB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5C073 mov eax, dword ptr fs:[00000030h]	2_2_03A5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32050 mov eax, dword ptr fs:[00000030h]	2_2_03A32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6050 mov eax, dword ptr fs:[00000030h]	2_2_03AB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A307AF mov eax, dword ptr fs:[00000030h]	2_2_03A307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE47A0 mov eax, dword ptr fs:[00000030h]	2_2_03AE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD678E mov eax, dword ptr fs:[00000030h]	2_2_03AD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]	2_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]	2_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]	2_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABE7E1 mov eax, dword ptr fs:[00000030h]	2_2_03ABE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]	2_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]	2_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3C7C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB07C3 mov eax, dword ptr fs:[00000030h]	2_2_03AB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]	2_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]	2_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]	2_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6273C mov ecx, dword ptr fs:[00000030h]	2_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]	2_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAC730 mov eax, dword ptr fs:[00000030h]	2_2_03AAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C700 mov eax, dword ptr fs:[00000030h]	2_2_03A6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30710 mov eax, dword ptr fs:[00000030h]	2_2_03A30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A60710 mov eax, dword ptr fs:[00000030h]	2_2_03A60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38770 mov eax, dword ptr fs:[00000030h]	2_2_03A38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6674D mov esi, dword ptr fs:[00000030h]	2_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]	2_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]	2_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30750 mov eax, dword ptr fs:[00000030h]	2_2_03A30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABE75D mov eax, dword ptr fs:[00000030h]	2_2_03ABE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]	2_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]	2_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4755 mov eax, dword ptr fs:[00000030h]	2_2_03AB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C6A6 mov eax, dword ptr fs:[00000030h]	2_2_03A6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A666B0 mov eax, dword ptr fs:[00000030h]	2_2_03A666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]	2_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]	2_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A6C7 mov eax, dword ptr fs:[00000030h]	2_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E627 mov eax, dword ptr fs:[00000030h]	2_2_03A4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A66620 mov eax, dword ptr fs:[00000030h]	2_2_03A66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68620 mov eax, dword ptr fs:[00000030h]	2_2_03A68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3262C mov eax, dword ptr fs:[00000030h]	2_2_03A3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE609 mov eax, dword ptr fs:[00000030h]	2_2_03AAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72619 mov eax, dword ptr fs:[00000030h]	2_2_03A72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]	2_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]	2_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]	2_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]	2_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A62674 mov eax, dword ptr fs:[00000030h]	2_2_03A62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4C640 mov eax, dword ptr fs:[00000030h]	2_2_03A4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]	2_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]	2_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32582 mov eax, dword ptr fs:[00000030h]	2_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32582 mov ecx, dword ptr fs:[00000030h]	2_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64588 mov eax, dword ptr fs:[00000030h]	2_2_03A64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E59C mov eax, dword ptr fs:[00000030h]	2_2_03A6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A325E0 mov eax, dword ptr fs:[00000030h]	2_2_03A325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A365D0 mov eax, dword ptr fs:[00000030h]	2_2_03A365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6500 mov eax, dword ptr fs:[00000030h]	2_2_03AC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]	2_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]	2_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]	2_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]	2_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]	2_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A364AB mov eax, dword ptr fs:[00000030h]	2_2_03A364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A644B0 mov ecx, dword ptr fs:[00000030h]	2_2_03A644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABA4B0 mov eax, dword ptr fs:[00000030h]	2_2_03ABA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEA49A mov eax, dword ptr fs:[00000030h]	2_2_03AEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A304E5 mov ecx, dword ptr fs:[00000030h]	2_2_03A304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]	2_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]	2_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]	2_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C427 mov eax, dword ptr fs:[00000030h]	2_2_03A2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A430 mov eax, dword ptr fs:[00000030h]	2_2_03A6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]	2_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]	2_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]	2_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC460 mov ecx, dword ptr fs:[00000030h]	2_2_03ABC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]	2_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]	2_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]	2_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEA456 mov eax, dword ptr fs:[00000030h]	2_2_03AEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2645D mov eax, dword ptr fs:[00000030h]	2_2_03A2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5245A mov eax, dword ptr fs:[00000030h]	2_2_03A5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h]	2_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h]	2_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03AE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03AE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EBFC mov eax, dword ptr fs:[00000030h]	2_2_03A5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABCBF0 mov eax, dword ptr fs:[00000030h]	2_2_03ABCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]	2_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]	2_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]	2_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]	2_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]	2_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]	2_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADEBD0 mov eax, dword ptr fs:[00000030h]	2_2_03ADEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04B00 mov eax, dword ptr fs:[00000030h]	2_2_03B04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2CB7E mov eax, dword ptr fs:[00000030h]	2_2_03A2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03AE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03AE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]	2_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]	2_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]	2_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]	2_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFAB40 mov eax, dword ptr fs:[00000030h]	2_2_03AFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD8B42 mov eax, dword ptr fs:[00000030h]	2_2_03AD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28B50 mov eax, dword ptr fs:[00000030h]	2_2_03A28B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADEB50 mov eax, dword ptr fs:[00000030h]	2_2_03ADEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86AA4 mov eax, dword ptr fs:[00000030h]	2_2_03A86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04A80 mov eax, dword ptr fs:[00000030h]	2_2_03B04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68A90 mov edx, dword ptr fs:[00000030h]	2_2_03A68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]	2_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]	2_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]	2_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30AD0 mov eax, dword ptr fs:[00000030h]	2_2_03A30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA24 mov eax, dword ptr fs:[00000030h]	2_2_03A6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EA2E mov eax, dword ptr fs:[00000030h]	2_2_03A5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]	2_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]	2_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA38 mov eax, dword ptr fs:[00000030h]	2_2_03A6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABCA11 mov eax, dword ptr fs:[00000030h]	2_2_03ABCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADEA60 mov eax, dword ptr fs:[00000030h]	2_2_03ADEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]	2_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]	2_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40A5B mov eax, dword ptr fs:[00000030h]	2_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40A5B mov eax, dword ptr fs:[00000030h]	2_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A309AD mov eax, dword ptr fs:[00000030h]	2_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A309AD mov eax, dword ptr fs:[00000030h]	2_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB89B3 mov esi, dword ptr fs:[00000030h]	2_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABE9E0 mov eax, dword ptr fs:[00000030h]	2_2_03ABE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A629F9 mov eax, dword ptr fs:[00000030h]	2_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A629F9 mov eax, dword ptr fs:[00000030h]	2_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC69C0 mov eax, dword ptr fs:[00000030h]	2_2_03AC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A649D0 mov eax, dword ptr fs:[00000030h]	2_2_03A649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA9D3 mov eax, dword ptr fs:[00000030h]	2_2_03AFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB892A mov eax, dword ptr fs:[00000030h]	2_2_03AB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC892B mov eax, dword ptr fs:[00000030h]	2_2_03AC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE908 mov eax, dword ptr fs:[00000030h]	2_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE908 mov eax, dword ptr fs:[00000030h]	2_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC912 mov eax, dword ptr fs:[00000030h]	2_2_03ABC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28918 mov eax, dword ptr fs:[00000030h]	2_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28918 mov eax, dword ptr fs:[00000030h]	2_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7096E mov eax, dword ptr fs:[00000030h]	2_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7096E mov edx, dword ptr fs:[00000030h]	2_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7096E mov eax, dword ptr fs:[00000030h]	2_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4978 mov eax, dword ptr fs:[00000030h]	2_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4978 mov eax, dword ptr fs:[00000030h]	2_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC97C mov eax, dword ptr fs:[00000030h]	2_2_03ABC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0946 mov eax, dword ptr fs:[00000030h]	2_2_03AB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04940 mov eax, dword ptr fs:[00000030h]	2_2_03B04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30887 mov eax, dword ptr fs:[00000030h]	2_2_03A30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC89D mov eax, dword ptr fs:[00000030h]	2_2_03ABC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA8E4 mov eax, dword ptr fs:[00000030h]	2_2_03AFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E8C0 mov eax, dword ptr fs:[00000030h]	2_2_03A5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B008C0 mov eax, dword ptr fs:[00000030h]	2_2_03B008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov ecx, dword ptr fs:[00000030h]	2_2_03A52835

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D0A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00D0A66C

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CF8189 SetUnhandledExceptionFilter,	0_2_00CF8189
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00CF81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CF81AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00BB5848 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00BB5848
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00BB33C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,	4_2_00BB33C0

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 3504			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 3504			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2FCD008

Jump to behavior

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D0B106 LogonUserW,

0_2_00D0B106

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00CD3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00CD3D19

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D1411C SendInput,keybd_event,

0_2_00D1411C

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D174E7 mouse_event,

0_2_00D174E7

Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RSLMZxqebl.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"			Jump to behavior

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

0_2_00D0A66C

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D171FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00D171FA

Source: explorer.exe, 00000003.00000000.1374027195.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3818737164.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: RSLMZxqebl.exe, explorer.exe, 00000003.00000003.3083861477.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835163726.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375688554.0000000004480000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.1374027195.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3818737164.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: RSLMZxqebl.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000000.1374027195.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3818737164.0000000001071000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000002.3816337685.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1373377380.0000000000A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanq

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00CF65C4 cpuid

0_2_00CF65C4

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D2091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_00D2091D

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D4B340 GetUserNameW,

0_2_00D4B340

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00D01E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00D01E8E

Source: C:\Users\user\Desktop\RSLMZxqebl.exe

Code function: 0_2_00CEDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CEDDC0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RSLMZxqebl.exe.33e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RSLMZxqebl.exe.33e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: RSLMZxqebl.exe	Binary or memory string: WIN_81
Source: RSLMZxqebl.exe	Binary or memory string: WIN_XP
Source: RSLMZxqebl.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: RSLMZxqebl.exe	Binary or memory string: WIN_XPe
Source: RSLMZxqebl.exe	Binary or memory string: WIN_VISTA
Source: RSLMZxqebl.exe	Binary or memory string: WIN_7
Source: RSLMZxqebl.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RSLMZxqebl.exe.33e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RSLMZxqebl.exe.33e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D28C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00D28C4F
Source: C:\Users\user\Desktop\RSLMZxqebl.exe	Code function: 0_2_00D2923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00D2923B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00BB6BB0 RpcServerUnregisterIfEx,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	4_2_00BB6BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00BB6AF0 EnterCriticalSection,RpcServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	4_2_00BB6AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4_2_00BB6B60 RpcServerUnregisterIf,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	4_2_00BB6B60

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Service Execution	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	3 Windows Service	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	215 System Information Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	3 Windows Service	2 Valid Accounts	LSA Secrets	251 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Virtualization/Sandbox Evasion	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	412 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RSLMZxqebl.exe	65%	Virustotal		Browse
RSLMZxqebl.exe	75%	ReversingLabs	Win32.Trojan.AutoitInject
RSLMZxqebl.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.unluoren.top	0%	Avira URL Cloud	safe
http://www.dult-diapers-53774.bondReferer:	0%	Avira URL Cloud	safe
http://www.ires-86307.bond/ud04/www.akrzus.pro	0%	Avira URL Cloud	safe
http://www.hoe-organizer-za.today	0%	Avira URL Cloud	safe
http://www.akrzus.pro	0%	Avira URL Cloud	safe
http://www.akrzus.pro/ud04/www.edcn.link	0%	Avira URL Cloud	safe
https://www.stacker.com/arizona/phoenix	0%	Avira URL Cloud	safe
https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de	0%	Avira URL Cloud	safe
https://android.notify.windows.com/iOSp	0%	Avira URL Cloud	safe
http://www.udulbet88.net	0%	Avira URL Cloud	safe
http://www.hoe-organizer-za.today/ud04/	0%	Avira URL Cloud	safe
http://www.ovonordisk.online/ud04/	0%	Avira URL Cloud	safe
http://www.unluoren.top/ud04/www.ires-86307.bond	0%	Avira URL Cloud	safe
http://www.hoe-organizer-za.todayReferer:	0%	Avira URL Cloud	safe
http://www.uy-now-pay-later-25573.bond/ud04/	0%	Avira URL Cloud	safe
http://www.mm.foo/ud04/www.2creativedesign.online	0%	Avira URL Cloud	safe
http://www.ovonordisk.online/ud04/www.unluoren.top	0%	Avira URL Cloud	safe
http://www.asik-eye-surgery-63293.bond/ud04/www.64axyozkgl.top	0%	Avira URL Cloud	safe
https://android.notify.windows.com/iOSJM	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark	0%	Avira URL Cloud	safe
http://www.uy-now-pay-later-25573.bondReferer:	0%	Avira URL Cloud	safe
http://www.ijanarko.net/ud04/www.asik-eye-surgery-63293.bond	0%	Avira URL Cloud	safe
http://www.2creativedesign.online/ud04/www.hoe-organizer-za.today	0%	Avira URL Cloud	safe
http://www.asik-eye-surgery-63293.bondReferer:	0%	Avira URL Cloud	safe
http://www.edcn.link	0%	Avira URL Cloud	safe
http://www.akrzus.proReferer:	0%	Avira URL Cloud	safe
http://www.ires-86307.bond	0%	Avira URL Cloud	safe
https://android.notify.windows.com/iOSZM	0%	Avira URL Cloud	safe
http://www.edcn.link/ud04/www.uy-now-pay-later-25573.bond	0%	Avira URL Cloud	safe
http://www.ybzert.online/ud04/www.ijanarko.net	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark	0%	Avira URL Cloud	safe
http://www.rime-flow-bay.xyz/ud04/www.mm.foo	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark	0%	Avira URL Cloud	safe
http://www.asik-eye-surgery-63293.bond	0%	Avira URL Cloud	safe
http://www.mm.fooReferer:	0%	Avira URL Cloud	safe
http://www.64axyozkgl.top/ud04/www.rime-flow-bay.xyz	100%	Avira URL Cloud	malware
http://www.ovonordisk.onlineReferer:	0%	Avira URL Cloud	safe
http://www.unluoren.top/ud04/	0%	Avira URL Cloud	safe
http://www.unluoren.topReferer:	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb	0%	Avira URL Cloud	safe
http://www.hoe-organizer-za.today/ud04/www.udulbet88.net	0%	Avira URL Cloud	safe
http://www.udulbet88.net/ud04/	0%	Avira URL Cloud	safe
http://www.mm.foo	0%	Avira URL Cloud	safe
http://www.rime-flow-bay.xyz/ud04/	0%	Avira URL Cloud	safe
http://www.ijanarko.netReferer:	0%	Avira URL Cloud	safe
http://www.ijanarko.net/ud04/	0%	Avira URL Cloud	safe
http://www.dult-diapers-53774.bond/ud04/www.ovonordisk.online	0%	Avira URL Cloud	safe
http://www.64axyozkgl.top	100%	Avira URL Cloud	malware
http://www.ovonordisk.online	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv	0%	Avira URL Cloud	safe
http://www.asik-eye-surgery-63293.bond/ud04/	0%	Avira URL Cloud	safe
http://www.akrzus.pro/ud04/	0%	Avira URL Cloud	safe
http://www.udulbet88.net/ud04/www.dult-diapers-53774.bond	0%	Avira URL Cloud	safe
http://www.ijanarko.net	0%	Avira URL Cloud	safe
http://www.mm.foo/ud04/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
www.ovonordisk.online	unknown	unknown	true	unknown
www.unluoren.top	unknown	unknown	true	unknown
www.ijanarko.net	unknown	unknown	true	unknown
www.dult-diapers-53774.bond	unknown	unknown	true	unknown
www.rime-flow-bay.xyz	unknown	unknown	true	unknown
www.asik-eye-surgery-63293.bond	unknown	unknown	true	unknown
www.mm.foo	unknown	unknown	true	unknown
www.64axyozkgl.top	unknown	unknown	true	unknown
www.hoe-organizer-za.today	unknown	unknown	true	unknown
www.2creativedesign.online	unknown	unknown	false	high
www.udulbet88.net	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.2creativedesign.online/ud04/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.2creativedesign.online/ud04/	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns.windows.com/bat	explorer.exe, 00000003.00000000.1378546111.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835887298.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2296963252.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3082474486.000000000899E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.stacker.com/arizona/phoenix	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000003.00000000.1374717579.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3081345944.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000003.00000003.2293597525.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1385494317.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3839394234.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp(	explorer.exe, 00000003.00000000.1385494317.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3839394234.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2293597525.000000000BD22000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.akrzus.pro	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dult-diapers-53774.bondReferer:	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.akrzus.pro/ud04/www.edcn.link	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.unluoren.top	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hoe-organizer-za.today	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.udulbet88.net	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ires-86307.bond/ud04/www.akrzus.pro	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOSp	explorer.exe, 00000003.00000003.2293597525.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1385494317.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3839394234.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hoe-organizer-za.today/ud04/	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ovonordisk.online/ud04/	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.hoe-organizer-za.todayReferer:	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/rT	explorer.exe, 00000003.00000000.1378546111.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835163726.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3091224502.0000000008796000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.mm.foo/ud04/www.2creativedesign.online	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ovonordisk.online/ud04/www.unluoren.top	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ybzert.online/ud04/	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000003.00000000.1378145800.00000000085D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2292225792.00000000085DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3834919184.00000000085E3000.00000004.00000001.00020000.00000000.sdmp	false		high
https://word.office.com	explorer.exe, 00000003.00000003.2293597525.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1385494317.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3839394234.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.uy-now-pay-later-25573.bond/ud04/	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ybzert.online	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.unluoren.top/ud04/www.ires-86307.bond	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOSJM	explorer.exe, 00000003.00000003.2293597525.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1385494317.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3839394234.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.asik-eye-surgery-63293.bond/ud04/www.64axyozkgl.top	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.2creativedesign.online/ud04/www.hoe-organizer-za.today	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ijanarko.net/ud04/www.asik-eye-surgery-63293.bond	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 00000003.00000003.2293597525.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1385494317.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3839394234.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.uy-now-pay-later-25573.bondReferer:	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.edcn.link	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOSZM	explorer.exe, 00000003.00000003.2293597525.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1385494317.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3839394234.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ires-86307.bond	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000003.00000003.2293597525.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1385494317.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3839394234.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.yelp.com	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.asik-eye-surgery-63293.bondReferer:	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.akrzus.proReferer:	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.edcn.link/ud04/www.uy-now-pay-later-25573.bond	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ybzert.online/ud04/www.ijanarko.net	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.rime-flow-bay.xyz/ud04/www.mm.foo	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?z$	explorer.exe, 00000003.00000003.3083861477.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835163726.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1378546111.0000000008685000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.mm.fooReferer:	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ybzert.onlineReferer:	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.64axyozkgl.top/ud04/www.rime-flow-bay.xyz	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.asik-eye-surgery-63293.bond	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000003.00000002.3821354616.0000000002C60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1377612448.00000000082D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1376779154.0000000007670000.00000002.00000001.00040000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://parade.com/61481/toriavey/where-did-hamburgers-originate	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ovonordisk.onlineReferer:	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.unluoren.top/ud04/	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/~T	explorer.exe, 00000003.00000000.1378546111.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3835163726.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3091224502.0000000008796000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.unluoren.topReferer:	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mm.foo	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.udulbet88.net/ud04/	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.2creativedesign.online	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.hoe-organizer-za.today/ud04/www.udulbet88.net	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ijanarko.net/ud04/	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rime-flow-bay.xyz/ud04/	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.2creativedesign.onlineReferer:	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ijanarko.netReferer:	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.dult-diapers-53774.bond/ud04/www.ovonordisk.online	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.64axyozkgl.top	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.akrzus.pro/ud04/	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.asik-eye-surgery-63293.bond/ud04/	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ovonordisk.online	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mm.foo/ud04/	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ijanarko.net	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.udulbet88.net/ud04/www.dult-diapers-53774.bond	explorer.exe, 00000003.00000002.3842100043.000000000C275000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3089443354.000000000C280000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298328570.000000000C274000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298199351.000000000C219000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2298492409.000000000C280000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.com	explorer.exe, 00000003.00000003.2293597525.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1385494317.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3839394234.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/world/england-considers-raising-smoking-age-until-cigarettes-are-bann	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA	explorer.exe, 00000003.00000003.2298578452.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375866455.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3831746497.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3087367359.0000000007065000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587605
Start date and time:	2025-01-10 15:33:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	RSLMZxqebl.exe renamed because original name is a hash value
Original Sample Name:	8c1abbfb1664d990fc963b506dee588c18ed4c286c4ed0d4d5e75b74175e1af0.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/2@12/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 59 Number of non-executed functions: 288
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:34:26	API Interceptor	6783827x Sleep call for process: explorer.exe modified
09:34:52	API Interceptor	6152586x Sleep call for process: svchost.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	nRNzqQOQwk.exe	Get hash	malicious	GuLoader	Browse	13.107.246.45
	PO-0005082025 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.107.246.45
	PO-0005082025 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.107.246.45
	Shipping Document.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.107.246.45
	1712226379134618467.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGN	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.filemail.com/d/rxythqchkhluipl?skipreg=true	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://eu.jotform.com/app/250092704521347	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://loginmicrosoftonline.Bdo.scoremasters.gr/cache/cdn?email=christian.wernli@bdo.ch	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://app.planable.io/review/0OPaw36t6M_k	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45

Process:	C:\Users\user\Desktop\RSLMZxqebl.exe
File Type:	data
Category:	dropped
Size (bytes):	181514
Entropy (8bit):	7.985956933900176
Encrypted:	false
SSDEEP:	3072:JfCvS5tr2JzkrcODIEQAfRbVDHmraj6p+nGHblXKu+iXgiyDPeNTaIq7K4O6JlM:i6S5wcjETBpQaj0+nolXKHiQti4I6BJq
MD5:	A9A4A8D4F9953CD4E7DF0B079FBB95D0
SHA1:	54983F80181543CC5AAAB4D4299EEF8907BC1D98
SHA-256:	D2E5F4808A984B677EADD7F300C5061BF2FF97920F3E249520BEC4735E93D74B
SHA-512:	5973D6BFFD31529082DEC4C39CF092F65119B9F14C9ABD09BA2AE703DB885D7FB21F7DE61C795E60FB72021CCD2BDB37F7173B38CE86E6B893FA8B9C0878FDC6
Malicious:	false
Reputation:	low
Preview:	EA06.......1....D..9..W3....7UZ.c...Q.;..".9...:.2cU.Vj..P.CX...H.P.V.t............=.....m6.Mm....U,..s...C .K'.K.^9..J$.k..y_..(g9........m..7.I..}E..s.YN.oG.~.........;...c,... ...N.D..i...V.....kGG.P.T..V....ZsmE..k.....Q..&..B.D..).....E...coF..i....Qb<Y.b.9...<..V.I.x...1.......l.m>..x.h..3.0....j.L..@(?...O....\.S..............?...g....z8..J..T#.(5.).....J.k!B....N.1.a!.9..#b..,../.3H.{..L...H....Z.ck...j<^..a.....}.U..L^..O....-...7......R;..d5...^k..s!uloj...x.:W..?..1ZG.gP...^IM{...k..p.C....4.....R.g..M..y...h.m}/........#....;..\|...f4..*...../r.....g..5.l.5....!.m. .......z..n..A.e.X.6...S1.M?.ta.M...0..p.#....L.......y...S...p.N..]..)..%f....a4.[....U,F....._m."e..ep[:....et..l......Y,6....Zj}.M[...B...w..........M..n9.j.....q..~t...O{.>....hy.j...O.D.P...!..FvW..kw......./.M..:Y..E....K...J.C7...[...pb...~...0..c.t..[.^.u..P...._~..w.M+..x../...r4Q......yn.?........o...t.3.....x........[..J...vaZ..v.....}.B.u.Uy../n)

C:\Users\user\AppData\Local\Temp\snaith

Download File

Process:	C:\Users\user\Desktop\RSLMZxqebl.exe
File Type:	data
Category:	dropped
Size (bytes):	189440
Entropy (8bit):	7.864223852004465
Encrypted:	false
SSDEEP:	3072:QOGNsR6aQDHummQEt62IyJ+U3hnGaH5QM7vIiEQDXZ/EykX7TQ6Q2xcGuQqS9+Xb:QOhYDH2QSJRo0Jvdpcz7ELGjqS9i4E
MD5:	A355CE6B39EB05A8FDB8832A5F888A21
SHA1:	FBE6B325940DEE3645011DF31E7A0F4E96E184D7
SHA-256:	F9E0E32F6082D26BFD3A9E66618B34D2E838A6BC85E6F295F9EADD2C71E69181
SHA-512:	A21AD76BB14BBBC58C1A1AF5015E7618E49B5B886B20E128609D4A554676BA34BD0A7BF4C34706056C8033B1E71A30FCE657A1274909B60DF4CF6403F52D5C9E
Malicious:	false
Reputation:	low
Preview:	.....EQD7...J...p.UQ..bFY...O9CGDCYL1URYTNJEQD7XO9CGDCYL1U.YTNDZ.J7.F.b.E..me=;t>866V5oZ")*,-lS0r+! j,?ds....( &wA<_vYTNJEQD..G.."...W..2..E....)..G....W.Y....7.e1,Q..".YL1URYTNJEQD7XO9..DC.M0U.F.pJEQD7XO9.GFBRM;UR.VNJEQD7XO9C.ECY\1UR.VNJE.D7HO9CEDC\L0URYTNOEPD7XO9C.FCYN1URYTNHE..7X_9CWDCYL!URITNJEQD'XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1U\|-16>EQDS.M9CWDCY.3URITNJEQD7XO9CGDCyL15RYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1URYTNJEQD7XO9CGDCYL1U

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.492276328017688
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RSLMZxqebl.exe
File size:	1'247'232 bytes
MD5:	3fc2b24484dda073e49d5185f1b4d623
SHA1:	205ba4e3999d60014125a2d1ebb801d8eb3fea16
SHA256:	8c1abbfb1664d990fc963b506dee588c18ed4c286c4ed0d4d5e75b74175e1af0
SHA512:	b52fbe98d9a3b6ad20923155f073f60f1e15ddbcfd89b2bdaf588cc8242929545bb07dea772c9c49fe624951d84266a8333b126ecbe763ba665c0722a243c049
SSDEEP:	24576:Ftb20pkaCqT5TBWgNQ7adfDaeVq4v8T7r96A:2Vg5tQ7adfDaL4v8nJ5
TLSH:	0245AD12239D8260C7B16273BF65F7316F7B7C6909A1F46B2FD40D3FBA64122121A663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	4bd8d4d2d3dcd84f

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67467A68 [Wed Nov 27 01:48:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F769D14E84Fh
jmp 00007F769D141864h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F769D1419EAh
cmp edi, eax
jc 00007F769D141D4Eh
bt dword ptr [004C0158h], 01h
jnc 00007F769D1419E9h
rep movsb
jmp 00007F769D141CFCh
cmp ecx, 00000080h
jc 00007F769D141BB4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F769D1419F0h
bt dword ptr [004BA370h], 01h
jc 00007F769D141EC0h
bt dword ptr [004C0158h], 00000000h
jnc 00007F769D141B8Dh
test edi, 00000003h
jne 00007F769D141B9Eh
test esi, 00000003h
jne 00007F769D141B7Dh
bt edi, 02h
jnc 00007F769D1419EFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F769D1419F3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F769D141A45h
bt esi, 03h
jnc 00007F769D141A98h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x67764	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12c000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x67764	0x67800	60aaf23a5511b1c34e7ce2bef40b8d5c	False	0.6201313405797102	data	6.03228970261965	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12c000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc4700	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc4828	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4950	0xc33	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain	0.9250720461095101
RT_ICON	0xc5584	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	Great Britain	0.0289246421388856
RT_ICON	0xd5dac	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	Great Britain	0.055943872188354005
RT_ICON	0xdf254	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	Great Britain	0.0688539741219963
RT_ICON	0xe46dc	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	Great Britain	0.06500944733112896
RT_ICON	0xe8904	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.10093360995850623
RT_ICON	0xeaeac	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.14165103189493433
RT_ICON	0xebf54	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	Great Britain	0.19508196721311474
RT_ICON	0xec8dc	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.26063829787234044
RT_MENU	0xecd44	0x50	data	English	Great Britain	0.9
RT_STRING	0xecd94	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xed328	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xed9b4	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xede44	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xee440	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xeea9c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xeef04	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xef05c	0x3c1b9	data			1.0003493080856698
RT_GROUP_ICON	0x12b218	0x84	data	English	Great Britain	0.7348484848484849
RT_GROUP_ICON	0x12b29c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x12b2b0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x12b2c4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x12b2d8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x12b3b4	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:35:26.300801992 CET	59874	53	192.168.2.9	1.1.1.1
Jan 10, 2025 15:35:26.305598974 CET	53	59874	1.1.1.1	192.168.2.9
Jan 10, 2025 15:35:26.305663109 CET	59874	53	192.168.2.9	1.1.1.1
Jan 10, 2025 15:35:26.305727005 CET	59874	53	192.168.2.9	1.1.1.1
Jan 10, 2025 15:35:26.310483932 CET	53	59874	1.1.1.1	192.168.2.9
Jan 10, 2025 15:35:26.782628059 CET	53	59874	1.1.1.1	192.168.2.9
Jan 10, 2025 15:35:26.783376932 CET	59874	53	192.168.2.9	1.1.1.1
Jan 10, 2025 15:35:26.788413048 CET	53	59874	1.1.1.1	192.168.2.9
Jan 10, 2025 15:35:26.788463116 CET	59874	53	192.168.2.9	1.1.1.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:35:06.045257092 CET	56494	53	192.168.2.9	1.1.1.1
Jan 10, 2025 15:35:06.054486036 CET	53	56494	1.1.1.1	192.168.2.9
Jan 10, 2025 15:35:26.293715000 CET	56130	53	192.168.2.9	1.1.1.1
Jan 10, 2025 15:35:26.300350904 CET	53	56130	1.1.1.1	192.168.2.9
Jan 10, 2025 15:35:46.684765100 CET	60231	53	192.168.2.9	1.1.1.1
Jan 10, 2025 15:35:46.865088940 CET	53	60231	1.1.1.1	192.168.2.9
Jan 10, 2025 15:36:07.556634903 CET	61614	53	192.168.2.9	1.1.1.1
Jan 10, 2025 15:36:07.570704937 CET	53	61614	1.1.1.1	192.168.2.9
Jan 10, 2025 15:36:29.166697025 CET	63952	53	192.168.2.9	1.1.1.1
Jan 10, 2025 15:36:29.186110973 CET	53	63952	1.1.1.1	192.168.2.9
Jan 10, 2025 15:36:50.842006922 CET	52447	53	192.168.2.9	1.1.1.1
Jan 10, 2025 15:36:50.852123976 CET	53	52447	1.1.1.1	192.168.2.9
Jan 10, 2025 15:37:11.918083906 CET	61935	53	192.168.2.9	1.1.1.1
Jan 10, 2025 15:37:11.927504063 CET	53	61935	1.1.1.1	192.168.2.9
Jan 10, 2025 15:37:33.420572996 CET	59512	53	192.168.2.9	1.1.1.1
Jan 10, 2025 15:37:33.431081057 CET	53	59512	1.1.1.1	192.168.2.9
Jan 10, 2025 15:37:54.805144072 CET	62912	53	192.168.2.9	1.1.1.1
Jan 10, 2025 15:37:54.814100027 CET	53	62912	1.1.1.1	192.168.2.9
Jan 10, 2025 15:38:19.695444107 CET	61954	53	192.168.2.9	1.1.1.1
Jan 10, 2025 15:38:19.704071999 CET	53	61954	1.1.1.1	192.168.2.9
Jan 10, 2025 15:38:37.840995073 CET	52658	53	192.168.2.9	1.1.1.1
Jan 10, 2025 15:38:38.014378071 CET	53	52658	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 15:35:06.045257092 CET	192.168.2.9	1.1.1.1	0x508e	Standard query (0)	www.ijanarko.net	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:35:26.293715000 CET	192.168.2.9	1.1.1.1	0xee84	Standard query (0)	www.asik-eye-surgery-63293.bond	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:35:26.305727005 CET	192.168.2.9	1.1.1.1	0x1	Standard query (0)	www.asik-eye-surgery-63293.bond	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:35:46.684765100 CET	192.168.2.9	1.1.1.1	0x66e1	Standard query (0)	www.64axyozkgl.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:36:07.556634903 CET	192.168.2.9	1.1.1.1	0xb80d	Standard query (0)	www.rime-flow-bay.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:36:29.166697025 CET	192.168.2.9	1.1.1.1	0x8115	Standard query (0)	www.mm.foo	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:36:50.842006922 CET	192.168.2.9	1.1.1.1	0xde91	Standard query (0)	www.2creativedesign.online	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:37:11.918083906 CET	192.168.2.9	1.1.1.1	0x5a54	Standard query (0)	www.hoe-organizer-za.today	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:37:33.420572996 CET	192.168.2.9	1.1.1.1	0x2c8c	Standard query (0)	www.udulbet88.net	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:37:54.805144072 CET	192.168.2.9	1.1.1.1	0x7db2	Standard query (0)	www.dult-diapers-53774.bond	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:38:19.695444107 CET	192.168.2.9	1.1.1.1	0xce3c	Standard query (0)	www.ovonordisk.online	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:38:37.840995073 CET	192.168.2.9	1.1.1.1	0x80a3	Standard query (0)	www.unluoren.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 15:34:04.566540956 CET	1.1.1.1	192.168.2.9	0xda60	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 15:34:04.566540956 CET	1.1.1.1	192.168.2.9	0xda60	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:35:06.054486036 CET	1.1.1.1	192.168.2.9	0x508e	Name error (3)	www.ijanarko.net	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:35:26.782628059 CET	1.1.1.1	192.168.2.9	0x1	Name error (3)	www.asik-eye-surgery-63293.bond	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:35:46.865088940 CET	1.1.1.1	192.168.2.9	0x66e1	Name error (3)	www.64axyozkgl.top	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:36:07.570704937 CET	1.1.1.1	192.168.2.9	0xb80d	Name error (3)	www.rime-flow-bay.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:36:29.186110973 CET	1.1.1.1	192.168.2.9	0x8115	Name error (3)	www.mm.foo	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:36:50.852123976 CET	1.1.1.1	192.168.2.9	0xde91	Name error (3)	www.2creativedesign.online	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:37:11.927504063 CET	1.1.1.1	192.168.2.9	0x5a54	Name error (3)	www.hoe-organizer-za.today	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:37:33.431081057 CET	1.1.1.1	192.168.2.9	0x2c8c	Name error (3)	www.udulbet88.net	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:37:54.814100027 CET	1.1.1.1	192.168.2.9	0x7db2	Name error (3)	www.dult-diapers-53774.bond	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:38:19.704071999 CET	1.1.1.1	192.168.2.9	0xce3c	Name error (3)	www.ovonordisk.online	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:38:38.014378071 CET	1.1.1.1	192.168.2.9	0x80a3	Name error (3)	www.unluoren.top	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	09:34:07
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\RSLMZxqebl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RSLMZxqebl.exe"
Imagebase:	0xcd0000
File size:	1'247'232 bytes
MD5 hash:	3FC2B24484DDA073E49D5185F1B4D623
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1370562503.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:34:09
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RSLMZxqebl.exe"
Imagebase:	0xbb0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1426177186.0000000003D80000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1426130337.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1424906360.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:34:10
Start date:	10/01/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff633410000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	09:34:12
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\svchost.exe"
Imagebase:	0xbb0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3818731276.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3818649368.0000000003190000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3813556628.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	09:34:16
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\SysWOW64\svchost.exe"
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:34:16
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	10.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	32

Executed Functions

Function 00CFB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89084605c895dccdbbf4016f7a6e36c074ece780fa5608faa44372e447893f8e
Instruction ID: 5136b5d480a0d818ab295972f2331ee188fe2d801e25d0ab375e7bec0199145e
Opcode Fuzzy Hash: 89084605c895dccdbbf4016f7a6e36c074ece780fa5608faa44372e447893f8e
Instruction Fuzzy Hash: 1B326C75A022288FCB649F14DD81AE9B7B5FF46310F1841D9E91AE7A81D7309E80CF63

Function 00CD3D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00CD3AA3,?), ref: 00CD3D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00CD3AA3,?), ref: 00CD3D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,00D91148,00D91130,?,?,?,?,00CD3AA3,?), ref: 00CD3DC8

Part of subcall function 00CD6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00CD3DEE,00D91148,?,?,?,?,?,00CD3AA3,?), ref: 00CD6471

SetCurrentDirectoryW.KERNEL32(?,?,?,00CD3AA3,?), ref: 00CD3E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00D828F4,00000010), ref: 00D41CCE
SetCurrentDirectoryW.KERNEL32(?,00D91148,?,?,?,?,?,00CD3AA3,?), ref: 00D41D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00D6DAB4,00D91148,?,?,?,?,?,00CD3AA3,?), ref: 00D41D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00CD3AA3), ref: 00D41D90

Part of subcall function 00CD3E6E: GetSysColorBrush.USER32(0000000F), ref: 00CD3E79
Part of subcall function 00CD3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00CD3E88
Part of subcall function 00CD3E6E: LoadIconW.USER32(00000063), ref: 00CD3E9E
Part of subcall function 00CD3E6E: LoadIconW.USER32(000000A4), ref: 00CD3EB0
Part of subcall function 00CD3E6E: LoadIconW.USER32(000000A2), ref: 00CD3EC2
Part of subcall function 00CD3E6E: RegisterClassExW.USER32(?), ref: 00CD3F30

Part of subcall function 00CD36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00CD36E6
Part of subcall function 00CD36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00CD3707
Part of subcall function 00CD36B8: ShowWindow.USER32(00000000,?,?,?,?,00CD3AA3,?), ref: 00CD371B
Part of subcall function 00CD36B8: ShowWindow.USER32(00000000,?,?,?,?,00CD3AA3,?), ref: 00CD3724

Part of subcall function 00CD4FFC: _memset.LIBCMT ref: 00CD5022
Part of subcall function 00CD4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00CD50CB

Strings

runas, xrefs: 00D41D84
This is a third-party compiled AutoIt script., xrefs: 00D41CC8

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-3287110873
Opcode ID: 72e263dad3a09e2f05e48d55af548bff2654ec0abb07c7f3572ae85ba775269b
Instruction ID: 4e4efea059699adc1d6f3396e38384c446ca8c3d48fbb7237b0a1590944e6e18
Opcode Fuzzy Hash: 72e263dad3a09e2f05e48d55af548bff2654ec0abb07c7f3572ae85ba775269b
Instruction Fuzzy Hash: CC51C535A44386BECF11ABF0DC41EAD7B759B15740F044067F711A63E2DA744A49DB32

Function 00CEDDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00CEDDEC
GetCurrentProcess.KERNEL32(00000000,00D6DC38,?,?), ref: 00CEDEAC
GetNativeSystemInfo.KERNELBASE(?,00D6DC38,?,?), ref: 00CEDF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 00CEDF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 00CEDF1F
GetSystemInfo.KERNEL32(?,00D6DC38,?,?), ref: 00CEDF29
GetSystemInfo.KERNEL32(?,00D6DC38,?,?), ref: 00CEDF35

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 33d80c4e87978a4b8617d935729bd13d13c5ca8e503880cddc195f34a67a087c
Instruction ID: 919d8db9cde9901c4f74eb4d8e348942aadc759def8b93c1001fd3a6868f7e1c
Opcode Fuzzy Hash: 33d80c4e87978a4b8617d935729bd13d13c5ca8e503880cddc195f34a67a087c
Instruction Fuzzy Hash: 6261A3B180A3C4CFCF15CFA998C55E97FB4AF39300B1949D9D84A9F247C624CA49CB65

Function 00CD406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00CD449E,?,?,00000000,00000001), ref: 00CD407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00CD449E,?,?,00000000,00000001), ref: 00CD4092
LoadResource.KERNEL32(?,00000000,?,?,00CD449E,?,?,00000000,00000001,?,?,?,?,?,?,00CD41FB), ref: 00D44F1A
SizeofResource.KERNEL32(?,00000000,?,?,00CD449E,?,?,00000000,00000001,?,?,?,?,?,?,00CD41FB), ref: 00D44F2F
LockResource.KERNEL32(00CD449E,?,?,00CD449E,?,?,00000000,00000001,?,?,?,?,?,?,00CD41FB,00000000), ref: 00D44F42

Strings

SCRIPT, xrefs: 00CD4088

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 405aa759977c3f968d53cef65997764acb410b46c6bdd9a51ff51dc02551a1ae
Instruction ID: c9a990ad30b0d985829228efd9a23038aac0969cac288149cb570fad34e13bf9
Opcode Fuzzy Hash: 405aa759977c3f968d53cef65997764acb410b46c6bdd9a51ff51dc02551a1ae
Instruction Fuzzy Hash: FA114C70240701AFE7258B25DC89F277BBAEBC5B51F10456DB612C6350DA71EC408A31

Function 00D16CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00D42F49), ref: 00D16CB9
FindFirstFileW.KERNELBASE(?,?), ref: 00D16CCA
FindClose.KERNEL32(00000000), ref: 00D16CDA

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: cd08d09b4650dc5a1980d9ae3824d9ebb875c5507cfd26440ba3e74b259518e3
Instruction ID: 4382fdbcc95cb20d47dd14f82aa9a41066e24f9396baaedeef1a647d057f9c29
Opcode Fuzzy Hash: cd08d09b4650dc5a1980d9ae3824d9ebb875c5507cfd26440ba3e74b259518e3
Instruction Fuzzy Hash: A0E04831815B156B82206738FC0D8E97F6EDB0533AF104715F975C12D0EB70D98445F5

Function 00CE3B70 Relevance: 2.2, Strings: 1, Instructions: 903COMMON

Download Yara Rule

Strings

@, xrefs: 00CE4176

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @
API String ID: 3728558374-2766056989
Opcode ID: a36f542194f73422f34153aa6109d1615e6a7493383d38986de7c7050c5f64f1
Instruction ID: 4c6f812abf220cfeceef8407607c776e09851fbb66deb8c8a974ff946c9761a8
Opcode Fuzzy Hash: a36f542194f73422f34153aa6109d1615e6a7493383d38986de7c7050c5f64f1
Instruction Fuzzy Hash: 2272CF30E04288EFCF14DF96C885ABEB7B5EF48300F18805AE915AB351D771AE45CBA1

Function 00CE3200 Relevance: 1.0, Instructions: 986COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 7c11b3806999ed25d5d05875c9926c6be3fa42afc800edc472666d21838bb98f
Instruction ID: 91891d28fb00e48703a09f808581ac041eb86989c7c7bdccf7558d64cbcdabd4
Opcode Fuzzy Hash: 7c11b3806999ed25d5d05875c9926c6be3fa42afc800edc472666d21838bb98f
Instruction Fuzzy Hash: 3C928B706083819FD724DF1AC494B6AB7E1BF88304F14885DF99A8B3A2D771ED45CB62

Function 00CDE3B0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9acc705952fc96b4af7b6055043c873bf4c4e2c440bb084740cae0b50c081c1c
Instruction ID: 149b6d2b91b4b9e21019e9aaa1d0267c64d2d41e91f67fb18ef50336db4aa1a1
Opcode Fuzzy Hash: 9acc705952fc96b4af7b6055043c873bf4c4e2c440bb084740cae0b50c081c1c
Instruction Fuzzy Hash: 02229070904209DFDB24EF59C481AAEB7F1FF14304F14816AEA5A9F351E731AD82DBA1

Function 00CDE8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CDE959
timeGetTime.WINMM ref: 00CDEBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CDED2E
TranslateMessage.USER32(?), ref: 00CDED3F
DispatchMessageW.USER32(?), ref: 00CDED4A
LockWindowUpdate.USER32(00000000), ref: 00CDED79
DestroyWindow.USER32 ref: 00CDED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CDED9F
Sleep.KERNEL32(0000000A), ref: 00D45270
TranslateMessage.USER32(?), ref: 00D459F7
DispatchMessageW.USER32(?), ref: 00D45A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D45A19

Strings

@GUI_CTRLHANDLE, xrefs: 00D453AC
@GUI_WINHANDLE, xrefs: 00D45360
@GUI_CTRLID, xrefs: 00D45314
@TRAY_ID, xrefs: 00D454C9

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 88f9bbb4df8b968de84509f6ed7cc98ce9f43fdad296f0a7d30c05c8bc839449
Instruction ID: 0fc375361a9cea924768bcbd4e14a79795f0029decf1d4b1f594bd7fe8685ccd
Opcode Fuzzy Hash: 88f9bbb4df8b968de84509f6ed7cc98ce9f43fdad296f0a7d30c05c8bc839449
Instruction Fuzzy Hash: 3462B0705043419FDB20EF24D885BAA77E5BF44304F18496EFA8A8B396DB71E844DB72

Function 00D05C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00D05EC3
___createFile.LIBCMT ref: 00D05F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00D05F2D
__dosmaperr.LIBCMT ref: 00D05F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00D05F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00D05F6A
__dosmaperr.LIBCMT ref: 00D05F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00D05F7C
__set_osfhnd.LIBCMT ref: 00D05FAC
__lseeki64_nolock.LIBCMT ref: 00D06016
__close_nolock.LIBCMT ref: 00D0603C
__chsize_nolock.LIBCMT ref: 00D0606C
__lseeki64_nolock.LIBCMT ref: 00D0607E
__lseeki64_nolock.LIBCMT ref: 00D06176
__lseeki64_nolock.LIBCMT ref: 00D0618B
__close_nolock.LIBCMT ref: 00D061EB

Part of subcall function 00CFEA9C: CloseHandle.KERNELBASE(00000000,00D7EEF4,00000000,?,00D06041,00D7EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00CFEAEC
Part of subcall function 00CFEA9C: GetLastError.KERNEL32(?,00D06041,00D7EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00CFEAF6
Part of subcall function 00CFEA9C: __free_osfhnd.LIBCMT ref: 00CFEB03
Part of subcall function 00CFEA9C: __dosmaperr.LIBCMT ref: 00CFEB25

Part of subcall function 00CF7C0E: __getptd_noexit.LIBCMT ref: 00CF7C0E

__lseeki64_nolock.LIBCMT ref: 00D0620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00D06342
___createFile.LIBCMT ref: 00D06361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00D0636E
__dosmaperr.LIBCMT ref: 00D06375
__free_osfhnd.LIBCMT ref: 00D06395
__invoke_watson.LIBCMT ref: 00D063C3
__wsopen_helper.LIBCMT ref: 00D063DD

Strings

@, xrefs: 00D05F98

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: f9d11c669b6141df44e3517e721f2f24a5ab77716ced535462c55e3da3a8d3a2
Instruction ID: 659a96826bf63856db0ad715a3621ffcbe921eda33764bf32ea2e698606d7b8e
Opcode Fuzzy Hash: f9d11c669b6141df44e3517e721f2f24a5ab77716ced535462c55e3da3a8d3a2
Instruction Fuzzy Hash: 5422357190060A9FEF259F68EC45BBE7B61EF01320F2C4229E959972D5C235CD60DBB2

Function 00CFEE0E Relevance: 26.2, APIs: 17, Instructions: 664COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 4110b2090429326f6a7002e877f002ade1a603bc202e29c3a4b8561710755e84
Instruction ID: 80ddc2805b37341d30d5b167667a807329e6c31f137673e51779c17b7d2b3db6
Opcode Fuzzy Hash: 4110b2090429326f6a7002e877f002ade1a603bc202e29c3a4b8561710755e84
Instruction Fuzzy Hash: C3324871A0425DDFDB618F68D840BBD7BB1EF45310F28416EEAA59B392C7309943CB62

Function 00D1FA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 00D1FA96
_wcschr.LIBCMT ref: 00D1FAA4
_wcscpy.LIBCMT ref: 00D1FABB
_wcscat.LIBCMT ref: 00D1FACA
_wcscat.LIBCMT ref: 00D1FAE8
_wcscpy.LIBCMT ref: 00D1FB09
__wsplitpath.LIBCMT ref: 00D1FBE6
_wcscpy.LIBCMT ref: 00D1FC0B
_wcscpy.LIBCMT ref: 00D1FC1D
_wcscpy.LIBCMT ref: 00D1FC32
_wcscat.LIBCMT ref: 00D1FC47
_wcscat.LIBCMT ref: 00D1FC59
_wcscat.LIBCMT ref: 00D1FC6E

Part of subcall function 00D1BFA4: _wcscmp.LIBCMT ref: 00D1C03E
Part of subcall function 00D1BFA4: __wsplitpath.LIBCMT ref: 00D1C083
Part of subcall function 00D1BFA4: _wcscpy.LIBCMT ref: 00D1C096
Part of subcall function 00D1BFA4: _wcscat.LIBCMT ref: 00D1C0A9
Part of subcall function 00D1BFA4: __wsplitpath.LIBCMT ref: 00D1C0CE
Part of subcall function 00D1BFA4: _wcscat.LIBCMT ref: 00D1C0E4
Part of subcall function 00D1BFA4: _wcscat.LIBCMT ref: 00D1C0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00D1FA61

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: 61dd1b83b60c61fa91994eb5167e166a9e7d57caceab9ea681e8381bdd4c9c3d
Instruction ID: 537a6d40e0084f879629a8444919db6e5e4bf4eca7032e8d386dd53b53e9f186
Opcode Fuzzy Hash: 61dd1b83b60c61fa91994eb5167e166a9e7d57caceab9ea681e8381bdd4c9c3d
Instruction Fuzzy Hash: BB91A272504305AFDB20EF54D951FABB3E8FF94710F044869FA49972A2DB30E944DBA2

Function 00CD3F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00CD3F86
RegisterClassExW.USER32(00000030), ref: 00CD3FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CD3FC1
InitCommonControlsEx.COMCTL32(?), ref: 00CD3FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CD3FEE
LoadIconW.USER32(000000A9), ref: 00CD4004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CD4013

Strings

AutoIt v3 GUI, xrefs: 00CD3FA2
+, xrefs: 00CD3F6F
0, xrefs: 00CD3F68
TaskbarCreated, xrefs: 00CD3FB6

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 2819e3b0b73a8ef6593acec5a146241253e4f243e8c1f525aa64298c15b819d3
Instruction ID: 2ad595db9fed6705b715c30279d5bbacbd6fae659fa62d9b0cef3ac33d7d6f87
Opcode Fuzzy Hash: 2819e3b0b73a8ef6593acec5a146241253e4f243e8c1f525aa64298c15b819d3
Instruction Fuzzy Hash: C62194B9D00319AFDB109FA5EC89B9DBBB5FB08711F00421AF915E63A0D7B545448FB1

Function 00D1BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D1BDB4: __time64.LIBCMT ref: 00D1BDBE

Part of subcall function 00CD4517: _fseek.LIBCMT ref: 00CD452F

__wsplitpath.LIBCMT ref: 00D1C083

Part of subcall function 00CF1DFC: __wsplitpath_helper.LIBCMT ref: 00CF1E3C

_wcscpy.LIBCMT ref: 00D1C096
_wcscat.LIBCMT ref: 00D1C0A9
__wsplitpath.LIBCMT ref: 00D1C0CE
_wcscat.LIBCMT ref: 00D1C0E4
_wcscat.LIBCMT ref: 00D1C0F7
_wcscmp.LIBCMT ref: 00D1C03E

Part of subcall function 00D1C56D: _wcscmp.LIBCMT ref: 00D1C65D
Part of subcall function 00D1C56D: _wcscmp.LIBCMT ref: 00D1C670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00D1C2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D1C338
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D1C34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D1C35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D1C371

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: 599c63268021e697356249838977d87492e97e37d1a1747c17478cc07fd3700f
Instruction ID: 23b0242fd1d732d8b8651aa8d8058172259c613df02a92a16e51a0c8b9271bab
Opcode Fuzzy Hash: 599c63268021e697356249838977d87492e97e37d1a1747c17478cc07fd3700f
Instruction Fuzzy Hash: 3DC13CB1940219AFDF25DF95DC81EEEB7BDEF49310F0040A6F609E6251DB309A849F61

Function 00CD3742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00CD37B3
KillTimer.USER32(?,00000001), ref: 00CD37DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00CD3800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CD380B
CreatePopupMenu.USER32 ref: 00CD381F
PostQuitMessage.USER32(00000000), ref: 00CD382E

Strings

TaskbarCreated, xrefs: 00CD3806

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: dbf57f7059ecf0058ae02f6adbdc0d4926503653dcfd88c53d501e501f3db51d
Instruction ID: ca412d786c57d67b755f18968b01959dc36f8becae24947d11d4fdfbb52b3b1a
Opcode Fuzzy Hash: dbf57f7059ecf0058ae02f6adbdc0d4926503653dcfd88c53d501e501f3db51d
Instruction Fuzzy Hash: 704116F920078BABDB245B689E4AB7A3796F700341F050127FB16D2391CB619E909673

Function 00CD3E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00CD3E79
LoadCursorW.USER32(00000000,00007F00), ref: 00CD3E88
LoadIconW.USER32(00000063), ref: 00CD3E9E
LoadIconW.USER32(000000A4), ref: 00CD3EB0
LoadIconW.USER32(000000A2), ref: 00CD3EC2

Part of subcall function 00CD4024: LoadImageW.USER32(00CD0000,00000063,00000001,00000010,00000010,00000000), ref: 00CD4048

RegisterClassExW.USER32(?), ref: 00CD3F30

Part of subcall function 00CD3F53: GetSysColorBrush.USER32(0000000F), ref: 00CD3F86
Part of subcall function 00CD3F53: RegisterClassExW.USER32(00000030), ref: 00CD3FB0
Part of subcall function 00CD3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CD3FC1
Part of subcall function 00CD3F53: InitCommonControlsEx.COMCTL32(?), ref: 00CD3FDE
Part of subcall function 00CD3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CD3FEE
Part of subcall function 00CD3F53: LoadIconW.USER32(000000A9), ref: 00CD4004
Part of subcall function 00CD3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CD4013

Strings

#, xrefs: 00CD3F09
AutoIt v3, xrefs: 00CD3F1F
0, xrefs: 00CD3F02

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: b8b895be717cc8aa4b6f80894dc2f97884061d6200be67a5b2864ec3432a6fcb
Instruction ID: c6cf2e68ee04fc9be890b531f5c42fb2b78a32946b323294be311bb64a3947da
Opcode Fuzzy Hash: b8b895be717cc8aa4b6f80894dc2f97884061d6200be67a5b2864ec3432a6fcb
Instruction Fuzzy Hash: A92139B8E04305ABCB11DFA9EC4AA99BFF5EB48310F00412BE619E33A0D77546408FB1

Function 01116720 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 011167F1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01116A17

Memory Dump Source

Source File: 00000000.00000002.1370481045.0000000001114000.00000040.00000020.00020000.00000000.sdmp, Offset: 01114000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1114000_RSLMZxqebl.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: 6d56a3c85b0b8b1a5d1200800a0eb843145435472cf7210940289632b708891e
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: E7A11974E00209EFDB18CFA4C994BEEFBB6BF48304F108569E505BB284D7B69A44CB55

Function 00CD49FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00CD4A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00D441DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00D4421A
RegCloseKey.ADVAPI32(?), ref: 00D44249

Strings

Software\AutoIt v3\AutoIt, xrefs: 00CD4A13
Include, xrefs: 00D441D3, 00D44212

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 27b352da9d42382b4f352b3e4264898018fcdad06ba731432657583823b5b6e6
Instruction ID: 830922ff612d9a3f059c1e00e8cb11149a4d25261835be9692f8cab65be20628
Opcode Fuzzy Hash: 27b352da9d42382b4f352b3e4264898018fcdad06ba731432657583823b5b6e6
Instruction Fuzzy Hash: 4F114271A01209BFDB14ABA8DD86DBF7BBCEF04345F004055B606D6291EA709E45EB60

Function 00CD36B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00CD36E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00CD3707
ShowWindow.USER32(00000000,?,?,?,?,00CD3AA3,?), ref: 00CD371B
ShowWindow.USER32(00000000,?,?,?,?,00CD3AA3,?), ref: 00CD3724

Strings

edit, xrefs: 00CD3701
AutoIt v3, xrefs: 00CD36DE, 00CD36E3, 00CD36E4

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: e9ce3a2c42c6441d732f8aecaed4ff561eec6c201186853f8bdea03d1de9ab4f
Instruction ID: 95b3dfbcdec511d8073b11338cf00c71289c8c55674b041f149407c2007b0f0b
Opcode Fuzzy Hash: e9ce3a2c42c6441d732f8aecaed4ff561eec6c201186853f8bdea03d1de9ab4f
Instruction Fuzzy Hash: 8FF0DA79A403D17AEB315757BC09E673E7EE7C6F61F00001BBA09E23A0C6620895DAB1

Function 00CF7B47 Relevance: 9.0, APIs: 6, Instructions: 45
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__init_pointers.LIBCMT ref: 00CF7B47

Part of subcall function 00CF123A: __initp_misc_winsig.LIBCMT ref: 00CF125E
Part of subcall function 00CF123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00CF7F51
Part of subcall function 00CF123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00CF7F65
Part of subcall function 00CF123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00CF7F78
Part of subcall function 00CF123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00CF7F8B
Part of subcall function 00CF123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00CF7F9E
Part of subcall function 00CF123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00CF7FB1
Part of subcall function 00CF123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00CF7FC4
Part of subcall function 00CF123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00CF7FD7
Part of subcall function 00CF123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00CF7FEA
Part of subcall function 00CF123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00CF7FFD
Part of subcall function 00CF123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00CF8010
Part of subcall function 00CF123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00CF8023
Part of subcall function 00CF123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00CF8036
Part of subcall function 00CF123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00CF8049
Part of subcall function 00CF123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00CF805C
Part of subcall function 00CF123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00CF806F

__mtinitlocks.LIBCMT ref: 00CF7B4C

Part of subcall function 00CF7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(00D8AC68,00000FA0,?,?,00CF7B51,00CF5E77,00D86C70,00000014), ref: 00CF7E41

__mtterm.LIBCMT ref: 00CF7B55

Part of subcall function 00CF7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00CF7B5A,00CF5E77,00D86C70,00000014), ref: 00CF7D3F
Part of subcall function 00CF7BBD: _free.LIBCMT ref: 00CF7D46
Part of subcall function 00CF7BBD: DeleteCriticalSection.KERNEL32(00D8AC68,?,?,00CF7B5A,00CF5E77,00D86C70,00000014), ref: 00CF7D68

__calloc_crt.LIBCMT ref: 00CF7B7A
GetCurrentThreadId.KERNEL32 ref: 00CF7BA3

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: a5991eb89bcd173148d0aedc3c5edf6061abf8ad6c35a25da3925d4b6808e3d0
Instruction ID: d1a44e2354bc3d0f6cc4c5730a2c572f970ae8f327a80fdfdfb497ba940a0bd6
Opcode Fuzzy Hash: a5991eb89bcd173148d0aedc3c5edf6061abf8ad6c35a25da3925d4b6808e3d0
Instruction Fuzzy Hash: 9CF0963251D71A1FEAE877787C06A7A26949F02730B2107AAFB70D51D5FF248941A1B3

Function 01116500 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 142
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 011163F0: Sleep.KERNELBASE(000001F4), ref: 01116401

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01116616

Strings

RYTNJEQD7XO9CGDCYL1U, xrefs: 01116679, 0111667C

Memory Dump Source

Source File: 00000000.00000002.1370481045.0000000001114000.00000040.00000020.00020000.00000000.sdmp, Offset: 01114000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1114000_RSLMZxqebl.jbxd

Similarity

API ID: CreateFileSleep
String ID: RYTNJEQD7XO9CGDCYL1U
API String ID: 2694422964-123414838
Opcode ID: 9309e428509e1c8ac622b554d9f4a51de0b802f22b848e4c9a7816c07c10f264
Instruction ID: 48ff3b481fac93788bfc71f3ae5bc0460376b5ad5722b5df823eefb0d83e726d
Opcode Fuzzy Hash: 9309e428509e1c8ac622b554d9f4a51de0b802f22b848e4c9a7816c07c10f264
Instruction Fuzzy Hash: 1151A270D14299DBEF15DBE4C814BEEBB75AF14304F004599E6487B2C0D7BA0B48CBA6

Function 00CD51AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CD522F
_wcscpy.LIBCMT ref: 00CD5283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00CD5293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00D43CB0

Strings

Line: , xrefs: 00D43CD9

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: d0424f06554a2a406f3b0f85fe75e9b40d96ee13902e0b00e3613c25bec29133
Instruction ID: 31eda012f9885f10baa346c081a5f55cde25e0752d8c587d2d2219ea81eff5d8
Opcode Fuzzy Hash: d0424f06554a2a406f3b0f85fe75e9b40d96ee13902e0b00e3613c25bec29133
Instruction Fuzzy Hash: 1731AF75108741AFD721EB60EC42FEF77E8AB44310F00451BF69992292EB70A64CDBA6

Function 00CD4139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 00CD41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00CD39FE,?,00000001), ref: 00CD41DB

_free.LIBCMT ref: 00D436B7
_free.LIBCMT ref: 00D436FE

Part of subcall function 00CDC833: __wsplitpath.LIBCMT ref: 00CDC93E
Part of subcall function 00CDC833: _wcscpy.LIBCMT ref: 00CDC953
Part of subcall function 00CDC833: _wcscat.LIBCMT ref: 00CDC968
Part of subcall function 00CDC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00CDC978

Strings

Bad directive syntax error, xrefs: 00D436E4
>>>AUTOIT SCRIPT<<<, xrefs: 00D43491

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 689b15ca31c11a45b254aee966fc992e3ac9f9e3d34e6e6a637caba71febe818
Instruction ID: 8dd2b37e91afde86f32056b7fa732ae8e77fcf3dde2cd4a9a7adb89853b16083
Opcode Fuzzy Hash: 689b15ca31c11a45b254aee966fc992e3ac9f9e3d34e6e6a637caba71febe818
Instruction Fuzzy Hash: A3916E71910219AFCF04EFA9DC919EEB7B4FF18310F14442AF956AB291DB30DA45DBA0

Function 00CD4A30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00CD5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D91148,?,00CD61FF,?,00000000,00000001,00000000), ref: 00CD5392

Part of subcall function 00CD49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00CD4A1D

_wcscat.LIBCMT ref: 00D42D80
_wcscat.LIBCMT ref: 00D42DB5

Strings

\Include\, xrefs: 00CD4B0A
\, xrefs: 00D42DA2

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: \$\Include\
API String ID: 3592542968-2640467822
Opcode ID: 4c9830d79d589277455d90be8bfc34ea48455d1645c8fff7633edde58a52b263
Instruction ID: 5d905daa9f5330e4c6b9210cd7d70c9f90490d248e5d2ea4f06c3bc8f8ba071c
Opcode Fuzzy Hash: 4c9830d79d589277455d90be8bfc34ea48455d1645c8fff7633edde58a52b263
Instruction Fuzzy Hash: 4A513F76805340ABC714EF55E9818BAB7F4BE59300B84452FF789E3361EB309618DBB6

Function 00CF34AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 00CF34FE

Part of subcall function 00CF7C0E: __getptd_noexit.LIBCMT ref: 00CF7C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00CF3539
__wopenfile.LIBCMT ref: 00CF3549

Strings

<G, xrefs: 00CF34CD, 00CF34F0, 00CF34FC

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 92e695733109c3176f35e3e24d55ba54b35dce9ad53ac57adf1040e5cc73fc78
Instruction ID: 4ca0ac98106d8b49d289263ff5f9cc347c5bc4baf6df335784fa11f8ce3873bc
Opcode Fuzzy Hash: 92e695733109c3176f35e3e24d55ba54b35dce9ad53ac57adf1040e5cc73fc78
Instruction Fuzzy Hash: EA11E771A0020EBFDBD2BF758C4267E3AA4AF45350B158525E615D7281EB34CB01B7B3

Function 00CED298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00CED28B,SwapMouseButtons,00000004,?), ref: 00CED2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00CED28B,SwapMouseButtons,00000004,?,?,?,?,00CEC865), ref: 00CED2DD
RegCloseKey.KERNELBASE(00000000,?,?,00CED28B,SwapMouseButtons,00000004,?,?,?,?,00CEC865), ref: 00CED2FF

Strings

Control Panel\Mouse, xrefs: 00CED2BA

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: dbf0a9d5a952399b4380073e81e440de0fd09cc45245aca96bc5a6f1cb92825e
Instruction ID: 6a07a31d55f38d1217e025cb0342b2809449cde32a883891d381db2da0ecd278
Opcode Fuzzy Hash: dbf0a9d5a952399b4380073e81e440de0fd09cc45245aca96bc5a6f1cb92825e
Instruction Fuzzy Hash: C3117C75611248BFDB208F69CC84EAF7BB8EF04741F004529E902D7220D6319E419B61

Function 011153F0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01115BAB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01115C41
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01115C63

Memory Dump Source

Source File: 00000000.00000002.1370481045.0000000001114000.00000040.00000020.00020000.00000000.sdmp, Offset: 01114000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1114000_RSLMZxqebl.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
Instruction ID: aee4cd32bf56edf127bf6bbabec83cf79d7aa7a39c04f245531760f91fc10652
Opcode Fuzzy Hash: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
Instruction Fuzzy Hash: 22621F30A14259DBEB28CFA4C850BDEB776EF58300F1091A9D10DEB394E7759E81CB5A

Function 00CF365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CF36B7
_memcpy_s.LIBCMT ref: 00CF3729
__filbuf.LIBCMT ref: 00CF37AA
_memset.LIBCMT ref: 00CF37EE

Part of subcall function 00CF7C0E: __getptd_noexit.LIBCMT ref: 00CF7C0E

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction ID: f5cdc0586341991db6b7de55a4b94c8298def3e50a70fb58a92df77c61da97c8
Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction Fuzzy Hash: AE51C6B0A0028DBBCB649F69898467E77B1BF40360F24872AFA35C62D0D7749F50DB52

Function 00D1C396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00CD4517: _fseek.LIBCMT ref: 00CD452F

Part of subcall function 00D1C56D: _wcscmp.LIBCMT ref: 00D1C65D
Part of subcall function 00D1C56D: _wcscmp.LIBCMT ref: 00D1C670

_free.LIBCMT ref: 00D1C4DD
_free.LIBCMT ref: 00D1C4E4
_free.LIBCMT ref: 00D1C54F

Part of subcall function 00CF1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00CF7A85), ref: 00CF1CB1
Part of subcall function 00CF1C9D: GetLastError.KERNEL32(00000000,?,00CF7A85), ref: 00CF1CC3

_free.LIBCMT ref: 00D1C557

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: e2b3e84b492d5f4e627742521216809d6dfbd8779d63be92392ded2167594cc4
Instruction ID: eda53435746267e38cec19c72a1cb6fb324ca8f5acf9747ab6abdd6df55d548c
Opcode Fuzzy Hash: e2b3e84b492d5f4e627742521216809d6dfbd8779d63be92392ded2167594cc4
Instruction Fuzzy Hash: 2E516EB1904219AFDF149F64DC81BEDBBB9EF48310F1040AEF659A3241DB715A80DF69

Function 00CEEB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CEEBB2

Part of subcall function 00CD51AF: _memset.LIBCMT ref: 00CD522F
Part of subcall function 00CD51AF: _wcscpy.LIBCMT ref: 00CD5283
Part of subcall function 00CD51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00CD5293

KillTimer.USER32(?,00000001,?,?), ref: 00CEEC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00CEEC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D43C88

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 2f07d920beeb9db522fd5502094a4e21c0d8d5f872a65d266eea1656c6c0b114
Instruction ID: e93626a70031b17f6da5372943db7af4d9e6062529dfb14eb5851bf8d28eb0df
Opcode Fuzzy Hash: 2f07d920beeb9db522fd5502094a4e21c0d8d5f872a65d266eea1656c6c0b114
Instruction Fuzzy Hash: 3C21F9759047949FE7329B28CC95BEBBFEC9B05308F14048DE69EA6281C3746B85CB61

Function 00CD40E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D43725
GetOpenFileNameW.COMDLG32 ref: 00D4376F

Part of subcall function 00CD660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CD53B1,?,?,00CD61FF,?,00000000,00000001,00000000), ref: 00CD662F

Part of subcall function 00CD40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CD40C6

Strings

X, xrefs: 00D4373E

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 7aa4a5bd7d6e090a9e1ba4c863481abbd06c100fe40bcde861146424166fc172
Instruction ID: 4b4917088497ca05054043fc1ffca14d7386cc4a2bbd251f9a4e2d08c827367b
Opcode Fuzzy Hash: 7aa4a5bd7d6e090a9e1ba4c863481abbd06c100fe40bcde861146424166fc172
Instruction Fuzzy Hash: DC21D571A00288ABCF05EFD8C8457EE7BF99F49704F00401AE648E7381DBB49A899F71

Function 00D1C71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00D1C72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00D1C746

Strings

aut, xrefs: 00D1C740

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: ec49ff4bf7b17679c85f78f35a7e02b148a93b360164ec4860dca13e4fadb2a4
Instruction ID: c1bc92aef92c0d0232da4aba80cc277fc5305a20aab4af8fe8c8dcd0ccbed5d2
Opcode Fuzzy Hash: ec49ff4bf7b17679c85f78f35a7e02b148a93b360164ec4860dca13e4fadb2a4
Instruction Fuzzy Hash: 6CD05E7150030EABDB20AB90DC0EF8A776CA704745F0001A0BA54E91B1DAB4E6998B79

Function 00D2F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791ed8b126f3203ef0a4436e43c5447159e11b7559a2dbcf6527b609956b83b2
Instruction ID: 0d707badc47e8b81e74d1ca6143c080a6fa1426ab7cb0223de96fe02ab79db95
Opcode Fuzzy Hash: 791ed8b126f3203ef0a4436e43c5447159e11b7559a2dbcf6527b609956b83b2
Instruction Fuzzy Hash: 3CF166716083119FC710DF28D880B5AB7E5FF98318F14892EF9959B392DB30E945CBA2

Function 00CD4FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CD5022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00CD50CB

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: f3ca384ddc3271ec97fb14dbf905dcef0e2296119f1a61ffbf1adebd74be1414
Instruction ID: 304071670b0c2d88662122ce0fd6104316864960e110276517a97e838e7532eb
Opcode Fuzzy Hash: f3ca384ddc3271ec97fb14dbf905dcef0e2296119f1a61ffbf1adebd74be1414
Instruction Fuzzy Hash: 4A312CB5504701DFD721DF24D88569BBBE4FB49305F00092FE69AC7351E7716A44CBA2

Function 00CF395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00CF3973

Part of subcall function 00CF81C2: __NMSG_WRITE.LIBCMT ref: 00CF81E9
Part of subcall function 00CF81C2: __NMSG_WRITE.LIBCMT ref: 00CF81F3

__NMSG_WRITE.LIBCMT ref: 00CF397A

Part of subcall function 00CF821F: GetModuleFileNameW.KERNEL32(00000000,00D90312,00000104,00000000,00000001,00000000), ref: 00CF82B1
Part of subcall function 00CF821F: ___crtMessageBoxW.LIBCMT ref: 00CF835F

Part of subcall function 00CF1145: ___crtCorExitProcess.LIBCMT ref: 00CF114B
Part of subcall function 00CF1145: ExitProcess.KERNEL32 ref: 00CF1154

Part of subcall function 00CF7C0E: __getptd_noexit.LIBCMT ref: 00CF7C0E

RtlAllocateHeap.NTDLL(00F50000,00000000,00000001,00000001,00000000,?,?,00CEF507,?,0000000E), ref: 00CF399F

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: dee4d698efc67d148b372e2fd72fbce32886160783ae199c9928b1b15a7d7421
Instruction ID: aae603a5e43ac1e65db2ee88acc4d72983710fd1ec19d9e5dc5ed8d5a764dcef
Opcode Fuzzy Hash: dee4d698efc67d148b372e2fd72fbce32886160783ae199c9928b1b15a7d7421
Instruction Fuzzy Hash: EC01D63134574DBAE6A13B25EC46B7E33489F81760F250126FB11D6281DAF09F009673

Function 00D1C6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00D1C385,?,?,?,?,?,00000004), ref: 00D1C6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00D1C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00D1C708
CloseHandle.KERNEL32(00000000,?,00D1C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00D1C70F

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: cced5815725cd889d41bbb450dd0e424d7aa7c73c6876a8d1d2ecfec6af57fc5
Instruction ID: b8fb7c5c41e64393396dae3a3f0cdde165c9d389b8eb9b61c9379b775874cb45
Opcode Fuzzy Hash: cced5815725cd889d41bbb450dd0e424d7aa7c73c6876a8d1d2ecfec6af57fc5
Instruction Fuzzy Hash: DDE08632180714BBE7311B54AC09FCA7F59EB05762F144110FF14A91F097B1255187B9

Function 00D1BB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D1BB72

Part of subcall function 00CF1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00CF7A85), ref: 00CF1CB1
Part of subcall function 00CF1C9D: GetLastError.KERNEL32(00000000,?,00CF7A85), ref: 00CF1CC3

_free.LIBCMT ref: 00D1BB83
_free.LIBCMT ref: 00D1BB95

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3b7543f732c1b25d447c4e580d332d4dcff599d68c72ee3383d3780db49341c3
Instruction ID: acc50b9ea68370dd92f8fb11712221bc8f545bbb4c6c02691470acd30ac10b75
Opcode Fuzzy Hash: 3b7543f732c1b25d447c4e580d332d4dcff599d68c72ee3383d3780db49341c3
Instruction Fuzzy Hash: EBE0C2A130470092CA206538BF44EF313CC4F0432074C080EB91AE3182CF20E88094B4

Function 00CD2322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00CD22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00CD24F1), ref: 00CD2303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00CD25A1
CoInitialize.OLE32(00000000), ref: 00CD2618
CloseHandle.KERNEL32(00000000), ref: 00D4503A

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 178e8d31af769b3be5edd504ba3162e88fc61b4316d09f582f5d692652bb6a35
Instruction ID: eaf43e97cc09bf44cf7ad505c4982eff0547986bb10bf983556fc31a189509e1
Opcode Fuzzy Hash: 178e8d31af769b3be5edd504ba3162e88fc61b4316d09f582f5d692652bb6a35
Instruction Fuzzy Hash: 12719ABC9013839B8705EF6AA992599BBF4BB99384B91426FD11AC77B1DB304404CF39

Function 00D1BBE8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00D1BC18

Strings

EA06, xrefs: 00D1BC46

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: bce0168c10c33f6cb091f6fd4852661372439ee50e2976b7f110b96e996e54ab
Instruction ID: adba4d73bd4bb8a8b6937c2ef55a877b6aa993cd88174a83c1c333cc2335c015
Opcode Fuzzy Hash: bce0168c10c33f6cb091f6fd4852661372439ee50e2976b7f110b96e996e54ab
Instruction Fuzzy Hash: 7801F5729042587EDB68D7A8C816FFEBBF89B05301F04419BF192D2181E9B8E7089B70

Function 00CD3A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00CD3A73

Part of subcall function 00CF1405: __lock.LIBCMT ref: 00CF140B

Part of subcall function 00CD3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00CD3AF3
Part of subcall function 00CD3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00CD3B08

Part of subcall function 00CD3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00CD3AA3,?), ref: 00CD3D45
Part of subcall function 00CD3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00CD3AA3,?), ref: 00CD3D57
Part of subcall function 00CD3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00D91148,00D91130,?,?,?,?,00CD3AA3,?), ref: 00CD3DC8
Part of subcall function 00CD3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00CD3AA3,?), ref: 00CD3E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00CD3AB3

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: e44399412dbf7f12db8ddf20125b355ae72f60fc36060e5eab5d6671e43af6d6
Instruction ID: d197b6c34a76a9743173ed55eeef1047f807945a6e81569864994767ad37821c
Opcode Fuzzy Hash: e44399412dbf7f12db8ddf20125b355ae72f60fc36060e5eab5d6671e43af6d6
Instruction Fuzzy Hash: 0E11CD759043819FC300EF6AE80591AFBE9EB94310F00891FF989C33B1DBB18554CBA2

Function 00CFE9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00CFEA29
__close_nolock.LIBCMT ref: 00CFEA42

Part of subcall function 00CF7BDA: __getptd_noexit.LIBCMT ref: 00CF7BDA

Part of subcall function 00CF7C0E: __getptd_noexit.LIBCMT ref: 00CF7C0E

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 228d7f4f8028aaf87c9aae6bc11e611084febfde410fc35d0dba0727a7cc95dd
Instruction ID: 3b2c7a1a076aceee180a1bfc390dcf0bfbb3d02ee753f1c8a27a81bbde06e524
Opcode Fuzzy Hash: 228d7f4f8028aaf87c9aae6bc11e611084febfde410fc35d0dba0727a7cc95dd
Instruction Fuzzy Hash: 94117072805A189FD792BF64984177C7E616F82331F2A4340E6245F2F2CBB48940BAA7

Function 00CEF4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00CF395C: __FF_MSGBANNER.LIBCMT ref: 00CF3973
Part of subcall function 00CF395C: __NMSG_WRITE.LIBCMT ref: 00CF397A
Part of subcall function 00CF395C: RtlAllocateHeap.NTDLL(00F50000,00000000,00000001,00000001,00000000,?,?,00CEF507,?,0000000E), ref: 00CF399F

std::exception::exception.LIBCMT ref: 00CEF51E
__CxxThrowException@8.LIBCMT ref: 00CEF533

Part of subcall function 00CF6805: RaiseException.KERNEL32(?,?,0000000E,00D86A30,?,?,?,00CEF538,0000000E,00D86A30,?,00000001), ref: 00CF6856

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: ed4bc100e635bca2a5920f40796e8271b0d96a8134c8ce787a88b0ec1f98d136
Instruction ID: 9b49e7c4de85f5da3d4dd8cd704e6e1e2a362dadc6b3ec28ba11a6776b6fe634
Opcode Fuzzy Hash: ed4bc100e635bca2a5920f40796e8271b0d96a8134c8ce787a88b0ec1f98d136
Instruction Fuzzy Hash: 90F0FF3200024EA7DB15BF99D8029EF7BA8AF10354F70402AFE08D2181DBB0D785A2B6

Function 00CF3839 Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CF3868
__lock_file.LIBCMT ref: 00CF3889

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 909e336f7836fd253e7137cc48d5ff8367b9c5c54db8ad13e5a791a54b62f78c
Instruction ID: 9d1262c1b6775cd50ae2f7bf70ef055da7e80e16e333387a0a9f2894d41114db
Opcode Fuzzy Hash: 909e336f7836fd253e7137cc48d5ff8367b9c5c54db8ad13e5a791a54b62f78c
Instruction Fuzzy Hash: 7801717180024DBBCFA2AFA58C054BE7B61AF80760F15421AFA24561A1D7358B61FB93

Function 00CF35E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CF7C0E: __getptd_noexit.LIBCMT ref: 00CF7C0E

__lock_file.LIBCMT ref: 00CF3629

Part of subcall function 00CF4E1C: __lock.LIBCMT ref: 00CF4E3F

__fclose_nolock.LIBCMT ref: 00CF3634

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: ff9f4fc5ed785d17dde84d54e6b65723ab903ff1e9d2a9a82294f65f3de5339e
Instruction ID: f22e86b5eef888772e7fcb043d0422a18020cf7ab4c6f430a67a381de6a080b8
Opcode Fuzzy Hash: ff9f4fc5ed785d17dde84d54e6b65723ab903ff1e9d2a9a82294f65f3de5339e
Instruction Fuzzy Hash: 13F0BB3180164CBAD7917B65880677E7AA07F40734F268108F620EB2C1C77C8701BB57

Function 011153ED Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01115BAB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01115C41
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01115C63

Memory Dump Source

Source File: 00000000.00000002.1370481045.0000000001114000.00000040.00000020.00020000.00000000.sdmp, Offset: 01114000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1114000_RSLMZxqebl.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: 2f05e57e6639839ce6063b8bb7e35c3b0eb708fb684623facffc329264c09783
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: B712CE24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F85CF5A

Function 00CF2957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00CF2A0B

Part of subcall function 00CF7C0E: __getptd_noexit.LIBCMT ref: 00CF7C0E

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: 960d0bc0b90fbc66d1f44b35ca1d5a261f20f312975b10b65dbe94be58e3481d
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: 8E41C83170070E9FDB6C8E69C8815BE7BB6EF44360B24852DE665C7244D6B0DF41AB42

Function 00CEED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00CEEDC7

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 4510a109458bf630028d67a4cb51852ca2c706bdcc0fff586b5571bd717477f5
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 8431D674A00146DBD718DF5AC880A69FBB6FF49380B6486A5E419CB356DB31EFC1CB90

Function 00D49A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00D49A80

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1d7a97f0cc36b8ee68420a03f0d19792a1c2cb27eed3a06b575c944834ed668f
Instruction ID: d6af5b27394c1a5567a3cab8a7601dd88edf51b9d123b49a7359fdbd462ff2fd
Opcode Fuzzy Hash: 1d7a97f0cc36b8ee68420a03f0d19792a1c2cb27eed3a06b575c944834ed668f
Instruction Fuzzy Hash: D4415F70504681CFDB24DF5AC484B1ABBE1BF45304F29899CE99A4B362C376F886DF52

Function 00CFED06 Relevance: 1.6, APIs: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: cdfe8b07ace6913a9665c9650029e5e52f6dccf2882d1d52da50062c5089beeb
Instruction ID: 935da52f42633c75c72cbb308f6b2775d0d6fc2d5a181606486f416c7f9b192b
Opcode Fuzzy Hash: cdfe8b07ace6913a9665c9650029e5e52f6dccf2882d1d52da50062c5089beeb
Instruction Fuzzy Hash: 6F213B7280565C9FD7927FA898457783A616F42336F260740E7748B1F2DBB48900ABA7

Function 00CD41A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD4214: FreeLibrary.KERNEL32(00000000,?), ref: 00CD4247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00CD39FE,?,00000001), ref: 00CD41DB

Part of subcall function 00CD4291: FreeLibrary.KERNEL32(00000000), ref: 00CD42C4

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: 0da59ddabef016d6c0416699169e863021179040a01a854e22df6774aa99fc1b
Instruction ID: 193e57234c89dc1b2b6d76ea7fdcab339ea3614f2a389752919e77b401fa21f2
Opcode Fuzzy Hash: 0da59ddabef016d6c0416699169e863021179040a01a854e22df6774aa99fc1b
Instruction Fuzzy Hash: 2B11A331640306BBDB18AB74DC16FAE77A99F40710F10842AF796A62C1DF70DA45AB60

Function 00D49B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00D49B51

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 6c14615cadde906fafa79c847b6cb58abead716f7eb7a4f92ab7a92a3f58ad5f
Instruction ID: a09b10f7d81777fc8fd6746c9d689fb88962a6e7f37da611363b13d0bb13c7ab
Opcode Fuzzy Hash: 6c14615cadde906fafa79c847b6cb58abead716f7eb7a4f92ab7a92a3f58ad5f
Instruction Fuzzy Hash: C42127705087418FDB24DF6AC444A1ABBE1BF84304F25896CE9A64B362C771F986DF92

Function 00CFAF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00CFAFC0

Part of subcall function 00CF7BDA: __getptd_noexit.LIBCMT ref: 00CF7BDA

Part of subcall function 00CF7C0E: __getptd_noexit.LIBCMT ref: 00CF7C0E

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: cc4e44b61dbc0b68ac5ce0c6017019fd43a6d91326bba7cf1a57869575b2c029
Instruction ID: 054beb3dd2a250d2d106ad0cf27bf1ad9d4ebc199eb292c912b3c5a806d6b9e4
Opcode Fuzzy Hash: cc4e44b61dbc0b68ac5ce0c6017019fd43a6d91326bba7cf1a57869575b2c029
Instruction Fuzzy Hash: 651194B280561C9FD7927FA4D8457797B609F41331F2A4340E6745F1E2CBB48D00ABA3

Function 00CD39DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e6c6f487e041fcac59e831272422d20e9d2018d4bf7707e35853961444fccb41
Instruction ID: d9dc7a44dec83a87bc497b62a18967cdf6323df19bc25c00b7e394d9c3c73809
Opcode Fuzzy Hash: e6c6f487e041fcac59e831272422d20e9d2018d4bf7707e35853961444fccb41
Instruction Fuzzy Hash: 6101363150010DAFCF05EFA5C8928FEBB74EF10344F548026B66697195EA309A49EF61

Function 00CF2AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00CF2AED

Part of subcall function 00CF7C0E: __getptd_noexit.LIBCMT ref: 00CF7C0E

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: dbbb9a0c363fe713257f318ef9590b3bfae1e438b634e6061ec14ad9921da8b3
Instruction ID: 90a963d3a4d18e4c90443e11ce2abbf371956a3219e5f895ecfa133a4ffa7864
Opcode Fuzzy Hash: dbbb9a0c363fe713257f318ef9590b3bfae1e438b634e6061ec14ad9921da8b3
Instruction Fuzzy Hash: 78F0C23150060DABDFA1AF658C063FF36A5BF00320F154415B6209B191C778CA12FB53

Function 00CD4252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,00CD39FE,?,00000001), ref: 00CD4286

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d2aea1757a53ff3b65e3fcc856369b537f3e3e2c66106847334a49bce013590e
Instruction ID: e655b4adbd0b20d6025d7d745c9322282640b5368f174338b6849a061cc4b9f1
Opcode Fuzzy Hash: d2aea1757a53ff3b65e3fcc856369b537f3e3e2c66106847334a49bce013590e
Instruction Fuzzy Hash: 95F01571509742DFCB389F65D890826BBE5AF043263248A2FF3E682711C7329A80DB50

Function 00CD40A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CD40C6

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 44220a35a18f52e5429f00cb4658b195c6a8c459d9048a32b48dbd598ff455a9
Instruction ID: 0ad5e1fe6a079279dceb4e235c8e970f87ac8c36261259a594d75f4f1b38c7fa
Opcode Fuzzy Hash: 44220a35a18f52e5429f00cb4658b195c6a8c459d9048a32b48dbd598ff455a9
Instruction Fuzzy Hash: 17E0CD365003255BC7119654CC46FFA779DDF88690F050075FA09D7344DE6499C196A1

Function 00D1BCF4 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00D1BD16

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction ID: fbef513067274b6a0371600c60c6161adbddbbb359ee27a9887b01b419130249
Opcode Fuzzy Hash: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction Fuzzy Hash: B7E092B0104B44ABD7388A24E800BE373E0EB05315F04095DF29B83241EB6278818659

Function 011163EC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01116401

Memory Dump Source

Source File: 00000000.00000002.1370481045.0000000001114000.00000040.00000020.00020000.00000000.sdmp, Offset: 01114000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1114000_RSLMZxqebl.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 89f44beac6b6fac8bda0588a3e6690b1fc5bbf7d2458b5b86a816307b79dc5e3
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 2BE0BF7498010DEFDB00EFA4D9496DE7BB4EF04301F1045A1FD05D7685DB719E54CA66

Function 011163F0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01116401

Memory Dump Source

Source File: 00000000.00000002.1370481045.0000000001114000.00000040.00000020.00020000.00000000.sdmp, Offset: 01114000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1114000_RSLMZxqebl.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: f45ca4668ce99792d5d38f318d5237b40af03496260a0d9d1847797e9be7890d
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 5DE0E67498010DDFDB00EFB4D94969E7FB4EF04301F104161FD01D2285D7719D50CA62

Non-executed Functions

Function 00D3F7FF Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CEB35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 00D3F87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D3F8DC
GetWindowLongW.USER32(?,000000F0), ref: 00D3F919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D3F940
SendMessageW.USER32 ref: 00D3F966
_wcsncpy.LIBCMT ref: 00D3F9D2
GetKeyState.USER32(00000011), ref: 00D3F9F3
GetKeyState.USER32(00000009), ref: 00D3FA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D3FA16
GetKeyState.USER32(00000010), ref: 00D3FA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D3FA4F
SendMessageW.USER32 ref: 00D3FA72
SendMessageW.USER32(?,00001030,?,00D3E059), ref: 00D3FB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 00D3FB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00D3FB96
SetCapture.USER32(?), ref: 00D3FB9F
ClientToScreen.USER32(?,?), ref: 00D3FC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00D3FC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00D3FC29
ReleaseCapture.USER32 ref: 00D3FC34
GetCursorPos.USER32(?), ref: 00D3FC69
ScreenToClient.USER32(?,?), ref: 00D3FC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D3FCD8
SendMessageW.USER32 ref: 00D3FD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D3FD41
SendMessageW.USER32 ref: 00D3FD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D3FD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00D3FD8F
GetCursorPos.USER32(?), ref: 00D3FDB0
ScreenToClient.USER32(?,?), ref: 00D3FDBD
GetParent.USER32(?), ref: 00D3FDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D3FE3F
SendMessageW.USER32 ref: 00D3FE6F
ClientToScreen.USER32(?,?), ref: 00D3FEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00D3FEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D3FF19
SendMessageW.USER32 ref: 00D3FF3C
ClientToScreen.USER32(?,?), ref: 00D3FF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00D3FFB6
GetWindowLongW.USER32(?,000000F0), ref: 00D4004B

Strings

@U=u, xrefs: 00D3F8DC, 00D3F940, 00D3F966, 00D3FA16, 00D3FB6F, 00D3FE3F, 00D3FE6F, 00D3FF19, 00D3FF3C
F, xrefs: 00D3FF42
@GUI_DRAGID, xrefs: 00D3FBCC

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$@U=u$F
API String ID: 2516578528-1007936534
Opcode ID: f96a8f1486c2d78aaa12737862f449ec0b76c226d7ecf715844ba7deb3e22923
Instruction ID: 693ff7fb1e0a313e0a91b70c7a3f1ef798b424946159e6ab46f85a4880cde74d
Opcode Fuzzy Hash: f96a8f1486c2d78aaa12737862f449ec0b76c226d7ecf715844ba7deb3e22923
Instruction Fuzzy Hash: FF329AB4A04349AFDB24CF64CC84F6ABBA9BF49354F080629FA95872A1D730DC45DB71

Function 00D3AACE Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00D3B1CD

Strings

@U=u, xrefs: 00D3AB64, 00D3ABB8, 00D3AC6B, 00D3ACB2, 00D3ACDA, 00D3AE3F, 00D3AEDA, 00D3AF24, 00D3AF6E, 00D3AF8E, 00D3B07A, 00D3B0B3, 00D3B104, 00D3B16F, 00D3B1CD
%d/%02d/%02d, xrefs: 00D3AEFC

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d$@U=u
API String ID: 3850602802-2764005415
Opcode ID: 6f1b23c83cb6164782f542fdbf4e3111e03a69c310a93c3a2b76bacab286f74d
Instruction ID: 382f8198df00838e591846ee977e51f664f35be55c316ae7f6e3758a8a883125
Opcode Fuzzy Hash: 6f1b23c83cb6164782f542fdbf4e3111e03a69c310a93c3a2b76bacab286f74d
Instruction Fuzzy Hash: BC12AE71A00308ABEB259F68CC49FAE7BB9FF45720F14411AFA55DA2D1DB708942CB31

Function 00CEEB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 00CEEB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D43AEA
IsIconic.USER32(000000FF), ref: 00D43AF3
ShowWindow.USER32(000000FF,00000009), ref: 00D43B00
SetForegroundWindow.USER32(000000FF), ref: 00D43B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D43B20
GetCurrentThreadId.KERNEL32 ref: 00D43B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00D43B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00D43B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00D43B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 00D43B54
SetForegroundWindow.USER32(000000FF), ref: 00D43B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D43B6C
keybd_event.USER32(00000012,00000000), ref: 00D43B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D43B81
keybd_event.USER32(00000012,00000000), ref: 00D43B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D43B8F
keybd_event.USER32(00000012,00000000), ref: 00D43B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D43B9E
keybd_event.USER32(00000012,00000000), ref: 00D43BA3
SetForegroundWindow.USER32(000000FF), ref: 00D43BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00D43BCD

Strings

Shell_TrayWnd, xrefs: 00D43AE5

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 8483b1b5ea75f477a667b53239a0f8a8d0c4f768d1f4bdde36cb80429dc0b707
Instruction ID: 1b2f3eedde8a950fd6c52176fd79f3a879d152eea6c073cd46480902d60a30bd
Opcode Fuzzy Hash: 8483b1b5ea75f477a667b53239a0f8a8d0c4f768d1f4bdde36cb80429dc0b707
Instruction Fuzzy Hash: 6D319271A40318BBEB306BA58C4AF7F7E6DEB44B51F104015FE05EA2D0DAB09D01AEB0

Function 00D0ACC5 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 00D0B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D0B180
Part of subcall function 00D0B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D0B1AD
Part of subcall function 00D0B134: GetLastError.KERNEL32 ref: 00D0B1BA

_memset.LIBCMT ref: 00D0AD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00D0AD5A
CloseHandle.KERNEL32(?), ref: 00D0AD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00D0AD82
GetProcessWindowStation.USER32 ref: 00D0AD9B
SetProcessWindowStation.USER32(00000000), ref: 00D0ADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00D0ADBF

Part of subcall function 00D0AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D0ACC0), ref: 00D0AB99
Part of subcall function 00D0AB84: CloseHandle.KERNEL32(?,?,00D0ACC0), ref: 00D0ABAB

Strings

default, xrefs: 00D0ADBA
, xrefs: 00D0AD17
winsta0, xrefs: 00D0AD7D

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 513e77584b6251d353150f525066d63595a9f626c3d28d84e93173c936fe7dd4
Instruction ID: 182d6bb6580c0e73fc6ee4d38d9f24e89875a8ff6c9276a37073a39ad4f02350
Opcode Fuzzy Hash: 513e77584b6251d353150f525066d63595a9f626c3d28d84e93173c936fe7dd4
Instruction Fuzzy Hash: 22816A71900309AFDF219FA8CC49AEE7BB9EF08304F184119F918A62A1D7718E55DB72

Function 00D160DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D16EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D15FA6,?), ref: 00D16ED8

Part of subcall function 00D16EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D15FA6,?), ref: 00D16EF1

Part of subcall function 00D1725E: __wsplitpath.LIBCMT ref: 00D1727B
Part of subcall function 00D1725E: __wsplitpath.LIBCMT ref: 00D1728E

Part of subcall function 00D172CB: GetFileAttributesW.KERNEL32(?,00D16019), ref: 00D172CC

_wcscat.LIBCMT ref: 00D16149
_wcscat.LIBCMT ref: 00D16167
__wsplitpath.LIBCMT ref: 00D1618E
FindFirstFileW.KERNEL32(?,?), ref: 00D161A4
_wcscpy.LIBCMT ref: 00D16209
_wcscat.LIBCMT ref: 00D1621C
_wcscat.LIBCMT ref: 00D1622F
lstrcmpiW.KERNEL32(?,?), ref: 00D1625D
DeleteFileW.KERNEL32(?), ref: 00D1626E
MoveFileW.KERNEL32(?,?), ref: 00D16289
MoveFileW.KERNEL32(?,?), ref: 00D16298
CopyFileW.KERNEL32(?,?,00000000), ref: 00D162AD
DeleteFileW.KERNEL32(?), ref: 00D162BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D162E1
FindClose.KERNEL32(00000000), ref: 00D162FD
FindClose.KERNEL32(00000000), ref: 00D1630B

Strings

\*.*, xrefs: 00D16138, 00D16147, 00D16165

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: 5eb133d789c4507c28eea1f92e8b798caeeec8dda7b839ac3534e51a35e6297a
Instruction ID: b4374be1e2f8a66b1425d92c81d44b9ff69a758f8584905365a69c3313dbcfe5
Opcode Fuzzy Hash: 5eb133d789c4507c28eea1f92e8b798caeeec8dda7b839ac3534e51a35e6297a
Instruction Fuzzy Hash: 8051007280921C6ACB21EBA1DC44DEB77BCAF05301F0901E6E585E3141DE76D7899FB9

Function 00D26B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00D6DC00), ref: 00D26B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 00D26B44
GetClipboardData.USER32(0000000D), ref: 00D26B4C
CloseClipboard.USER32 ref: 00D26B58
GlobalLock.KERNEL32(00000000), ref: 00D26B74
CloseClipboard.USER32 ref: 00D26B7E
GlobalUnlock.KERNEL32(00000000), ref: 00D26B93
IsClipboardFormatAvailable.USER32(00000001), ref: 00D26BA0
GetClipboardData.USER32(00000001), ref: 00D26BA8
GlobalLock.KERNEL32(00000000), ref: 00D26BB5
GlobalUnlock.KERNEL32(00000000), ref: 00D26BE9
CloseClipboard.USER32 ref: 00D26CF6

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 77c48fb58774f46ff601134ba18550b2aa0a895161fe09f99540b00092bd7012
Instruction ID: 89e10d56f92c55182ca43d8acaf167a84bd23b06a94918e9dd1e423ab7dfec57
Opcode Fuzzy Hash: 77c48fb58774f46ff601134ba18550b2aa0a895161fe09f99540b00092bd7012
Instruction Fuzzy Hash: 0F519131200305ABD310BF60ED86F6E77A9EF64B05F04002AFA96D62E1DF70D806DA72

Function 00D1F5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D1F62B
FindClose.KERNEL32(00000000), ref: 00D1F67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D1F6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D1F6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D1F6E2
__swprintf.LIBCMT ref: 00D1F72E
__swprintf.LIBCMT ref: 00D1F767
__swprintf.LIBCMT ref: 00D1F7BB

Part of subcall function 00CF172B: __woutput_l.LIBCMT ref: 00CF1784

__swprintf.LIBCMT ref: 00D1F809
__swprintf.LIBCMT ref: 00D1F858
__swprintf.LIBCMT ref: 00D1F8A7
__swprintf.LIBCMT ref: 00D1F8F6

Strings

%4d, xrefs: 00D1F761
%02d, xrefs: 00D1F7B0, 00D1F7B9, 00D1F807, 00D1F856, 00D1F8A5, 00D1F8F4
%4d%02d%02d%02d%02d%02d, xrefs: 00D1F728

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: aa912747e86ac3a796866cc3d895200e26f63e88b1ec9c34a0ea401790f71e77
Instruction ID: a4f0fc0f71addb7a0bcc9e0ddfd52e163876cc3067cd69abf4dbd5149eb9051d
Opcode Fuzzy Hash: aa912747e86ac3a796866cc3d895200e26f63e88b1ec9c34a0ea401790f71e77
Instruction Fuzzy Hash: F0A100B2408345ABC310EF95D885DAFB7ECEF98704F44091EF695C2252EB34D949DB62

Function 00D21B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00D21B50
_wcscmp.LIBCMT ref: 00D21B65
_wcscmp.LIBCMT ref: 00D21B7C
GetFileAttributesW.KERNEL32(?), ref: 00D21B8E
SetFileAttributesW.KERNEL32(?,?), ref: 00D21BA8
FindNextFileW.KERNEL32(00000000,?), ref: 00D21BC0
FindClose.KERNEL32(00000000), ref: 00D21BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 00D21BE7
_wcscmp.LIBCMT ref: 00D21C0E
_wcscmp.LIBCMT ref: 00D21C25
SetCurrentDirectoryW.KERNEL32(?), ref: 00D21C37
SetCurrentDirectoryW.KERNEL32(00D839FC), ref: 00D21C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D21C5F
FindClose.KERNEL32(00000000), ref: 00D21C6C
FindClose.KERNEL32(00000000), ref: 00D21C7C

Strings

*.*, xrefs: 00D21BE2

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: e2ecbe62bd390b239ea50b3e1fe765a5b0dff5de0d81cb1ce9cb2416c34bc27a
Instruction ID: 0610de8093220051b585521537f6669eff32fff67a3e7a89f2146ba9a040ea75
Opcode Fuzzy Hash: e2ecbe62bd390b239ea50b3e1fe765a5b0dff5de0d81cb1ce9cb2416c34bc27a
Instruction Fuzzy Hash: 1F31F639500329AFDF20AFB0EC48ADE77AD9F25315F044165ED05E2190EB70DA458B74

Function 00D2091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00D209DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D209EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D209FB
__wsplitpath.LIBCMT ref: 00D20A59
_wcscat.LIBCMT ref: 00D20A71
_wcscat.LIBCMT ref: 00D20A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D20A98
SetCurrentDirectoryW.KERNEL32(?), ref: 00D20AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 00D20ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 00D20AFF
_wcscpy.LIBCMT ref: 00D20B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00D20B4A

Strings

*.*, xrefs: 00D20B05

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 9b5406ee7f143766889fcda3b20ffff5dd4bbf595544532dd1d579ed06a7dd95
Instruction ID: 843d88702b42778078a4ea2ed345bffc8407ef1d28e77fde0a0cf5ed08c76340
Opcode Fuzzy Hash: 9b5406ee7f143766889fcda3b20ffff5dd4bbf595544532dd1d579ed06a7dd95
Instruction Fuzzy Hash: 126178725043159FD710EF60D8409AEB7E8FF99314F08491AFA8AC7252DB31E985CBA2

Function 00D0A66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00D0ABD7
Part of subcall function 00D0ABBB: GetLastError.KERNEL32(?,00D0A69F,?,?,?), ref: 00D0ABE1
Part of subcall function 00D0ABBB: GetProcessHeap.KERNEL32(00000008,?,?,00D0A69F,?,?,?), ref: 00D0ABF0
Part of subcall function 00D0ABBB: HeapAlloc.KERNEL32(00000000,?,00D0A69F,?,?,?), ref: 00D0ABF7
Part of subcall function 00D0ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00D0AC0E

Part of subcall function 00D0AC56: GetProcessHeap.KERNEL32(00000008,00D0A6B5,00000000,00000000,?,00D0A6B5,?), ref: 00D0AC62
Part of subcall function 00D0AC56: HeapAlloc.KERNEL32(00000000,?,00D0A6B5,?), ref: 00D0AC69
Part of subcall function 00D0AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00D0A6B5,?), ref: 00D0AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D0A6D0
_memset.LIBCMT ref: 00D0A6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D0A704
GetLengthSid.ADVAPI32(?), ref: 00D0A715
GetAce.ADVAPI32(?,00000000,?), ref: 00D0A752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D0A76E
GetLengthSid.ADVAPI32(?), ref: 00D0A78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00D0A79A
HeapAlloc.KERNEL32(00000000), ref: 00D0A7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D0A7C2
CopySid.ADVAPI32(00000000), ref: 00D0A7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D0A7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D0A820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D0A834

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 028c9871531b02895b9552b585a751065812a67560612aa0aa0f0f2852c1c62a
Instruction ID: 87134b54322180b9f4ffd61f41e47fd4cd62a12ecaa8180739c2ded6db3c2f88
Opcode Fuzzy Hash: 028c9871531b02895b9552b585a751065812a67560612aa0aa0f0f2852c1c62a
Instruction Fuzzy Hash: 62510B7190030AABDF109FA9DC45AEEBBB9FF08301F148129E915E7291DB359A05CB71

Function 00CD6F07 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

BSR_ANYCRLF), xrefs: 00D52EA0
CRLF), xrefs: 00D52E43
NO_START_OPT), xrefs: 00D52CD1
BSR_UNICODE), xrefs: 00D52EBA
NO_AUTO_POSSESS), xrefs: 00D52CB0
UTF16), xrefs: 00D52C56
ANYCRLF), xrefs: 00D52E7D
CR), xrefs: 00D52E09
LIMIT_MATCH=, xrefs: 00D52CF2
UCP), xrefs: 00D52C8F
ANY), xrefs: 00D52E60
LF), xrefs: 00D52E26
LIMIT_RECURSION=, xrefs: 00D52D7E
UTF), xrefs: 00D52C7C

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 904f84996116175c4679a64d19e1360a463bc838421702af281955937e861192
Instruction ID: fb997e1d4786c25bc2d104b11664c7d22cb08d18cf5a2116f3c715722faaf6fe
Opcode Fuzzy Hash: 904f84996116175c4679a64d19e1360a463bc838421702af281955937e861192
Instruction Fuzzy Hash: 0D727C71E042199BDF24CF59C8817BEB7B5BF09310F14816AED55EB380EB709A85DBA0

Function 00D163F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D16EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D15FA6,?), ref: 00D16ED8

Part of subcall function 00D172CB: GetFileAttributesW.KERNEL32(?,00D16019), ref: 00D172CC

_wcscat.LIBCMT ref: 00D16441
__wsplitpath.LIBCMT ref: 00D1645F
FindFirstFileW.KERNEL32(?,?), ref: 00D16474
_wcscpy.LIBCMT ref: 00D164A3
_wcscat.LIBCMT ref: 00D164B8
_wcscat.LIBCMT ref: 00D164CA
DeleteFileW.KERNEL32(?), ref: 00D164DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D164EB
FindClose.KERNEL32(00000000), ref: 00D16506

Strings

\*.*, xrefs: 00D1643B

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 9af1d6194f5c775135eb6650689ef3d94d763ca938e96026456d836b0ca14351
Instruction ID: c2c5a4b920b1c096567880cf0f68995fe84fd858164fbac51fbac934d5eabb95
Opcode Fuzzy Hash: 9af1d6194f5c775135eb6650689ef3d94d763ca938e96026456d836b0ca14351
Instruction Fuzzy Hash: E03182B240C388AAC721DBE49885DEB77DCAF55310F44091AF6D8C3142EA35D54997B7

Function 00D331BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D33C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D32BB5,?,?), ref: 00D33C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D3328E

Part of subcall function 00CD936C: __swprintf.LIBCMT ref: 00CD93AB
Part of subcall function 00CD936C: __itow.LIBCMT ref: 00CD93DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D3332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00D333C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00D33604
RegCloseKey.ADVAPI32(00000000), ref: 00D33611

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 204f52a6b3c68d63531fc6482028ae97d68b6c833461e2e75198d3841de25683
Instruction ID: 09f86678327f2b9a80d0e5b1d6e4f038cc776fb0122f54120ba6b5703c47d543
Opcode Fuzzy Hash: 204f52a6b3c68d63531fc6482028ae97d68b6c833461e2e75198d3841de25683
Instruction Fuzzy Hash: 83E14B35604200AFCB14DF29C995E6ABBE9EF88710F04856DF54ADB3A1DB30ED05CB62

Function 00D12B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D12B5F
GetAsyncKeyState.USER32(000000A0), ref: 00D12BE0
GetKeyState.USER32(000000A0), ref: 00D12BFB
GetAsyncKeyState.USER32(000000A1), ref: 00D12C15
GetKeyState.USER32(000000A1), ref: 00D12C2A
GetAsyncKeyState.USER32(00000011), ref: 00D12C42
GetKeyState.USER32(00000011), ref: 00D12C54
GetAsyncKeyState.USER32(00000012), ref: 00D12C6C
GetKeyState.USER32(00000012), ref: 00D12C7E
GetAsyncKeyState.USER32(0000005B), ref: 00D12C96
GetKeyState.USER32(0000005B), ref: 00D12CA8

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d4b437ad98de5e1ee5e13c05405a63edf24fbbfda2e70f2e9692c1bea9776e09
Instruction ID: 4e0467081434d86722adf7ae0707be90b74f799479f75fc790c27887c8fdf9c2
Opcode Fuzzy Hash: d4b437ad98de5e1ee5e13c05405a63edf24fbbfda2e70f2e9692c1bea9776e09
Instruction Fuzzy Hash: DA41E7345087C97DFF349B64A9043FABEA26B11344F0C4049DAC6562C1EFA699E4C7F2

Function 00D26D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00D26D2E
EmptyClipboard.USER32 ref: 00D26D34
GlobalAlloc.KERNEL32(00000002,?), ref: 00D26D49
CloseClipboard.USER32 ref: 00D26DE8

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 36483c7e9b431ceedb96b24d8557ebf227e7d626aed632bbbf4d68cc727f9a7a
Instruction ID: e38f6b544a5d8ef260bf3bfeb18b6ebcc0b0c3d3fe04fb2be062ed0fc62c079b
Opcode Fuzzy Hash: 36483c7e9b431ceedb96b24d8557ebf227e7d626aed632bbbf4d68cc727f9a7a
Instruction Fuzzy Hash: 52218D35300318AFDB11AF64EC49B6D77A9EF14711F14801AF90ADB361CB74E8028B75

Function 00D2C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00D09ABF: CLSIDFromProgID.OLE32 ref: 00D09ADC
Part of subcall function 00D09ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00D09AF7
Part of subcall function 00D09ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00D09B05
Part of subcall function 00D09ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00D09B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00D2C235
_memset.LIBCMT ref: 00D2C242
_memset.LIBCMT ref: 00D2C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 00D2C38C
CoTaskMemFree.OLE32(?), ref: 00D2C397

Strings

NULL Pointer assignment, xrefs: 00D2C3E5

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 9a5b9e462433fa7962d22295c5fc84bc6dcd77a25dc2d710a8bb6ac4e74e11d1
Instruction ID: 7a3aef193940d3dbb1730f8503f9c29e2ae75184603e8bdaa74d532be6c8031b
Opcode Fuzzy Hash: 9a5b9e462433fa7962d22295c5fc84bc6dcd77a25dc2d710a8bb6ac4e74e11d1
Instruction Fuzzy Hash: 8E913F71D00229AFDB10DF94EC91EEEBBB9EF18710F10415AF519A7281DB70AA45CFA0

Function 00D179D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D0B180
Part of subcall function 00D0B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D0B1AD
Part of subcall function 00D0B134: GetLastError.KERNEL32 ref: 00D0B1BA

ExitWindowsEx.USER32(?,00000000), ref: 00D17A0F

Strings

, xrefs: 00D179FD
@, xrefs: 00D17A02
SeShutdownPrivilege, xrefs: 00D179DD

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 3da11cffb46a1eb6aa78aea7bf7ab466bf5cd68c9050e990f5ebcd8968182db6
Instruction ID: 5fb98cd66482e6d029e0ddc9f2f432e2e9d10c6c715452290bf306f4bd8f6551
Opcode Fuzzy Hash: 3da11cffb46a1eb6aa78aea7bf7ab466bf5cd68c9050e990f5ebcd8968182db6
Instruction Fuzzy Hash: 0501A7717993117AF7286668BC5ABFF7678DF00751F280424BD5BE21E2EE609F8081B4

Function 00D28C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00D28CA8
WSAGetLastError.WSOCK32(00000000), ref: 00D28CB7
bind.WSOCK32(00000000,?,00000010), ref: 00D28CD3
listen.WSOCK32(00000000,00000005), ref: 00D28CE2
WSAGetLastError.WSOCK32(00000000), ref: 00D28CFC
closesocket.WSOCK32(00000000,00000000), ref: 00D28D10

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: bdac621c0263f6908654ee7c8115106f0bca9f44eb608ac139fe348f30e73dc1
Instruction ID: 446453e368e9ba0600cfe235155c132aa049c4a42e9ed5155dc37d3930a69788
Opcode Fuzzy Hash: bdac621c0263f6908654ee7c8115106f0bca9f44eb608ac139fe348f30e73dc1
Instruction Fuzzy Hash: C921D031601210AFCB20AF28D845B6EB7A9EF58325F148159F957E73E2CB70AD41AB71

Function 00D16532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00D16554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00D16564
Process32NextW.KERNEL32(00000000,0000022C), ref: 00D16583
__wsplitpath.LIBCMT ref: 00D165A7
_wcscat.LIBCMT ref: 00D165BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00D165F9

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 7695eaeaf48662296512ff25a7a147b9a681a040ad8a48fdac7c4f524fe4950b
Instruction ID: 14d2aabd2a79a75a237530a5fce09b78a2bcbe9e28936f37bd25c03d43cf524f
Opcode Fuzzy Hash: 7695eaeaf48662296512ff25a7a147b9a681a040ad8a48fdac7c4f524fe4950b
Instruction Fuzzy Hash: A6214171900318ABEB20ABA4DC89FE9BBBDAB48300F5404E5E545D7141DB71DBC5CB71

Function 00D2923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D2A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00D2A84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00D29296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 00D292B9

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 67b23b61b2c357a3608d757aa408966283c466b88d20f395e3f92cc0adb352f7
Instruction ID: e8201f1ecb1d6a1f1670a4defe828369f52c3a128257e9ae2fba5db156489187
Opcode Fuzzy Hash: 67b23b61b2c357a3608d757aa408966283c466b88d20f395e3f92cc0adb352f7
Instruction Fuzzy Hash: 8841C271A00610AFDB10BB68CC92E7EB7EDEF48724F144449F956AB3D2CB749D019BA1

Function 00D1EB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D1EB8A
_wcscmp.LIBCMT ref: 00D1EBBA
_wcscmp.LIBCMT ref: 00D1EBCF
FindNextFileW.KERNEL32(00000000,?), ref: 00D1EBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00D1EC0E

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: c2f40eac043d6309acf9cdbdd392ecadc7bdd9fe2de74ff53a36cca4bfb61cc3
Instruction ID: 98a2514d4d04faa7ade3149b9f8fa1a2b70ca703ba778834ea7942116cba28c6
Opcode Fuzzy Hash: c2f40eac043d6309acf9cdbdd392ecadc7bdd9fe2de74ff53a36cca4bfb61cc3
Instruction Fuzzy Hash: 7F41CA356047029FC718DF28D891AAAB3E5FF49320F14455DE95ACB3A1DF31A980CBA1

Function 00D38111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00D38160
IsWindowEnabled.USER32 ref: 00D3816E
GetForegroundWindow.USER32(?,?,00000001), ref: 00D3817B
IsIconic.USER32 ref: 00D38189
IsZoomed.USER32 ref: 00D38197

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 0bbacd70fd5a070910d625002de2d666c1072af90a4bbf8adfd67d174f8bb0fc
Instruction ID: edba38f777b4fba27653566e1fa5e5b217989f9632d5c27833b60ce84345d1e2
Opcode Fuzzy Hash: 0bbacd70fd5a070910d625002de2d666c1072af90a4bbf8adfd67d174f8bb0fc
Instruction Fuzzy Hash: AA116A327007156BE7216F26DC44B6FBB9DEF94761F080429F84AD7281CF70E902A6B5

Function 00CD9B60 Relevance: 7.3, Strings: 5, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00CD9E95
ERCP, xrefs: 00CD9C32
VUUU, xrefs: 00D5BE14
VUUU, xrefs: 00CD9EA7
VUUU, xrefs: 00CD9ED4

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: a0b75861f7c042226f22115ccd0bdac9cad9f81924590e156552a9da6dd5ab86
Instruction ID: 2303a5d9dff0b51b9c6a4137702c332460b4384d7a188f10fa7b188ba0eb2631
Opcode Fuzzy Hash: a0b75861f7c042226f22115ccd0bdac9cad9f81924590e156552a9da6dd5ab86
Instruction Fuzzy Hash: 47929D75A0021ACBDF24CF59C8807ADB7B1FB54315F18819BED5AAB380D7709E85CBA1

Function 00CEE01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00CEE014,76F90AE0,00CEDEF1,00D6DC38,?,?), ref: 00CEE02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00CEE03E

Strings

kernel32.dll, xrefs: 00CEE027
GetNativeSystemInfo, xrefs: 00CEE038

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 0104ce518e0b3bd005716e10c1bd381d4ff52b06d053868df7290a8f2570dfb4
Instruction ID: e3c4b0a5cb2312c29df692d58c805e2574746765865344935e780d0a087fc5aa
Opcode Fuzzy Hash: 0104ce518e0b3bd005716e10c1bd381d4ff52b06d053868df7290a8f2570dfb4
Instruction Fuzzy Hash: 61D0C770500B529FD7335F75EC08A6276E9AB04751F184419F895D2650D7B4D9848774

Function 00D113CA Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00D113DC

Strings

(, xrefs: 00D11422
|, xrefs: 00D1140C

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 7b2d9a830f37dcedfc71623284e580e62ffe1702633c76011d8a028ab91e4500
Instruction ID: dcce4fc4976d5cffade93b7b53244cb108a125472ae1f4cc342387cd4bdcc548
Opcode Fuzzy Hash: 7b2d9a830f37dcedfc71623284e580e62ffe1702633c76011d8a028ab91e4500
Instruction Fuzzy Hash: 08323879A00705AFC728CF59D480AAAB7F0FF48710B15C46EE59ADB3A1DB70E981CB54

Function 00CEB11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 00CEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CEB35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 00CEB22F

Part of subcall function 00CEB55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00CEB5A5

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 98969da8b1194f5a1c773790a72fb0177e454ecaff0e5c8d2e558961eff9f421
Instruction ID: cdb328d7cd9d6c880b0174393f33697ba11c9c117fd2af6fe9b4c2add12d62f9
Opcode Fuzzy Hash: 98969da8b1194f5a1c773790a72fb0177e454ecaff0e5c8d2e558961eff9f421
Instruction Fuzzy Hash: 90A148B05141CABBDB286F2B5C89E7F6A6CFF46350F18411AF646D2292DB25DD00E272

Function 00D24EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00D243BF,00000000), ref: 00D24FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00D24FD2

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 492486df38cc23aae7b9020a54abadcf9102977f56de8fbc47fe29443e9afde9
Instruction ID: f0945fa37d63a8f98ced6272844eee71bedcb241a00c4f972d670039663fd20e
Opcode Fuzzy Hash: 492486df38cc23aae7b9020a54abadcf9102977f56de8fbc47fe29443e9afde9
Instruction Fuzzy Hash: CE41D871504719BFEB209E84EE81EBF77BCEF9072CF14402AFA05A6180DA719E419670

Function 00D1E1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D1E20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00D1E267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00D1E2B4

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 6b48b08f1a9ea8d93b146f70f654186268f1d131af41c3727e36fd687d04c6c1
Instruction ID: 54a52364327b727050ab9325135076d7da2d93ceff3abc8c10fe17a86e1913c1
Opcode Fuzzy Hash: 6b48b08f1a9ea8d93b146f70f654186268f1d131af41c3727e36fd687d04c6c1
Instruction Fuzzy Hash: C4214835A00618EFCB00EFA5D884AEDBBB8FF48310F1484AAE905EB351DB31D945CB64

Function 00D0B134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00CEF4EA: std::exception::exception.LIBCMT ref: 00CEF51E
Part of subcall function 00CEF4EA: __CxxThrowException@8.LIBCMT ref: 00CEF533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D0B180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D0B1AD
GetLastError.KERNEL32 ref: 00D0B1BA

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 427efc0f26924e97292d09b58a83550e346d4530c17a35a10262b0ffd5eac9d6
Instruction ID: d3ec5448111cecf00a039353dd4c40584aec6abadf2e5856b1241990529454c8
Opcode Fuzzy Hash: 427efc0f26924e97292d09b58a83550e346d4530c17a35a10262b0ffd5eac9d6
Instruction Fuzzy Hash: FB118FB1504305AFE7289F58DC85D6BB7FDEB44721B20852EE45A97280DB70FC418A70

Function 00D16685 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D166AF
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00D166EC
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D166F5

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: b7c71097805250baea8e28f5b7cb31bad0a9cbeee7eeebee9924be93d2581864
Instruction ID: 719d94f9cf4b53637608571395b223e809184ab14892ef24eb68bd759ac1573e
Opcode Fuzzy Hash: b7c71097805250baea8e28f5b7cb31bad0a9cbeee7eeebee9924be93d2581864
Instruction Fuzzy Hash: B0118EB2900328BEE7118BA8DC45FEFBBACEB09754F104556F901E7290C2B49A4487B5

Function 00D171FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00D17223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00D1723A
FreeSid.ADVAPI32(?), ref: 00D1724A

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: e0776234ffc9e92712e35fe697d84f4abf1eb8e8ba4c452b3203c6c71a2fe074
Instruction ID: 9a2ea6f74bfe3d5917185f4795a5f8c787f7ed3e1d160e140bddffe53bb468cf
Opcode Fuzzy Hash: e0776234ffc9e92712e35fe697d84f4abf1eb8e8ba4c452b3203c6c71a2fe074
Instruction Fuzzy Hash: 23F01275904309BFDF04DFE8DD8AAEDBBB9EF08205F104469A512E21D1E6705644CB24

Function 00D1F56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D1F599
FindClose.KERNEL32(00000000), ref: 00D1F5C9

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f7cab53bd73e478f744a3fb2129c579dd5ee48cc5853dc2fe1eff6828c625624
Instruction ID: 0faa6a7a1a621122118e8f14ba02a69da3f8a54b3426ab0e4fe7b37d114b78c5
Opcode Fuzzy Hash: f7cab53bd73e478f744a3fb2129c579dd5ee48cc5853dc2fe1eff6828c625624
Instruction Fuzzy Hash: CF11AD326006009FD710EF29D845A6EB3E9FF84325F00891EF8A9D7391CF70A9018BA1

Function 00D1CE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00D2BE6A,?,?,00000000,?), ref: 00D1CEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00D2BE6A,?,?,00000000,?), ref: 00D1CEB9

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f7acd1ad27422af75bbc84acdd22847641f6bae4c48575675269bddb9f013568
Instruction ID: cb3ffe8725688708a7d88cca20c63660227f7faf734d4ee8ce2981beee9dca5c
Opcode Fuzzy Hash: f7acd1ad27422af75bbc84acdd22847641f6bae4c48575675269bddb9f013568
Instruction Fuzzy Hash: 07F08271114329BBDB209FA4DC49FEA776DFF09391F004166F915D6281DA309A80CBB1

Function 00D1411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00D14153
keybd_event.USER32(?,753DC0D0,?,00000000), ref: 00D14166

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: e1cb87b9679e8d947778d16deac1852426a97432edb391d8839f3c6af2718759
Instruction ID: 8c71c528050bb46cd46eaeab4b968f14de48be2c4b9b3ce95d0caf097ed78cde
Opcode Fuzzy Hash: e1cb87b9679e8d947778d16deac1852426a97432edb391d8839f3c6af2718759
Instruction Fuzzy Hash: 0AF06D7080038DAFDB059FA0C805BFE7BB0EF01305F048009F9659A291D779C6529FA0

Function 00D0AB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D0ACC0), ref: 00D0AB99
CloseHandle.KERNEL32(?,?,00D0ACC0), ref: 00D0ABAB

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: ac47fad1c7bbcc4d2a82414eff1e53903821a0d9e99b6c1a53cb637be63faf57
Instruction ID: 51a3c3e65128933762c45b42cbe2bc12d7e64461716ddb65d2d537dc9b7166a4
Opcode Fuzzy Hash: ac47fad1c7bbcc4d2a82414eff1e53903821a0d9e99b6c1a53cb637be63faf57
Instruction Fuzzy Hash: 07E0E671000710AFE7362F55EC05D7777EAEF04321720846DF859C1470D7625C91DB60

Function 00CF81AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00CF6DB3,-0000031A,?,?,00000001), ref: 00CF81B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00CF81BA

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 162baa566934f1b282ba06fbf8cac84cfaaee74d07691818f6f8d384890eb4d3
Instruction ID: 2af782390ff7dce052ad09cd2f4f48de98e58d964f769e48b97d5cf5404d28d1
Opcode Fuzzy Hash: 162baa566934f1b282ba06fbf8cac84cfaaee74d07691818f6f8d384890eb4d3
Instruction Fuzzy Hash: 16B09231044708ABEB102BE1EC09B587F6AEB08653F104050FA0DC42718B7255508AB2

Function 00CD77B0 Relevance: 2.6, APIs: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CD7921

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: de648ea2867cb67ba4a5e00b490201b4e441545560d40fa77e3da24d4aea98d1
Instruction ID: 5bbf05cae3bbd5340debd93b09742d84f9e359e5ea8602bc165edec29a211623
Opcode Fuzzy Hash: de648ea2867cb67ba4a5e00b490201b4e441545560d40fa77e3da24d4aea98d1
Instruction Fuzzy Hash: 0AA24B75904219CFCF24CF59C8807ADBBB1FF48314F2582AAE959AB390E7349E85DB50

Function 00CFD1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e9508ad9d5f6a2cb3e8a41c094f390a86a3658ff729809af643f24fa0fac45
Instruction ID: 83a728839eb9c37e29506428d88899e3b6584816d247a612b23f348e6927603e
Opcode Fuzzy Hash: c2e9508ad9d5f6a2cb3e8a41c094f390a86a3658ff729809af643f24fa0fac45
Instruction Fuzzy Hash: 28324522D29F054DD7639634CC22336A389AFB73C4F15D727E82AF5AAADF68C5834111

Function 00CD96C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 5ea944ad12dcc1a3c9c315341f291d80bd6806a18b21bfe2220b9888a3880af7
Instruction ID: 7f7b284cddfcd31110e3b95d27da0f1b523014063215d4b9254678e9b8cfd93d
Opcode Fuzzy Hash: 5ea944ad12dcc1a3c9c315341f291d80bd6806a18b21bfe2220b9888a3880af7
Instruction Fuzzy Hash: 2722A7766083009FD724DF24C890B6BB7E4EF84310F14491EFA9A8B3A1DB71E945DB92

Function 00D0038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b69c37a0208b07b8766ead2d4dda4996992e3b6bda9ef8349732ae2bdc6ac9
Instruction ID: edd38d2c952c5ae3179f234d25fd0ed7751be6688eaa64ba289d616041de9c14
Opcode Fuzzy Hash: 83b69c37a0208b07b8766ead2d4dda4996992e3b6bda9ef8349732ae2bdc6ac9
Instruction Fuzzy Hash: 7DB11320D2AF414DC32396399831336BA5CAFBB2D5F91D71BFC1AB0E66EB6181C34190

Function 00D1B6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00D1B6DF

Part of subcall function 00CF344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00D1BDC3,00000000,?,?,?,?,00D1BF70,00000000,?), ref: 00CF3453
Part of subcall function 00CF344A: __aulldiv.LIBCMT ref: 00CF3473

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: b411e770f4b4ea626d618a3a7a3336d07127124f5fc7702f88fa2103c4e1d993
Instruction ID: a91e2768759e8adf33e1b2a24a4ef6aa1fe51b47137c3be6567ee976702fdd83
Opcode Fuzzy Hash: b411e770f4b4ea626d618a3a7a3336d07127124f5fc7702f88fa2103c4e1d993
Instruction Fuzzy Hash: 572172726346109BC729CF68D881A92B7E1EB95320B248E6DE4E5CF2C0CB74B945DB64

Function 00D26AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00D26ACA

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 39ee51ea5ae350e3012aa1b50064cdde696af0cd5a27f78ac071297070d6b358
Instruction ID: 209164bcdb623272241f807d027250d941f8fcba566d435bdd3f26d8a52b6142
Opcode Fuzzy Hash: 39ee51ea5ae350e3012aa1b50064cdde696af0cd5a27f78ac071297070d6b358
Instruction Fuzzy Hash: 5DE012362003146FD700EB59D404956B7EDAF74755B048416E946D7351DAB0E8449BB0

Function 00D174E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00D1750A

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: f7a30f8307793a1e4b09af189971a134510a5fc7cee9aa1048e10839708bba37
Instruction ID: d3ef21e639ddecf1b552255613238a569c3ddb92afeebefe167ec706ca4f8f26
Opcode Fuzzy Hash: f7a30f8307793a1e4b09af189971a134510a5fc7cee9aa1048e10839708bba37
Instruction Fuzzy Hash: DCD06CA416C60579F82907A8AC1BFF61A2AE301781FE84589B642D91E4ACB4AD81A035

Function 00D0B106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00D0AD3E), ref: 00D0B124

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: bc3792c98fbadfed0f43a706dde647a9ace13943ea6a5cba6ef47cc2649b3fa8
Instruction ID: 735a4e54b67ecee50125a18ad81f2607718fcf5e1a7e06f8940246468419c232
Opcode Fuzzy Hash: bc3792c98fbadfed0f43a706dde647a9ace13943ea6a5cba6ef47cc2649b3fa8
Instruction Fuzzy Hash: 9ED05E320A460EAEDF024FA4DC02EAF3F6AEB04701F408110FA21C50A0C671D531EB60

Function 00D4B340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00D4B352

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 17e38cd6668966d6852842dc146506b61830af281f653728bb3349d67164a835
Instruction ID: bfb1cb9505478f23ecfcf04ec94bd43905270c2be0a2a39665b92c7dbb09295e
Opcode Fuzzy Hash: 17e38cd6668966d6852842dc146506b61830af281f653728bb3349d67164a835
Instruction Fuzzy Hash: 84C04CB1400209DFC751CBC4CD889EEB7BCAB04301F1040919145F1150D7709B459F72

Function 00CF8189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00CF818F

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 96f54269e69cc8a46f32d3d50d6fb1b51b0b3766c66e79e92a0bab0de9846263
Instruction ID: 9b5628fab36100b1f4bcfc383577e60ad7b50915dde4a58a615a234b13ef5a8b
Opcode Fuzzy Hash: 96f54269e69cc8a46f32d3d50d6fb1b51b0b3766c66e79e92a0bab0de9846263
Instruction Fuzzy Hash: 6DA0113000030CAB8F002B82EC088883F2EEA002A2B2000A0F80C802208B22A8A08AA2

Function 00CD93F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b1f30689b5c48940a1d0087580bd0fe1785421aa785278322b171ebf1c4f2a
Instruction ID: 93f49f79c091e9c3a1b743675fcd572f2c73606c00ef01d92319f663b6b3d5be
Opcode Fuzzy Hash: 33b1f30689b5c48940a1d0087580bd0fe1785421aa785278322b171ebf1c4f2a
Instruction Fuzzy Hash: E6128C70A00209EFDF04DFA9D981AAEB7F5FF48300F60456AE906E7255EB35A911DB60

Function 00CDAF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 7127a005e0b669e6149f33ce0abade6945aab6931f13e96fdbe1841793646720
Instruction ID: e17bd4e49fb25f3ebad40e0c4e2f3d9688fe992a91b3afea8d382a41fbc15b40
Opcode Fuzzy Hash: 7127a005e0b669e6149f33ce0abade6945aab6931f13e96fdbe1841793646720
Instruction Fuzzy Hash: A3027D70A00205DBCB04DF69D981ABEBBF5EF44300F55806AE906DB395EB31DA15DBA1

Function 00CF02A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 0350503a240ea22cc65e0754f18eeaa0edd8cfe90a7bbfde7e13235bfc623479
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: D5C1B7322051D70ADF6D463AC43443EFBA15A91BB132B176DE8B3CB4D6EF20DA25D621

Function 00CF06D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 0f3d90b02bfa4c5a0ca4464f0ad4b5be10c7f228c654abd23728dce5456b6be8
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 6CC1A5322051D70ADF6D463AC43443EBBA15AA2BB132B176DD4B3CB4D6EF20DB25D621

Function 00CEFA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 1daf0294a0ddc00fbca3f438535d11fe02f71968ab49924760d9f2f7ca84b48e
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: C4C180322091D30ADF2D463BC47443EBAA15AA2BB131A077DD4B3CB5D5EF20DB66D620

Function 00D2A2A9 Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D2A2FE
DeleteObject.GDI32(00000000), ref: 00D2A310
DestroyWindow.USER32 ref: 00D2A31E
GetDesktopWindow.USER32 ref: 00D2A338
GetWindowRect.USER32(00000000), ref: 00D2A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00D2A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00D2A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D2A4D8
GetClientRect.USER32(00000000,?), ref: 00D2A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00D2A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D2A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D2A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D2A55E
GlobalLock.KERNEL32(00000000), ref: 00D2A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D2A576
GlobalUnlock.KERNEL32(00000000), ref: 00D2A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D2A586
GlobalFree.KERNEL32(00000000), ref: 00D2A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D2A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00D5D9BC,00000000), ref: 00D2A5B9
GlobalFree.KERNEL32(00000000), ref: 00D2A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00D2A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00D2A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D2A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D2A81D

Strings

static, xrefs: 00D2A518, 00D2A66F
@U=u, xrefs: 00D2A60E, 00D2A79D
AutoIt v3, xrefs: 00D2A4D0
DISPLAY, xrefs: 00D2A680
, xrefs: 00D2A7A3

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: 93b0c2b402280092b5dc66b6ab78a4478ec323a4e344df18c62ab8a352c1fea6
Instruction ID: b51bf5711c0271a78217ec380c22734a5ec5b7562e79d3cfbaae235d8811a49b
Opcode Fuzzy Hash: 93b0c2b402280092b5dc66b6ab78a4478ec323a4e344df18c62ab8a352c1fea6
Instruction Fuzzy Hash: 1A026A75900219AFDB14DFA8DD89EAEBBB9EB48315F048159F905EB2A0C730ED41CB70

Function 00D3D285 Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00D3D2DB
GetSysColorBrush.USER32(0000000F), ref: 00D3D30C
GetSysColor.USER32(0000000F), ref: 00D3D318
SetBkColor.GDI32(?,000000FF), ref: 00D3D332
SelectObject.GDI32(?,00000000), ref: 00D3D341
InflateRect.USER32(?,000000FF,000000FF), ref: 00D3D36C
GetSysColor.USER32(00000010), ref: 00D3D374
CreateSolidBrush.GDI32(00000000), ref: 00D3D37B
FrameRect.USER32(?,?,00000000), ref: 00D3D38A
DeleteObject.GDI32(00000000), ref: 00D3D391
InflateRect.USER32(?,000000FE,000000FE), ref: 00D3D3DC
FillRect.USER32(?,?,00000000), ref: 00D3D40E
GetWindowLongW.USER32(?,000000F0), ref: 00D3D439

Part of subcall function 00D3D575: GetSysColor.USER32(00000012), ref: 00D3D5AE
Part of subcall function 00D3D575: SetTextColor.GDI32(?,?), ref: 00D3D5B2
Part of subcall function 00D3D575: GetSysColorBrush.USER32(0000000F), ref: 00D3D5C8
Part of subcall function 00D3D575: GetSysColor.USER32(0000000F), ref: 00D3D5D3
Part of subcall function 00D3D575: GetSysColor.USER32(00000011), ref: 00D3D5F0
Part of subcall function 00D3D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D3D5FE
Part of subcall function 00D3D575: SelectObject.GDI32(?,00000000), ref: 00D3D60F
Part of subcall function 00D3D575: SetBkColor.GDI32(?,00000000), ref: 00D3D618
Part of subcall function 00D3D575: SelectObject.GDI32(?,?), ref: 00D3D625
Part of subcall function 00D3D575: InflateRect.USER32(?,000000FF,000000FF), ref: 00D3D644
Part of subcall function 00D3D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D3D65B
Part of subcall function 00D3D575: GetWindowLongW.USER32(00000000,000000F0), ref: 00D3D670
Part of subcall function 00D3D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D3D698

Strings

@U=u, xrefs: 00D3D463

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID: @U=u
API String ID: 3521893082-2594219639
Opcode ID: ba6c661928691ec48454d064bdec703a7f1efcf86c5480cf3e2096e05ae3e3a3
Instruction ID: e2da55c93747142d4d1f8bd70deb97ccea48a2cc61594e0044fda6e1ea674a5d
Opcode Fuzzy Hash: ba6c661928691ec48454d064bdec703a7f1efcf86c5480cf3e2096e05ae3e3a3
Instruction Fuzzy Hash: 4A916F72408701AFD7209F64DC48E6B7BAAFB85326F140A19F9A2D62E0D771D944CF72

Function 00CEB8FD Relevance: 51.2, APIs: 27, Strings: 2, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00CEB98B
DeleteObject.GDI32(00000000), ref: 00CEB9CD
DeleteObject.GDI32(00000000), ref: 00CEB9D8
DestroyIcon.USER32(00000000), ref: 00CEB9E3
DestroyWindow.USER32(00000000), ref: 00CEB9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 00D4D2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00D4D2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00D4D711

Part of subcall function 00CEB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00CEB759,?,00000000,?,?,?,?,00CEB72B,00000000,?), ref: 00CEBA58

SendMessageW.USER32 ref: 00D4D758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00D4D76F
ImageList_Destroy.COMCTL32(00000000), ref: 00D4D785
ImageList_Destroy.COMCTL32(00000000), ref: 00D4D790

Strings

@U=u, xrefs: 00D4D2AA, 00D4D3B1, 00D4D68E
0, xrefs: 00D4D5A5

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0$@U=u
API String ID: 464785882-975001249
Opcode ID: 3a3eaa9e9bffa1ddbaaaa6927669586c6662f112545cb9bd4dd12e3ca2cbf739
Instruction ID: 591c79df5a491abcb88c3d9628cec947202229ce8dc9c0a95b2811d3725b44a8
Opcode Fuzzy Hash: 3a3eaa9e9bffa1ddbaaaa6927669586c6662f112545cb9bd4dd12e3ca2cbf739
Instruction Fuzzy Hash: 20126D30104241DFDB25CF25C888BAAB7F6FF45305F184569E989DB662C731EC46DBA1

Function 00D3D575 Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00D3D5AE
SetTextColor.GDI32(?,?), ref: 00D3D5B2
GetSysColorBrush.USER32(0000000F), ref: 00D3D5C8
GetSysColor.USER32(0000000F), ref: 00D3D5D3
CreateSolidBrush.GDI32(?), ref: 00D3D5D8
GetSysColor.USER32(00000011), ref: 00D3D5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D3D5FE
SelectObject.GDI32(?,00000000), ref: 00D3D60F
SetBkColor.GDI32(?,00000000), ref: 00D3D618
SelectObject.GDI32(?,?), ref: 00D3D625
InflateRect.USER32(?,000000FF,000000FF), ref: 00D3D644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D3D65B
GetWindowLongW.USER32(00000000,000000F0), ref: 00D3D670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D3D698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00D3D6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 00D3D6DD
DrawFocusRect.USER32(?,?), ref: 00D3D6E8
GetSysColor.USER32(00000011), ref: 00D3D6F6
SetTextColor.GDI32(?,00000000), ref: 00D3D6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00D3D712
SelectObject.GDI32(?,00D3D2A5), ref: 00D3D729
DeleteObject.GDI32(?), ref: 00D3D734
SelectObject.GDI32(?,?), ref: 00D3D73A
DeleteObject.GDI32(?), ref: 00D3D73F
SetTextColor.GDI32(?,?), ref: 00D3D745
SetBkColor.GDI32(?,?), ref: 00D3D74F

Strings

@U=u, xrefs: 00D3D698

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: efc1d86fbf0b39996fae687c5fa5c2931764f71d7528e2e1216b414e14fa5b76
Instruction ID: d1bbdf83379daa4765e104c8d6c972293ae6e2d608cc2f01d2eb0e9d6fa8ff14
Opcode Fuzzy Hash: efc1d86fbf0b39996fae687c5fa5c2931764f71d7528e2e1216b414e14fa5b76
Instruction Fuzzy Hash: 0F513D71900708AFDF219FA4DC48EAE7B7AEB09321F244515F915EB2A1D7719A40DF70

Function 00D1DBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D1DBD6
GetDriveTypeW.KERNEL32(?,00D6DC54,?,\\.\,00D6DC00), ref: 00D1DCC3
SetErrorMode.KERNEL32(00000000,00D6DC54,?,\\.\,00D6DC00), ref: 00D1DE29

Strings

CDROM, xrefs: 00D1DCF7
SCSI, xrefs: 00D1DD93
Virtual, xrefs: 00D1DDEE
RAMDisk, xrefs: 00D1DCED
\\.\, xrefs: 00D1DC2B
iSCSI, xrefs: 00D1DDCB
RAID, xrefs: 00D1DDC4
SATA, xrefs: 00D1DDD9
FileBackedVirtual, xrefs: 00D1DDF5
Unknown, xrefs: 00D1DCE3, 00D1DD8C
ATAPI, xrefs: 00D1DD9A
Removable, xrefs: 00D1DD15
USB, xrefs: 00D1DDBD
PhysicalDrive, xrefs: 00D1DC67
ATA, xrefs: 00D1DDA1
SAS, xrefs: 00D1DDD2
MMC, xrefs: 00D1DDE7
Fibre, xrefs: 00D1DDB6
1394, xrefs: 00D1DDA8
SSA, xrefs: 00D1DDAF
SSD, xrefs: 00D1DD50
Network, xrefs: 00D1DD01
Fixed, xrefs: 00D1DD0B

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 77e2fea859c81f64619ab82f9bceddad93f7eac1960d8f78d2946b3c7ea8db4f
Instruction ID: 3be793c086611b6557d566da9712200da4029318b306dee18412a64b8d4ff667
Opcode Fuzzy Hash: 77e2fea859c81f64619ab82f9bceddad93f7eac1960d8f78d2946b3c7ea8db4f
Instruction Fuzzy Hash: 0B518770248302BFC610EF14F8818AAB7A3FB54B55B14491AF49B97291DF70E9CAD772

Function 00D3C6E9 Relevance: 44.2, APIs: 23, Strings: 2, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 00D3C788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00D3C83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 00D3C859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 00D3CB15

Strings

0, xrefs: 00D3C89C
@U=u, xrefs: 00D3C83E, 00D3C859, 00D3C9D5, 00D3CA08, 00D3CA68, 00D3CAB1, 00D3CB15, 00D3CB39, 00D3CBED

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0$@U=u
API String ID: 2326795674-975001249
Opcode ID: 9e0c9c43b8747bc33bba8575dc623ab55540d343a21ff398ca42d4f57acb1ec7
Instruction ID: 177b1fdfcf267f04a5a7970993e633eee32ef92ba9e06bacb75b000120211a7c
Opcode Fuzzy Hash: 9e0c9c43b8747bc33bba8575dc623ab55540d343a21ff398ca42d4f57acb1ec7
Instruction Fuzzy Hash: FEF10271214301AFE7218F24CC89BAABBE5FF49355F08162DF999E62A1C774C941CBB1

Function 00CDCC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00CDCC68
__wcsnicmp.LIBCMT ref: 00CDCC80
__wcsnicmp.LIBCMT ref: 00CDCC98
__wcsnicmp.LIBCMT ref: 00CDCCB0
__wcsnicmp.LIBCMT ref: 00CDCCC8
__wcsnicmp.LIBCMT ref: 00CDCCE0
__wcsnicmp.LIBCMT ref: 00CDCCF8
__wcsnicmp.LIBCMT ref: 00CDCD0C
__wcsnicmp.LIBCMT ref: 00CDCD4D
__wcsnicmp.LIBCMT ref: 00CDCD61
__wcsnicmp.LIBCMT ref: 00CDCD75
__wcsnicmp.LIBCMT ref: 00CDCD89

Strings

#requireadmin, xrefs: 00CDCC92
#include-once, xrefs: 00CDCCC2
#ce, xrefs: 00CDCD83
#cs, xrefs: 00CDCD06, 00CDCD5B
#notrayicon, xrefs: 00CDCC7A
#pragma compile, xrefs: 00CDCC62
#OnAutoItStartRegister, xrefs: 00CDCCAA
Bad directive syntax error, xrefs: 00D42ECB
Cannot parse #include, xrefs: 00D42FA1
#comments-start, xrefs: 00CDCCF2, 00CDCD47
#include, xrefs: 00CDCCDA
#comments-end, xrefs: 00CDCD6F
Unterminated group of comments, xrefs: 00D42FB4

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 93f36fc63cbe0a194d31b8ee17b8a0d5308c93d67c5d99c859714c4d3e198224
Instruction ID: ebdfa57c9b93b5cd969a33e0462c02bc039c2568d91ae342470eea12517ad591
Opcode Fuzzy Hash: 93f36fc63cbe0a194d31b8ee17b8a0d5308c93d67c5d99c859714c4d3e198224
Instruction Fuzzy Hash: 5781FB3064020ABBCB15BE65DDC2FBF7769AF24740F48403AFB05A62C6EB60D945D6B1

Function 00D3638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00D6DC00), ref: 00D36449

Strings

TABLEFT, xrefs: 00D364A7
GETSELECTED, xrefs: 00D366C1
GETCURRENTSELECTION, xrefs: 00D36603
ISVISIBLE, xrefs: 00D36455
GETLINECOUNT, xrefs: 00D366E4
CHECK, xrefs: 00D3668B
SENDCOMMANDID, xrefs: 00D367CA
UNCHECK, xrefs: 00D366A1
DELSTRING, xrefs: 00D36569
HIDEDROPDOWN, xrefs: 00D36520
GETCURRENTCOL, xrefs: 00D36724
GETCURRENTLINE, xrefs: 00D36704
EDITPASTE, xrefs: 00D3675B
SELECTSTRING, xrefs: 00D36626
ADDSTRING, xrefs: 00D36536
TABRIGHT, xrefs: 00D364BD
FINDSTRING, xrefs: 00D36596
SHOWDROPDOWN, xrefs: 00D36500
GETLINE, xrefs: 00D3678B
ISENABLED, xrefs: 00D3648C
ISCHECKED, xrefs: 00D36659
SETCURRENTSELECTION, xrefs: 00D365D6
CURRENTTAB, xrefs: 00D364DD

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 22c7fdf9e7220a8023d21c248666902a0fdc19a2af8cbaa93b33c8802ac29594
Instruction ID: a9c8da3eaeba07b7d1cb6dafef8540931c037f411591107ec0e414319abad3cb
Opcode Fuzzy Hash: 22c7fdf9e7220a8023d21c248666902a0fdc19a2af8cbaa93b33c8802ac29594
Instruction Fuzzy Hash: F1C1D530204642ABCB04FF10C551A6E77A5EF99394F148869F8865B3E2DB30ED4ADBB1

Function 00D3B6C4 Relevance: 40.6, APIs: 21, Strings: 2, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00D3B7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D3B7C1
CharNextW.USER32(0000014E), ref: 00D3B7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00D3B831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00D3B847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D3B858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00D3B875
SetWindowTextW.USER32(?,0000014E), ref: 00D3B8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00D3B8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D3B90E
_memset.LIBCMT ref: 00D3B933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00D3B97C
_memset.LIBCMT ref: 00D3B9DB
SendMessageW.USER32 ref: 00D3BA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 00D3BA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 00D3BB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 00D3BB2C
GetMenuItemInfoW.USER32(?), ref: 00D3BB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D3BBA3
DrawMenuBar.USER32(?), ref: 00D3BBB2
SetWindowTextW.USER32(?,0000014E), ref: 00D3BBDA

Strings

@U=u, xrefs: 00D3B7B0, 00D3B7C1, 00D3B7F6, 00D3B875, 00D3B8DD, 00D3B90E, 00D3B97C, 00D3BA05, 00D3BA5D, 00D3BB0A
0, xrefs: 00D3BB4F

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0$@U=u
API String ID: 1073566785-975001249
Opcode ID: ab36a0858cc4d7735d2721608438b92a19aaa13f42f1d68fb50f7f7a1c1199c5
Instruction ID: 72f2ae80a7846282aa88510ccda5631ae92c04f7ad3d07700d2b92682b89a5d1
Opcode Fuzzy Hash: ab36a0858cc4d7735d2721608438b92a19aaa13f42f1d68fb50f7f7a1c1199c5
Instruction Fuzzy Hash: 32E17E75900318AFDF209F61CC85AFE7B78EF05724F14815AFA59AA291DB708A81DF70

Function 00D3764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D3778A
GetDesktopWindow.USER32 ref: 00D3779F
GetWindowRect.USER32(00000000), ref: 00D377A6
GetWindowLongW.USER32(?,000000F0), ref: 00D37808
DestroyWindow.USER32(?), ref: 00D37834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D3785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D3787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00D378A1
SendMessageW.USER32(?,00000421,?,?), ref: 00D378B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00D378C9
IsWindowVisible.USER32(?), ref: 00D378E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00D37904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00D37918
GetWindowRect.USER32(?,?), ref: 00D37930
MonitorFromPoint.USER32(?,?,00000002), ref: 00D37956
GetMonitorInfoW.USER32 ref: 00D37970
CopyRect.USER32(?,?), ref: 00D37987
SendMessageW.USER32(?,00000412,00000000), ref: 00D379F2

Strings

(, xrefs: 00D37965
tooltips_class32, xrefs: 00D37856
0, xrefs: 00D37735

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 8cbfd30abd22279d586dbc249e917f6e286edf4254fabe94de5266db715853df
Instruction ID: bcc3cfc7e247fc1f616fc59b7c370b45e3522094f5ab7890579cd96563259056
Opcode Fuzzy Hash: 8cbfd30abd22279d586dbc249e917f6e286edf4254fabe94de5266db715853df
Instruction Fuzzy Hash: A6B19FB1608701AFD754DF64C849B6ABBE5FF88310F04891DF9999B291DB70EC05CBA2

Function 00D16CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00D16CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00D16D21
_wcscpy.LIBCMT ref: 00D16D4F
_wcscmp.LIBCMT ref: 00D16D5A
_wcscat.LIBCMT ref: 00D16D70
_wcsstr.LIBCMT ref: 00D16D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00D16D97
_wcscat.LIBCMT ref: 00D16DE0
_wcscat.LIBCMT ref: 00D16DE7
_wcsncpy.LIBCMT ref: 00D16E12

Strings

%u.%u.%u.%u, xrefs: 00D16E75
\VarFileInfo\Translation, xrefs: 00D16D8F
StringFileInfo\, xrefs: 00D16D6A
04090000, xrefs: 00D16DCD
DefaultLangCodepage, xrefs: 00D16DFA

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 4dd83024ea9cb55b0d9cb7d4a1b683c5b1fea838b2ec2f1671a552aed51a6333
Instruction ID: f88abb82c7170a97a2c27a806d20f46f64c51fb666983f059657294ac78a304d
Opcode Fuzzy Hash: 4dd83024ea9cb55b0d9cb7d4a1b683c5b1fea838b2ec2f1671a552aed51a6333
Instruction Fuzzy Hash: 3F41D571A00208BFE710BB64AC47EBF776CDF45710F140069FA05A6182EE74DA15A7B2

Function 00CEA856 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CEA939
GetSystemMetrics.USER32(00000007), ref: 00CEA941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CEA96C
GetSystemMetrics.USER32(00000008), ref: 00CEA974
GetSystemMetrics.USER32(00000004), ref: 00CEA999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00CEA9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00CEA9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00CEA9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00CEAA0D
GetClientRect.USER32(00000000,000000FF), ref: 00CEAA2B
GetStockObject.GDI32(00000011), ref: 00CEAA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 00CEAA52

Part of subcall function 00CEB63C: GetCursorPos.USER32(000000FF), ref: 00CEB64F
Part of subcall function 00CEB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00CEB66C
Part of subcall function 00CEB63C: GetAsyncKeyState.USER32(00000001), ref: 00CEB691
Part of subcall function 00CEB63C: GetAsyncKeyState.USER32(00000002), ref: 00CEB69F

SetTimer.USER32(00000000,00000000,00000028,00CEAB87), ref: 00CEAA79

Strings

@U=u, xrefs: 00CEAA52
AutoIt v3 GUI, xrefs: 00CEA9F1

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: 00d3299d2f116410c446a3b3d864f8f026ef162f8309efbe97346de54a76ac33
Instruction ID: b18afd353cefc756028e024e19c445251d494d9886e92e3a29a82e8daea59428
Opcode Fuzzy Hash: 00d3299d2f116410c446a3b3d864f8f026ef162f8309efbe97346de54a76ac33
Instruction Fuzzy Hash: EAB17675A0030AAFDB24DFA9DC45BAE7BB5FB08311F154229FA15E7290DB34A841CF61

Function 00D0EA9D Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00D0EAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00D0EAC2
SetWindowTextW.USER32(?,?), ref: 00D0EAD9
GetDlgItem.USER32(?,000003EA), ref: 00D0EAEE
SetWindowTextW.USER32(00000000,?), ref: 00D0EAF4
GetDlgItem.USER32(?,000003E9), ref: 00D0EB04
SetWindowTextW.USER32(00000000,?), ref: 00D0EB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00D0EB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00D0EB45
GetWindowRect.USER32(?,?), ref: 00D0EB4E
SetWindowTextW.USER32(?,?), ref: 00D0EBB9
GetDesktopWindow.USER32 ref: 00D0EBBF
GetWindowRect.USER32(00000000), ref: 00D0EBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00D0EC12
GetClientRect.USER32(?,?), ref: 00D0EC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00D0EC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00D0EC6F

Strings

@U=u, xrefs: 00D0EAC2

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID: @U=u
API String ID: 3869813825-2594219639
Opcode ID: b887860ffe8edb999f0ee0ff991b979ba0b5420e20165e611cadedbc0c83b349
Instruction ID: ea7bc3394eaf257209c7e8685820791dbcfb7062e0d100a59868b1c12965b30e
Opcode Fuzzy Hash: b887860ffe8edb999f0ee0ff991b979ba0b5420e20165e611cadedbc0c83b349
Instruction Fuzzy Hash: 5F511C71900709AFDB209FA8CD89B6EBBF5FF08705F044928E596E26A0D775A945CB20

Function 00CD2EC0 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00CD2F7A
IsWindow.USER32(?), ref: 00D422FD

Strings

REGEXPTITLE, xrefs: 00D420F8
INSTANCE, xrefs: 00D4223C
LAST, xrefs: 00D420B6
ALL, xrefs: 00D42264
CLASS, xrefs: 00D42128
REGEXPCLASS, xrefs: 00D42149
TITLE, xrefs: 00D42292
HANDLE, xrefs: 00D420E2
ACTIVE, xrefs: 00D420CC

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 62970417-1919597938
Opcode ID: b8af911643a30fdb5741877f2e359b8c6db46abb8af7fc9e1749ac020e1164a1
Instruction ID: 856e527d9e7f2bfee3c5f64ad5f15e0dd38b6a830d57665fea5fd6d574454b41
Opcode Fuzzy Hash: b8af911643a30fdb5741877f2e359b8c6db46abb8af7fc9e1749ac020e1164a1
Instruction Fuzzy Hash: 73D13B30104742DBCB04EF50C481ABABBB1FF58340F544A1EF596936A1DB70E99ADBB1

Function 00D36BC9 Relevance: 28.3, APIs: 2, Strings: 14, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D36C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00D36D16

Strings

@U=u, xrefs: 00D36D16
GETSELECTEDCOUNT, xrefs: 00D36CF9
GETSELECTED, xrefs: 00D36E3C
SELECTALL, xrefs: 00D36D75
GETSUBITEMCOUNT, xrefs: 00D36CA1
ISSELECTED, xrefs: 00D36D21
SELECTCLEAR, xrefs: 00D36D8D
GETITEMCOUNT, xrefs: 00D36C84
FINDITEM, xrefs: 00D36E81
SELECT, xrefs: 00D36DA8
GETTEXT, xrefs: 00D36CBF
VIEWCHANGE, xrefs: 00D36ECD
DESELECT, xrefs: 00D36DFC
SELECTINVERT, xrefs: 00D36DDE

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-1753161424
Opcode ID: 54d63820096e96cf65b8ffc53cc9c68177bb3d3f114d07f546644c810af921b4
Instruction ID: 3312f129ec97825a75d94b78a19d2d3e358327a6b5cc1f1927cee343eb9cab64
Opcode Fuzzy Hash: 54d63820096e96cf65b8ffc53cc9c68177bb3d3f114d07f546644c810af921b4
Instruction Fuzzy Hash: 9BA16E30204341ABCB14FF24C851A6AB7A5FF49354F14896DF996AB3D2DB30EC0ADB61

Function 00D3E731 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00D3E754
GetFileSize.KERNEL32(00000000,00000000), ref: 00D3E76B
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00D3E776
CloseHandle.KERNEL32(00000000), ref: 00D3E783
GlobalLock.KERNEL32(00000000), ref: 00D3E78C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00D3E79B
GlobalUnlock.KERNEL32(00000000), ref: 00D3E7A4
CloseHandle.KERNEL32(00000000), ref: 00D3E7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00D3E7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,00D5D9BC,?), ref: 00D3E7D5
GlobalFree.KERNEL32(00000000), ref: 00D3E7E5
GetObjectW.GDI32(?,00000018,000000FF), ref: 00D3E809
CopyImage.USER32(?,00000000,?,?,00002000), ref: 00D3E834
DeleteObject.GDI32(00000000), ref: 00D3E85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00D3E872

Strings

@U=u, xrefs: 00D3E872

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: e2a7ad9d6f030af1b97a8b45dba01ea10184e340391ffd119cf18a9c51a18bea
Instruction ID: cc1f2dbfbf7a6b19b98d5316539f31deb49d1135fde6df71b6a194624c11d663
Opcode Fuzzy Hash: e2a7ad9d6f030af1b97a8b45dba01ea10184e340391ffd119cf18a9c51a18bea
Instruction Fuzzy Hash: 30411775600304EFDB219F65DC88EAA7BBAEB89716F148058F90AD72A0D731A941DB70

Function 00D33639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D33735
RegCreateKeyExW.ADVAPI32(?,?,00000000,00D6DC00,00000000,?,00000000,?,?), ref: 00D337A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00D337EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00D33874
RegCloseKey.ADVAPI32(?), ref: 00D33B94
RegCloseKey.ADVAPI32(00000000), ref: 00D33BA1

Strings

REG_DWORD, xrefs: 00D33A65
REG_EXPAND_SZ, xrefs: 00D33811
REG_MULTI_SZ, xrefs: 00D3395C
REG_QWORD, xrefs: 00D33AE2
REG_SZ, xrefs: 00D338B2
REG_BINARY, xrefs: 00D33B2F

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 2ca80d0dad5af19cc78f3c78ee8e65b099d7003fcc029af24aa217b2d3ec68fd
Instruction ID: 716ec1de3280af7f48df0c428c540c10c6641161095dbe4d434ba5fc00a0e712
Opcode Fuzzy Hash: 2ca80d0dad5af19cc78f3c78ee8e65b099d7003fcc029af24aa217b2d3ec68fd
Instruction Fuzzy Hash: 60026C756046019FCB14EF28C951A2EB7E5FF88720F04845DF99A9B3A2CB30ED01DBA1

Function 00D0CF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00D0CF91
__swprintf.LIBCMT ref: 00D0D032
_wcscmp.LIBCMT ref: 00D0D045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00D0D09A
_wcscmp.LIBCMT ref: 00D0D0D6
GetClassNameW.USER32(?,?,00000400), ref: 00D0D10D
GetDlgCtrlID.USER32(?), ref: 00D0D15F
GetWindowRect.USER32(?,?), ref: 00D0D195
GetParent.USER32(?), ref: 00D0D1B3
ScreenToClient.USER32(00000000), ref: 00D0D1BA
GetClassNameW.USER32(?,?,00000100), ref: 00D0D234
_wcscmp.LIBCMT ref: 00D0D248
GetWindowTextW.USER32(?,?,00000400), ref: 00D0D26E
_wcscmp.LIBCMT ref: 00D0D282

Strings

%s%u, xrefs: 00D0D02C

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 65571c430c211daccc4add14f342aab3c06bdb440ba0cf324af3a6d068dec11f
Instruction ID: 3f7157c1c7b912ac2ede6ae80e4d9f45408d9650137717e262cc489fcc988c8e
Opcode Fuzzy Hash: 65571c430c211daccc4add14f342aab3c06bdb440ba0cf324af3a6d068dec11f
Instruction Fuzzy Hash: 66A1A271604306AFD715DFA4C884BAAB7AAFF44354F04861AFA9DD2190DB30E946CBB1

Function 00D0D8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00D0D8EB
_wcscmp.LIBCMT ref: 00D0D8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00D0D924
CharUpperBuffW.USER32(?,00000000), ref: 00D0D941
_wcscmp.LIBCMT ref: 00D0D95F
_wcsstr.LIBCMT ref: 00D0D970
GetClassNameW.USER32(00000018,?,00000400), ref: 00D0D9A8
_wcscmp.LIBCMT ref: 00D0D9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00D0D9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 00D0DA28
_wcscmp.LIBCMT ref: 00D0DA38
GetClassNameW.USER32(00000010,?,00000400), ref: 00D0DA60
GetWindowRect.USER32(00000004,?), ref: 00D0DAC9

Strings

@, xrefs: 00D0D8C6
ThumbnailClass, xrefs: 00D0D9B3, 00D0DA33

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: c8f33644566a6a8d1a1d54feede27c847bdbb4a85ed5be228b75adda4943a1c5
Instruction ID: 8a8b5b941c06bea7c134251135e68ede95d197a4891926b659c80754b1d20a2b
Opcode Fuzzy Hash: c8f33644566a6a8d1a1d54feede27c847bdbb4a85ed5be228b75adda4943a1c5
Instruction Fuzzy Hash: 3B819F311083099BDB11DF94D885BAA7BA9EF84314F08846BFD8D9A0D6DB30DD46CBB1

Function 00D3CE58 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D3CEFB
DestroyWindow.USER32(?,?), ref: 00D3CF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00D3CFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00D3D016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D3D025
DestroyWindow.USER32(?), ref: 00D3D042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00CD0000,00000000), ref: 00D3D075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D3D094
GetDesktopWindow.USER32 ref: 00D3D0A9
GetWindowRect.USER32(00000000), ref: 00D3D0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D3D0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00D3D0DA

Part of subcall function 00CEB526: GetWindowLongW.USER32(?,000000EB), ref: 00CEB537

Strings

@U=u, xrefs: 00D3CFA7, 00D3D081
tooltips_class32, xrefs: 00D3CFED, 00D3D06E
0, xrefs: 00D3CF1B

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$@U=u$tooltips_class32
API String ID: 3877571568-1130792468
Opcode ID: 27907fe9c830b312f2456f190a7e33929df6a4d2aeeb735b0f88700ebd3e0d99
Instruction ID: 2157847f136c1103ac37a66fbfd51639516b04a7112cd19dde91f48d77375269
Opcode Fuzzy Hash: 27907fe9c830b312f2456f190a7e33929df6a4d2aeeb735b0f88700ebd3e0d99
Instruction Fuzzy Hash: F0719AB4540305AFD724CF28DC85F667BE6EB88B44F08451AF985873A1D770E946DB32

Function 00D3F351 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CEB35F

DragQueryPoint.SHELL32(?,?), ref: 00D3F37A

Part of subcall function 00D3D7DE: ClientToScreen.USER32(?,?), ref: 00D3D807
Part of subcall function 00D3D7DE: GetWindowRect.USER32(?,?), ref: 00D3D87D
Part of subcall function 00D3D7DE: PtInRect.USER32(?,?,00D3ED5A), ref: 00D3D88D

SendMessageW.USER32(?,000000B0,?,?), ref: 00D3F3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D3F3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D3F411
_wcscat.LIBCMT ref: 00D3F441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00D3F458
SendMessageW.USER32(?,000000B0,?,?), ref: 00D3F471
SendMessageW.USER32(?,000000B1,?,?), ref: 00D3F488
SendMessageW.USER32(?,000000B1,?,?), ref: 00D3F4AA
DragFinish.SHELL32(?), ref: 00D3F4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00D3F59C

Strings

@U=u, xrefs: 00D3F3E3, 00D3F458, 00D3F471, 00D3F488, 00D3F4AA
@GUI_DRAGID, xrefs: 00D3F510
@GUI_DROPID, xrefs: 00D3F4D1
@GUI_DRAGFILE, xrefs: 00D3F54B

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
API String ID: 169749273-762882726
Opcode ID: b06d9626d95278dc75a0014f5ec1609008d373d0e891ed98e5d528141f074b76
Instruction ID: d5cae8e8737569e920028680d5aa272330df74701bb1d74e445a518506276d53
Opcode Fuzzy Hash: b06d9626d95278dc75a0014f5ec1609008d373d0e891ed98e5d528141f074b76
Instruction Fuzzy Hash: 12614A71508305AFC711EF64CC85E9FBBF9EB89710F000A1EB695922A1DB70DA09CB62

Function 00D0D6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00D0D753

Strings

CLASSNAME=, xrefs: 00D0D790
[CLASS:, xrefs: 00D0D7A3
[HANDLE:, xrefs: 00D0D75F
[ACTIVE, xrefs: 00D0D740
LAST, xrefs: 00D0D718
ALL, xrefs: 00D0D7E7
HANDLE=, xrefs: 00D0D74C
[REGEXPTITLE:, xrefs: 00D0D77B
[LAST, xrefs: 00D0D800
REGEXP=, xrefs: 00D0D768
ACTIVE, xrefs: 00D0D72E
[ALL, xrefs: 00D0D7F9

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 165a3ae80ca7d8370ed81fe6597cb13589fe63797e9d1daabc96e652ab668b2a
Instruction ID: 86c3b0ba8f6534628efeb4def224299b8ef6d035ed69d7ccaa788a66a4a5b987
Opcode Fuzzy Hash: 165a3ae80ca7d8370ed81fe6597cb13589fe63797e9d1daabc96e652ab668b2a
Instruction Fuzzy Hash: 52316131544209AADB14FE90DD43FBD73A59F20750F20012BF546711D5EB61EE08E772

Function 00D279B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00D279C6
LoadCursorW.USER32(00000000,00007F00), ref: 00D279D1
LoadCursorW.USER32(00000000,00007F03), ref: 00D279DC
LoadCursorW.USER32(00000000,00007F8B), ref: 00D279E7
LoadCursorW.USER32(00000000,00007F01), ref: 00D279F2
LoadCursorW.USER32(00000000,00007F81), ref: 00D279FD
LoadCursorW.USER32(00000000,00007F88), ref: 00D27A08
LoadCursorW.USER32(00000000,00007F80), ref: 00D27A13
LoadCursorW.USER32(00000000,00007F86), ref: 00D27A1E
LoadCursorW.USER32(00000000,00007F83), ref: 00D27A29
LoadCursorW.USER32(00000000,00007F85), ref: 00D27A34
LoadCursorW.USER32(00000000,00007F82), ref: 00D27A3F
LoadCursorW.USER32(00000000,00007F84), ref: 00D27A4A
LoadCursorW.USER32(00000000,00007F04), ref: 00D27A55
LoadCursorW.USER32(00000000,00007F02), ref: 00D27A60
LoadCursorW.USER32(00000000,00007F89), ref: 00D27A6B
GetCursorInfo.USER32(?), ref: 00D27A7B

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: e5760eeda2f1a242f08992dc88e43839f6a519040f652fca9c793791152eb82d
Instruction ID: 7c020736d1d2e10716925f0956db1206e6de774d2a33a3c183bc320cd4b36fd3
Opcode Fuzzy Hash: e5760eeda2f1a242f08992dc88e43839f6a519040f652fca9c793791152eb82d
Instruction Fuzzy Hash: F13127B1D0831A6ADB209FB69C8995FBFF8FF14754F50452AE50DE7280DA78A5008FA1

Function 00CDC833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 00CEE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00CDC8B7,?,00002000,?,?,00000000,?,00CD419E,?,?,?,00D6DC00), ref: 00CEE984

Part of subcall function 00CD660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CD53B1,?,?,00CD61FF,?,00000000,00000001,00000000), ref: 00CD662F

__wsplitpath.LIBCMT ref: 00CDC93E

Part of subcall function 00CF1DFC: __wsplitpath_helper.LIBCMT ref: 00CF1E3C

_wcscpy.LIBCMT ref: 00CDC953
_wcscat.LIBCMT ref: 00CDC968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00CDC978
SetCurrentDirectoryW.KERNEL32(?), ref: 00CDCABE

Part of subcall function 00CDB337: _wcscpy.LIBCMT ref: 00CDB36F

Strings

Bad directive syntax error, xrefs: 00D43429
Error opening the file, xrefs: 00D430B4, 00D4313D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00D43098
EA06, xrefs: 00D430C9
AU3!, xrefs: 00CDC90C
Unterminated string, xrefs: 00D43470
>>>AUTOIT SCRIPT<<<, xrefs: 00D4311B

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: 333b9664225a664326b90aee1d6a729b251b5ca2401f64c547061a85cac23368
Instruction ID: 498306001415a4d0aecd2976d7413e5f7d101d714123e6261b339408675adb30
Opcode Fuzzy Hash: 333b9664225a664326b90aee1d6a729b251b5ca2401f64c547061a85cac23368
Instruction Fuzzy Hash: 73129D71508341AFC724EF24C891AAFBBE5EF99304F04491EF68993361DB31DA49DB62

Function 00D3716A Relevance: 24.7, APIs: 2, Strings: 12, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D371FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D37247

Strings

@U=u, xrefs: 00D37247
GETSELECTED, xrefs: 00D3733F
GETTOTALCOUNT, xrefs: 00D3722A
SELECT, xrefs: 00D373E0
CHECK, xrefs: 00D37267
EXPAND, xrefs: 00D372E1
COLLAPSE, xrefs: 00D3728D
GETTEXT, xrefs: 00D37382
EXISTS, xrefs: 00D372B0
ISCHECKED, xrefs: 00D373B2
UNCHECK, xrefs: 00D3740B
GETITEMCOUNT, xrefs: 00D37311

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-383632319
Opcode ID: 6fdcb28ac084718b421126d36acbec3ae733e7a83eb1a6c8d5eb923128814cd1
Instruction ID: 6268ac60989b8e2ab73296052d6d80c8eea31ab7d1ecae1972fb7097ef145573
Opcode Fuzzy Hash: 6fdcb28ac084718b421126d36acbec3ae733e7a83eb1a6c8d5eb923128814cd1
Instruction Fuzzy Hash: FE919074208B419BCB14FF10C851A6EB7A1FF98350F144859F9965B3A3DB30ED0ADBA1

Function 00D3E4F5 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00D3E5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00D39808,?), ref: 00D3E607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D3E647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D3E68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D3E6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,00D39808,?), ref: 00D3E6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D3E6DF
DestroyIcon.USER32(?), ref: 00D3E6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D3E70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00D3E717

Part of subcall function 00CF0FA7: __wcsicmp_l.LIBCMT ref: 00CF1030

Strings

@U=u, xrefs: 00D3E6F7
.dll, xrefs: 00D3E564
.exe, xrefs: 00D3E541
.icl, xrefs: 00D3E521

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl$@U=u
API String ID: 1212759294-1639919054
Opcode ID: 85a70e6548412fb69bf779ce1b507e6ce91d74b48666c108e8a8b76b38ae92fc
Instruction ID: 7d9c5dd8d72a40964de676776d1ede0de089bd2cf192d5c3e6e3553952c71e5b
Opcode Fuzzy Hash: 85a70e6548412fb69bf779ce1b507e6ce91d74b48666c108e8a8b76b38ae92fc
Instruction Fuzzy Hash: AE61AE71500319FAEB24DF64CC46FBE7BA8BB18B25F204505F915E61D1EBB0A980DBB0

Function 00D1AAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00D1AB3D
VariantCopy.OLEAUT32(?,?), ref: 00D1AB46
VariantClear.OLEAUT32(?), ref: 00D1AB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00D1AC40
__swprintf.LIBCMT ref: 00D1AC70
VarR8FromDec.OLEAUT32(?,?), ref: 00D1AC9C
VariantInit.OLEAUT32(?), ref: 00D1AD4D
SysFreeString.OLEAUT32(00000016), ref: 00D1ADDF
VariantClear.OLEAUT32(?), ref: 00D1AE35
VariantClear.OLEAUT32(?), ref: 00D1AE44
VariantInit.OLEAUT32(00000000), ref: 00D1AE80

Strings

Default, xrefs: 00D1ACFD
%4d%02d%02d%02d%02d%02d, xrefs: 00D1AC6A

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 9910c281618ce8f4d4a881a263a6322ecca8e078118a904ce854a9188be33de2
Instruction ID: ce3d1e6cdecd55d8e52387285f30761969ae47a6ec18422fab484517d1314a48
Opcode Fuzzy Hash: 9910c281618ce8f4d4a881a263a6322ecca8e078118a904ce854a9188be33de2
Instruction Fuzzy Hash: D4D1C271609615FBDB209F69E985BAAB7B6FF04700F188056F4499B281DF70DC80DBB2

Function 00D1D219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00CD936C: __swprintf.LIBCMT ref: 00CD93AB
Part of subcall function 00CD936C: __itow.LIBCMT ref: 00CD93DF

CharLowerBuffW.USER32(?,?), ref: 00D1D292
GetDriveTypeW.KERNEL32 ref: 00D1D2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D1D327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D1D35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D1D38C

Strings

closed, xrefs: 00D1D2A6, 00D1D2AF
close, xrefs: 00D1D298
close cd wait, xrefs: 00D1D377
set cd door , xrefs: 00D1D32D
type cdaudio alias cd wait, xrefs: 00D1D30A
wait, xrefs: 00D1D349
open , xrefs: 00D1D2EE
open, xrefs: 00D1D2B9

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: ee4b3504b4fe91ce0c82065b78c3c836ec11043c0afedc4ec02a2e98f467751a
Instruction ID: 433155bf232006ed9b064410f16e2e7a863724275bd17f2ff452e583a4564009
Opcode Fuzzy Hash: ee4b3504b4fe91ce0c82065b78c3c836ec11043c0afedc4ec02a2e98f467751a
Instruction Fuzzy Hash: 5E514A71104705AFC700EF11D88196EB7E9EF98758F10485EF89AA7361DB31EE0ADB62

Function 00D126BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00D43973,00000016,0000138C,00000016,?,00000016,00D6DDB4,00000000,?), ref: 00D126F1
LoadStringW.USER32(00000000,?,00D43973,00000016), ref: 00D126FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00D43973,00000016,0000138C,00000016,?,00000016,00D6DDB4,00000000,?,00000016), ref: 00D1271C
LoadStringW.USER32(00000000,?,00D43973,00000016), ref: 00D1271F
__swprintf.LIBCMT ref: 00D1276F
__swprintf.LIBCMT ref: 00D12780
_wprintf.LIBCMT ref: 00D12829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00D12840

Strings

Error: , xrefs: 00D127F7
Line %d (File "%s"):, xrefs: 00D12769
^ ERROR, xrefs: 00D127D5
%s (%d) : ==> %s: %s %s, xrefs: 00D12824
Line %d:, xrefs: 00D1277A

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: b860873b0c76176d74a8521a46ebbb3e1c745070af38810b55def09d1bfd2fd0
Instruction ID: ef96c0cd77fca64113307951aff31e95ebf2587f724d3af952f315381fca06b5
Opcode Fuzzy Hash: b860873b0c76176d74a8521a46ebbb3e1c745070af38810b55def09d1bfd2fd0
Instruction Fuzzy Hash: A7410E72800219BACB14FBD0DD86DEEB778AF15740F100066B605B6192EA719F59EB71

Function 00D1D0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D1D0D8
__swprintf.LIBCMT ref: 00D1D0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D1D137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00D1D15C
_memset.LIBCMT ref: 00D1D17B
_wcsncpy.LIBCMT ref: 00D1D1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00D1D1EC
CloseHandle.KERNEL32(00000000), ref: 00D1D1F7
RemoveDirectoryW.KERNEL32(?), ref: 00D1D200
CloseHandle.KERNEL32(00000000), ref: 00D1D20A

Strings

\, xrefs: 00D1D110
\??\%s, xrefs: 00D1D0F4
:, xrefs: 00D1D11B

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 66b0f5f48f6ff81506fbc34226b897c28951a510f0b82fde051344b016a1fd79
Instruction ID: aca234abaf86f423b14d072def9e535f5aea8c4908b2e7ef923aa05465f4ce0c
Opcode Fuzzy Hash: 66b0f5f48f6ff81506fbc34226b897c28951a510f0b82fde051344b016a1fd79
Instruction Fuzzy Hash: 4F31B3B2500209BBDB20DFA0DC48FEB37BDEF89741F1440A5F919D2161EB7096848B35

Function 00D205F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00D2076F
_wcscat.LIBCMT ref: 00D20787
_wcscat.LIBCMT ref: 00D20799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D207AE
SetCurrentDirectoryW.KERNEL32(?), ref: 00D207C2
GetFileAttributesW.KERNEL32(?), ref: 00D207DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 00D207F4
SetCurrentDirectoryW.KERNEL32(?), ref: 00D20806

Strings

*.*, xrefs: 00D20845

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 87fc1045e72cbb04ad318080a0a8dcc2b715e43d6cf1b76157bd4e05db53a565
Instruction ID: 8b7af41a80725049d89c80e42ce1d151911812d23772a4209d17137be4654afd
Opcode Fuzzy Hash: 87fc1045e72cbb04ad318080a0a8dcc2b715e43d6cf1b76157bd4e05db53a565
Instruction Fuzzy Hash: D08191715043159FCB24EF24D84596FBBE9FBE8309F18882EF985D7252E730D9448BA2

Function 00D3EEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CEB35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D3EF3B
GetFocus.USER32 ref: 00D3EF4B
GetDlgCtrlID.USER32(00000000), ref: 00D3EF56
_memset.LIBCMT ref: 00D3F081
GetMenuItemInfoW.USER32 ref: 00D3F0AC
GetMenuItemCount.USER32(00000000), ref: 00D3F0CC
GetMenuItemID.USER32(?,00000000), ref: 00D3F0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00D3F113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00D3F15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D3F193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00D3F1C8

Strings

0, xrefs: 00D3F079

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: effaf6d2e6d2ee2b7566e1f9c0703e3a140ef6c124302b15ad3b9d0d7f6068fb
Instruction ID: 1217436464e78adfd6df203b5c0c13d770f69321c87c1725db4b4deb6d0ba374
Opcode Fuzzy Hash: effaf6d2e6d2ee2b7566e1f9c0703e3a140ef6c124302b15ad3b9d0d7f6068fb
Instruction Fuzzy Hash: F3815A71908309AFDB24CF14D884A6BBBE9FB88314F14492EF99997291D770D905CBB2

Function 00D0A867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00D0ABD7
Part of subcall function 00D0ABBB: GetLastError.KERNEL32(?,00D0A69F,?,?,?), ref: 00D0ABE1
Part of subcall function 00D0ABBB: GetProcessHeap.KERNEL32(00000008,?,?,00D0A69F,?,?,?), ref: 00D0ABF0
Part of subcall function 00D0ABBB: HeapAlloc.KERNEL32(00000000,?,00D0A69F,?,?,?), ref: 00D0ABF7
Part of subcall function 00D0ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00D0AC0E

Part of subcall function 00D0AC56: GetProcessHeap.KERNEL32(00000008,00D0A6B5,00000000,00000000,?,00D0A6B5,?), ref: 00D0AC62
Part of subcall function 00D0AC56: HeapAlloc.KERNEL32(00000000,?,00D0A6B5,?), ref: 00D0AC69
Part of subcall function 00D0AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00D0A6B5,?), ref: 00D0AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D0A8CB
_memset.LIBCMT ref: 00D0A8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D0A8FF
GetLengthSid.ADVAPI32(?), ref: 00D0A910
GetAce.ADVAPI32(?,00000000,?), ref: 00D0A94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D0A969
GetLengthSid.ADVAPI32(?), ref: 00D0A986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00D0A995
HeapAlloc.KERNEL32(00000000), ref: 00D0A99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D0A9BD
CopySid.ADVAPI32(00000000), ref: 00D0A9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D0A9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D0AA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D0AA2F

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 1798aea4ac3638587c102ca8168719ebb6d97d46982f2ab939b7e2fe13f3eec7
Instruction ID: e0ab6db1c96c436fb0e06324924e89ba501eceee1a7153ce13adbf61f7072f2b
Opcode Fuzzy Hash: 1798aea4ac3638587c102ca8168719ebb6d97d46982f2ab939b7e2fe13f3eec7
Instruction Fuzzy Hash: AC51F871A00309ABDF10DF98DD45AEEBBBAFB04311F148119F919AA2D0DB359A05CB71

Function 00D1CC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 00D1CCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 00D1CCC5
__swprintf.LIBCMT ref: 00D1CD1E
__swprintf.LIBCMT ref: 00D1CD37
_wprintf.LIBCMT ref: 00D1CDED
_wprintf.LIBCMT ref: 00D1CE0B

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00D1CDE8
Error: , xrefs: 00D1CDB5
Line %d (File "%s"):, xrefs: 00D1CD18, 00D1CD31
^ ERROR, xrefs: 00D1CD8F
"%s" (%d) : ==> %s:, xrefs: 00D1CE06

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 5cf42f853f8bd565edf985e9d0f54d7beca39f92b6a8e8e58ec4a3f4f1abb722
Instruction ID: b328aa89bdf0bf964a1ba4506aea022e49577443484f56ecdea8b1731250bc4c
Opcode Fuzzy Hash: 5cf42f853f8bd565edf985e9d0f54d7beca39f92b6a8e8e58ec4a3f4f1abb722
Instruction Fuzzy Hash: 21513F71940209BBCB15EBA0DD46EEEB779EF04344F100166F605722A2EB316E99EF71

Function 00D1CA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00D1CA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00D1CAB0
__swprintf.LIBCMT ref: 00D1CB09
__swprintf.LIBCMT ref: 00D1CB22
_wprintf.LIBCMT ref: 00D1CBCD
_wprintf.LIBCMT ref: 00D1CBEB

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00D1CBC8
Error: , xrefs: 00D1CB95
Line %d (File "%s"):, xrefs: 00D1CB03, 00D1CB1C
"%s" (%d) : ==> %s:, xrefs: 00D1CBE6
^ ERROR , xrefs: 00D1CB64

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: 35c16923812c2a50df49eeaa3896c33c581fa435292387559d0593430c10dbb6
Instruction ID: 87adac934e61fc99e83806f83ca4c052c9101c8d2b13460d11020ec6b288c985
Opcode Fuzzy Hash: 35c16923812c2a50df49eeaa3896c33c581fa435292387559d0593430c10dbb6
Instruction Fuzzy Hash: 63513F71940209BACB15EBE0DD46EEEB779AF04340F100156F609B2252EB716E99EF71

Function 00D1778F Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00D17794

Part of subcall function 00CEDC38: timeGetTime.WINMM(?,753DB400,00D458AB), ref: 00CEDC3C

Sleep.KERNEL32(0000000A), ref: 00D177C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 00D177E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00D17806
SetActiveWindow.USER32 ref: 00D17825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00D17833
SendMessageW.USER32(00000010,00000000,00000000), ref: 00D17852
Sleep.KERNEL32(000000FA), ref: 00D1785D
IsWindow.USER32 ref: 00D17869
EndDialog.USER32(00000000), ref: 00D1787A

Strings

@U=u, xrefs: 00D17833, 00D17852
BUTTON, xrefs: 00D177F8

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: 53aa2a3cced56d7bb3fdc57c6ddcbfed7fcb7ec32251d6fd5bc334110766b884
Instruction ID: ec11964d14e43e5370f73408418dec0d51d4dd12937d3cb83c9bd264981e4181
Opcode Fuzzy Hash: 53aa2a3cced56d7bb3fdc57c6ddcbfed7fcb7ec32251d6fd5bc334110766b884
Instruction Fuzzy Hash: 3421E8B0248305BFE7115B60FC89AAA3B7AFB4574AF140025F906C23B2DF619D85DA35

Function 00D155BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D155D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00D15664
GetMenuItemCount.USER32(00D91708), ref: 00D156ED
DeleteMenu.USER32(00D91708,00000005,00000000,000000F5,?,?), ref: 00D1577D
DeleteMenu.USER32(00D91708,00000004,00000000), ref: 00D15785
DeleteMenu.USER32(00D91708,00000006,00000000), ref: 00D1578D
DeleteMenu.USER32(00D91708,00000003,00000000), ref: 00D15795
GetMenuItemCount.USER32(00D91708), ref: 00D1579D
SetMenuItemInfoW.USER32(00D91708,00000004,00000000,00000030), ref: 00D157D3
GetCursorPos.USER32(?), ref: 00D157DD
SetForegroundWindow.USER32(00000000), ref: 00D157E6
TrackPopupMenuEx.USER32(00D91708,00000000,?,00000000,00000000,00000000), ref: 00D157F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00D15805

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: ab1b8a1971385b84233a5d1cfddd1de648ca709da6a36080a93225a07e81a3be
Instruction ID: f082cf0b888aa820695cf2ff1a6f675b8c191eab6b70f1ef2c6b749b69b12298
Opcode Fuzzy Hash: ab1b8a1971385b84233a5d1cfddd1de648ca709da6a36080a93225a07e81a3be
Instruction Fuzzy Hash: D171BF70640605FEEB219B14FC89FEABF65FF81368F280205F519AA1D5CB759890DBB0

Function 00D0A14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D0A1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00D0A211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00D0A22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00D0A249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00D0A273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00D0A29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D0A2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D0A2AB

Strings

\IPC$, xrefs: 00D0A1F3
SOFTWARE\Classes\, xrefs: 00D0A17D
\CLSID, xrefs: 00D0A193

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: 715c1caeeb13c49ff01b58ab295123992c76e8b89b1df7512a8202d8d0d9cc42
Instruction ID: ebd5143977ed7f1663de9808423d53d873a2d92c5716d6ef332611869c4ad924
Opcode Fuzzy Hash: 715c1caeeb13c49ff01b58ab295123992c76e8b89b1df7512a8202d8d0d9cc42
Instruction Fuzzy Hash: A541E976C10229AFDF21EBA4DC85DEDB7B8FF14710F04416AE905A32A1DB709E05DB61

Function 00D3A1B6 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00D3A259
CreateCompatibleDC.GDI32(00000000), ref: 00D3A260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00D3A273
SelectObject.GDI32(00000000,00000000), ref: 00D3A27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 00D3A286
DeleteDC.GDI32(00000000), ref: 00D3A28F
GetWindowLongW.USER32(?,000000EC), ref: 00D3A299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00D3A2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00D3A2B9

Strings

static, xrefs: 00D3A1F1
@U=u, xrefs: 00D3A273

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: @U=u$static
API String ID: 2559357485-3553413495
Opcode ID: 82a9e6cda614c24792079a5bdda53eb6179029f7268ca0334d46cfb22bcc8a76
Instruction ID: ddea7be659a0ec22428672322112561daf0ce84f36bbce23b22a22f1034e8b40
Opcode Fuzzy Hash: 82a9e6cda614c24792079a5bdda53eb6179029f7268ca0334d46cfb22bcc8a76
Instruction Fuzzy Hash: 50319A31200319AFDB215FA8DC49FEB3B69FF09361F140215FA59A62A0C735D811DBB4

Function 00D125B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00D436F4,00000010,?,Bad directive syntax error,00D6DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00D125D6
LoadStringW.USER32(00000000,?,00D436F4,00000010), ref: 00D125DD
_wprintf.LIBCMT ref: 00D12610
__swprintf.LIBCMT ref: 00D12632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00D126A1

Strings

Error: , xrefs: 00D1266F
Line %d (File "%s"):, xrefs: 00D12647
., xrefs: 00D12687
%s (%d) : ==> %s.: %s %s, xrefs: 00D1260B
Line %d:, xrefs: 00D1262C

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: 3c9294c54573ea8a307be4c823152732ca68936450f4454e257290d69cfc098b
Instruction ID: 9651467648bef9c0aba7fafc0319a1d3d35cd32d5e34dd17a036359d604b68a2
Opcode Fuzzy Hash: 3c9294c54573ea8a307be4c823152732ca68936450f4454e257290d69cfc098b
Instruction Fuzzy Hash: E4213C7180021EBFCF11BF90DC4AEEE7B39FF18704F040456F615661A2EA71A669EB61

Function 00D17AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00D17B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00D17B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D17B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00D17B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00D17B8C

Strings

close PlayMe, xrefs: 00D17B53, 00D17B80
alias PlayMe, xrefs: 00D17B1B
play PlayMe, xrefs: 00D17B87
status PlayMe mode, xrefs: 00D17B3D
open , xrefs: 00D17AF1
play PlayMe wait, xrefs: 00D17B76

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: a6e1e752683f288e1cc4557dd64f39deeaae554ea1e9009e4ec1a1a453b73400
Instruction ID: 72c4c62876eaceacd863dbea28adc9ef45820fe23b2311dbe6e018daf545995e
Opcode Fuzzy Hash: a6e1e752683f288e1cc4557dd64f39deeaae554ea1e9009e4ec1a1a453b73400
Instruction Fuzzy Hash: 071194A1A502597DE720B7A1DC8ADFFBA7CEB91F10F00041A7515A21D1EF609A49C6B0

Function 00D202EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD936C: __swprintf.LIBCMT ref: 00CD93AB
Part of subcall function 00CD936C: __itow.LIBCMT ref: 00CD93DF

CoInitialize.OLE32(00000000), ref: 00D2034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00D203DE
SHGetDesktopFolder.SHELL32(?), ref: 00D203F2
CoCreateInstance.OLE32(00D5DA8C,00000000,00000001,00D83CF8,?), ref: 00D2043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00D204AD
CoTaskMemFree.OLE32(?,?), ref: 00D20505
_memset.LIBCMT ref: 00D20542
SHBrowseForFolderW.SHELL32(?), ref: 00D2057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00D205A1
CoTaskMemFree.OLE32(00000000), ref: 00D205A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00D205DF
CoUninitialize.OLE32(00000001,00000000), ref: 00D205E1

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 2ac41fb5dce7e3860c9394720b5f3789ebd0f63527a9ea901414e32a214e8915
Instruction ID: 838bcd5c88a5b5758b82bf9b208d9f3793689986070d65aba6dfd5fc069c8c4d
Opcode Fuzzy Hash: 2ac41fb5dce7e3860c9394720b5f3789ebd0f63527a9ea901414e32a214e8915
Instruction Fuzzy Hash: D2B1D775A00219AFDB14DFA4D888DAEBBB9FF48305B148499F906EB351DB70ED41CB60

Function 00D12E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D12ED6
SetKeyboardState.USER32(?), ref: 00D12F41
GetAsyncKeyState.USER32(000000A0), ref: 00D12F61
GetKeyState.USER32(000000A0), ref: 00D12F78
GetAsyncKeyState.USER32(000000A1), ref: 00D12FA7
GetKeyState.USER32(000000A1), ref: 00D12FB8
GetAsyncKeyState.USER32(00000011), ref: 00D12FE4
GetKeyState.USER32(00000011), ref: 00D12FF2
GetAsyncKeyState.USER32(00000012), ref: 00D1301B
GetKeyState.USER32(00000012), ref: 00D13029
GetAsyncKeyState.USER32(0000005B), ref: 00D13052
GetKeyState.USER32(0000005B), ref: 00D13060

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4134074838f48b771a34535d750efb472bc7041cbf00850105e506157dcbb387
Instruction ID: 9c0dc0ce8322bec46edbb9ee11c592da76d6abc5144616241516baf63f124d9f
Opcode Fuzzy Hash: 4134074838f48b771a34535d750efb472bc7041cbf00850105e506157dcbb387
Instruction Fuzzy Hash: AA51C360A0878839EB35EBA4A8117FABBF49F11340F0C459DD5C2561C2DE95ABDCC7B2

Function 00D0ED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00D0ED1E
GetWindowRect.USER32(00000000,?), ref: 00D0ED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00D0ED8E
GetDlgItem.USER32(?,00000002), ref: 00D0ED99
GetWindowRect.USER32(00000000,?), ref: 00D0EDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00D0EE01
GetDlgItem.USER32(?,000003E9), ref: 00D0EE0F
GetWindowRect.USER32(00000000,?), ref: 00D0EE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00D0EE63
GetDlgItem.USER32(?,000003EA), ref: 00D0EE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00D0EE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 00D0EE9B

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 9f3dfd821c851f8c4a5818bba82ae8b7b60f8085bffd1eb90fc114de1eb7eb62
Instruction ID: fbb0d1497d141ba65600d298cf4555be334342df11dd1570364ff6fe6113813f
Opcode Fuzzy Hash: 9f3dfd821c851f8c4a5818bba82ae8b7b60f8085bffd1eb90fc114de1eb7eb62
Instruction Fuzzy Hash: 0E5101B1B00309AFDB18CF69DD95BAEBBB6EB88701F148529F919D72D0D7709D418B20

Function 00CEB73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00CEB759,?,00000000,?,?,?,?,00CEB72B,00000000,?), ref: 00CEBA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00CEB72B), ref: 00CEB7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,00CEB72B,00000000,?,?,00CEB2EF,?,?), ref: 00CEB88D
DestroyAcceleratorTable.USER32(00000000), ref: 00D4D8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00CEB72B,00000000,?,?,00CEB2EF,?,?), ref: 00D4D8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00CEB72B,00000000,?,?,00CEB2EF,?,?), ref: 00D4D8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00CEB72B,00000000,?,?,00CEB2EF,?,?), ref: 00D4D90A
DeleteObject.GDI32(00000000), ref: 00D4D91C

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: cdef772cdc8e5c9803a2f4167d2f7e9e2dd7b886185907915eb88c7d5d3fd2cf
Instruction ID: a26489483d92daa360b2a96ff009af0d23b2e4cba6a3f39f3fe6e51aa6c83145
Opcode Fuzzy Hash: cdef772cdc8e5c9803a2f4167d2f7e9e2dd7b886185907915eb88c7d5d3fd2cf
Instruction Fuzzy Hash: 2B614635901742DFDB369F1AD988B36B7B6FB94312F18051AE48686BA4C730AC90DF70

Function 00CEB40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 00CEB526: GetWindowLongW.USER32(?,000000EB), ref: 00CEB537

GetSysColor.USER32(0000000F), ref: 00CEB438

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 82cf7d9fd1d1369ae76b28f725d1cc513df6ee0975cde3741344148d8ff3b1a9
Instruction ID: 8501c9486b01e93cad7e9b1989c9fe0005d5981d7419d7b508c112b4b8e37cf5
Opcode Fuzzy Hash: 82cf7d9fd1d1369ae76b28f725d1cc513df6ee0975cde3741344148d8ff3b1a9
Instruction Fuzzy Hash: 6941A231000784AFDB215F69DC89BBA3B66AB06731F184261FDA5CE2E6D7308D41DB31

Function 00D1690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00D16923
_wcscpy.LIBCMT ref: 00D16934
__wsplitpath.LIBCMT ref: 00D16958
__wsplitpath.LIBCMT ref: 00D16979
_wcscpy.LIBCMT ref: 00D1699B
_wcscpy.LIBCMT ref: 00D169B9
_wcscpy.LIBCMT ref: 00D169C7
_wcscat.LIBCMT ref: 00D169D6
_wcscat.LIBCMT ref: 00D16A2B
_wcscat.LIBCMT ref: 00D16A61
_wcscat.LIBCMT ref: 00D16A73

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: e3a75c3a7ad65cee62c7c25e8e8120c1ff0bde767981365692e5126138f3428d
Instruction ID: 4bc8c15787f2032b445d09919977e2bb1c3853324fbe24470d4146a93254a398
Opcode Fuzzy Hash: e3a75c3a7ad65cee62c7c25e8e8120c1ff0bde767981365692e5126138f3428d
Instruction Fuzzy Hash: 16411B7684511CAFCFA2EB90DC45DDA73BCEF44300F1041E6B659A2051EE31ABE99F61

Function 00D1D76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00D6DC00,00D6DC00,00D6DC00), ref: 00D1D7CE
GetDriveTypeW.KERNEL32(?,00D83A70,00000061), ref: 00D1D898
_wcscpy.LIBCMT ref: 00D1D8C2

Strings

ramdisk, xrefs: 00D1D842
network, xrefs: 00D1D82C
unknown, xrefs: 00D1D859
all, xrefs: 00D1D7D4
removable, xrefs: 00D1D800
fixed, xrefs: 00D1D816
cdrom, xrefs: 00D1D7EA

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 736b2af34bd21361411221d8316d4802b35a5ff97858fbf3ed69771339a7ef6d
Instruction ID: 2da7b667b126fe0e81f080d58b0e2570638a1d0abc18e393a544795e53f21ce2
Opcode Fuzzy Hash: 736b2af34bd21361411221d8316d4802b35a5ff97858fbf3ed69771339a7ef6d
Instruction Fuzzy Hash: B251C431104340AFC704EF14E8C1AAEB7A6EF88714F24882EF59A572A2DF31DD45DB62

Function 00D3B33A Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00D3B3F4

Strings

@U=u, xrefs: 00D3B42A

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: 345b6cb51df2cce0ead5aa9978e4676c8e8342005ec29a01b950929462b49cef
Instruction ID: 38bfe94dac9194942396a61addfcc1b679bb6a0ac09e774dfbc49da4ce3586f9
Opcode Fuzzy Hash: 345b6cb51df2cce0ead5aa9978e4676c8e8342005ec29a01b950929462b49cef
Instruction Fuzzy Hash: B2518C30601219BBEF309F29CC85BAD3B65AB05378F284017FB55E62E2C771E9849B71

Function 00CEA699 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00D4DB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D4DB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00D4DB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00D4DB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00D4DB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00CEA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00D4DBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00D4DBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00CEA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00D4DBC8

Strings

@U=u, xrefs: 00D4DB7A

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: @U=u
API String ID: 1268354404-2594219639
Opcode ID: 7117197fade1156259886b965dcf79dc03fd82134c64d8dd8e521e36722d7364
Instruction ID: 313d6b0f98818ae2275665914843a371b7349e74ffca9a478588e6940376f0ca
Opcode Fuzzy Hash: 7117197fade1156259886b965dcf79dc03fd82134c64d8dd8e521e36722d7364
Instruction Fuzzy Hash: 65516A74600349EFDB20DF6ACC81FAA77BAEB58750F140519F946D7290DBB0AD80DB60

Function 00CD936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00CD93AB
__itow.LIBCMT ref: 00CD93DF

Part of subcall function 00CF1557: _xtow@16.LIBCMT ref: 00CF1578

Strings

True, xrefs: 00D44C8C
0x%p, xrefs: 00D44CAD
False, xrefs: 00D44C93
%.15g, xrefs: 00CD93A5

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: 317da45730b005db74a488f9ed8218676d69def3184ae8d30412743e516e2da3
Instruction ID: a3d840349a98e74f92ec07c83725dd376f4535dbe7d66913b863ec7ae33e9fb6
Opcode Fuzzy Hash: 317da45730b005db74a488f9ed8218676d69def3184ae8d30412743e516e2da3
Instruction Fuzzy Hash: A141C275500205EBDB24EF75D982F7AB3E8EF48300F28446FE649D7291EA31D941DB61

Function 00D0B907 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00D0B98C
GetDlgCtrlID.USER32 ref: 00D0B997
GetParent.USER32 ref: 00D0B9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D0B9B6
GetDlgCtrlID.USER32(?), ref: 00D0B9BF
GetParent.USER32(?), ref: 00D0B9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 00D0B9DE

Strings

@U=u, xrefs: 00D0B9DE
ListBox, xrefs: 00D0B949
ComboBox, xrefs: 00D0B911

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: @U=u$ComboBox$ListBox
API String ID: 1383977212-2258501812
Opcode ID: 1757b9f01043be6dd98e3a555a755b2e5022bbb3a0af91bfadf71273a5b2c1fd
Instruction ID: 6f7ccb674e4338e09f07e0af8c541039d1c03bc0d4f254c9c25cac0d32f141af
Opcode Fuzzy Hash: 1757b9f01043be6dd98e3a555a755b2e5022bbb3a0af91bfadf71273a5b2c1fd
Instruction Fuzzy Hash: 8621A1B4900208BFDB04ABA4DC96EBEBB75EF49310B10011BFA65932E1DB749916DF30

Function 00D0B9F0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00D0BA73
GetDlgCtrlID.USER32 ref: 00D0BA7E
GetParent.USER32 ref: 00D0BA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D0BA9D
GetDlgCtrlID.USER32(?), ref: 00D0BAA6
GetParent.USER32(?), ref: 00D0BAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 00D0BAC5

Strings

@U=u, xrefs: 00D0BAC5
ListBox, xrefs: 00D0BA32
ComboBox, xrefs: 00D0B9FA

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: @U=u$ComboBox$ListBox
API String ID: 1383977212-2258501812
Opcode ID: 4951f044dbdb211b7892281821010b81de9681caf083db6c52b5901adbfdd2bb
Instruction ID: c567af3e866957453ab8c006a523a87ebc64cef5dea4531c062da28b3c770e40
Opcode Fuzzy Hash: 4951f044dbdb211b7892281821010b81de9681caf083db6c52b5901adbfdd2bb
Instruction Fuzzy Hash: 2E21A1B4A00208BFDB04ABA4CC85FBEB776EF45310F140016F955A32D1DBB5991ADB30

Function 00D16F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D16F1D
gethostname.WSOCK32(?,00000100), ref: 00D16F37
gethostbyname.WSOCK32(?), ref: 00D16F44
_wcscpy.LIBCMT ref: 00D16F6C
inet_ntoa.WSOCK32(?), ref: 00D16F8A
_strcat.LIBCMT ref: 00D16F98
_wcscpy.LIBCMT ref: 00D16FAF
WSACleanup.WSOCK32 ref: 00D16FBD
_wcscpy.LIBCMT ref: 00D16FCB

Strings

0.0.0.0, xrefs: 00D16F66

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: 1a5d09cb1db7c3b05252ca63eb37473184e367d1cd984764e404ec2c7f5d8755
Instruction ID: fbd1d6c78d9bad98b3ce734d9c8ddf4e07c9cd3aed56e9cd45fe2ea5f38472c5
Opcode Fuzzy Hash: 1a5d09cb1db7c3b05252ca63eb37473184e367d1cd984764e404ec2c7f5d8755
Instruction Fuzzy Hash: 2D11D272904219BFCB24AB60BC0AEEA77A8EF44711F1400A5F545E6191EE70DAC69AB1

Function 00D0BAD7 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00D0BAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 00D0BAF8
_wcscmp.LIBCMT ref: 00D0BB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00D0BB85

Strings

@U=u, xrefs: 00D0BB85
list, xrefs: 00D0BB67
SHELLDLL_DefView, xrefs: 00D0BB04
smallicons, xrefs: 00D0BB4D
largeicons, xrefs: 00D0BB19
details, xrefs: 00D0BB33

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-1428604138
Opcode ID: 93f9a72ad259e7fcac00a89af4a71d16fe89b6612ea2f8e7317ee71b83a358e9
Instruction ID: 867cda48db41a1e4e5fbc9d73d80ff0842c4ee621ebdd05621943eb9ead3d1fc
Opcode Fuzzy Hash: 93f9a72ad259e7fcac00a89af4a71d16fe89b6612ea2f8e7317ee71b83a358e9
Instruction Fuzzy Hash: 5111A77664C30AFEFA287A24DC07EB6379DDF11734B200027FA1CE50D6EBA198515635

Function 00CF500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CF5047

Part of subcall function 00CF7C0E: __getptd_noexit.LIBCMT ref: 00CF7C0E

__gmtime64_s.LIBCMT ref: 00CF50E0
__gmtime64_s.LIBCMT ref: 00CF5116
__gmtime64_s.LIBCMT ref: 00CF5133
__allrem.LIBCMT ref: 00CF5189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CF51A5
__allrem.LIBCMT ref: 00CF51BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CF51DA
__allrem.LIBCMT ref: 00CF51F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CF520F
__invoke_watson.LIBCMT ref: 00CF5280

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: 42c9c34f828a5a6a93f50cf8ffdd516dc91c693626aa2de1266faa04940a7cf8
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: B271C971A01F1AABE7549E68CC4177A73A8EF10764F144229F724D62C1EB70DA408BE1

Function 00D14DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D14DF8
GetMenuItemInfoW.USER32(00D91708,000000FF,00000000,00000030), ref: 00D14E59
SetMenuItemInfoW.USER32(00D91708,00000004,00000000,00000030), ref: 00D14E8F
Sleep.KERNEL32(000001F4), ref: 00D14EA1
GetMenuItemCount.USER32(?), ref: 00D14EE5
GetMenuItemID.USER32(?,00000000), ref: 00D14F01
GetMenuItemID.USER32(?,-00000001), ref: 00D14F2B
GetMenuItemID.USER32(?,?), ref: 00D14F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D14FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D14FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D14FEB

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: ec2da573302959acb8c4a2d2b2e19af6e3336ff83f56cc44101989c8e570cec2
Instruction ID: 7b68699b93f799c6b63fad3c18a7463e7f298c2a9529faf8cc21ad7d4a234a99
Opcode Fuzzy Hash: ec2da573302959acb8c4a2d2b2e19af6e3336ff83f56cc44101989c8e570cec2
Instruction Fuzzy Hash: 5B616A71900349AFDB21CFA4E884AEE7BA9EF41705F180159F842E7351DB31AD86CB31

Function 00D094E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00D094FE
SafeArrayAllocData.OLEAUT32(?), ref: 00D09549
VariantInit.OLEAUT32(?), ref: 00D0955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 00D0957B
VariantCopy.OLEAUT32(?,?), ref: 00D095BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 00D095D2
VariantClear.OLEAUT32(?), ref: 00D095E7
SafeArrayDestroyData.OLEAUT32(?), ref: 00D095F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D095FD
VariantClear.OLEAUT32(?), ref: 00D0960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D0961A

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a066ce3e4f33b45dafc6be6bceb72924b1600b32aa75762d95cdc4f44d1c940c
Instruction ID: a580e049c881b3d34e0cacd4c7c983382438d8f86b0023173146b0d96719eb19
Opcode Fuzzy Hash: a066ce3e4f33b45dafc6be6bceb72924b1600b32aa75762d95cdc4f44d1c940c
Instruction Fuzzy Hash: 47413B31900319AFCB11EFA5DC98ADEBB79EF08355F008065E916E3261DB31EA45CBB1

Function 00D2ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD936C: __swprintf.LIBCMT ref: 00CD93AB
Part of subcall function 00CD936C: __itow.LIBCMT ref: 00CD93DF

CoInitialize.OLE32 ref: 00D2ADF6
CoUninitialize.OLE32 ref: 00D2AE01
CoCreateInstance.OLE32(?,00000000,00000017,00D5D8FC,?), ref: 00D2AE61
IIDFromString.OLE32(?,?), ref: 00D2AED4
VariantInit.OLEAUT32(?), ref: 00D2AF6E
VariantClear.OLEAUT32(?), ref: 00D2AFCF

Strings

NULL Pointer assignment, xrefs: 00D2AEA6
Invalid parameter, xrefs: 00D2AEED
Failed to create object, xrefs: 00D2AE6C, 00D2AF22

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: a9a41d83f48c8997a8f2429c90b8b348ca8f246cd55af431754c8e06af5f4edc
Instruction ID: 115122948ecaa8ba0ff6e70688ea00de84f66c2cae08b9ae1b3f8f775956fb74
Opcode Fuzzy Hash: a9a41d83f48c8997a8f2429c90b8b348ca8f246cd55af431754c8e06af5f4edc
Instruction Fuzzy Hash: 00619E70208321AFD710EF58E944B6ABBE8EF58718F14440AF9859B291C774ED49CBB3

Function 00CECB8D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00CECC15

Part of subcall function 00CECCCD: GetClientRect.USER32(?,?), ref: 00CECCF6
Part of subcall function 00CECCCD: GetWindowRect.USER32(?,?), ref: 00CECD37
Part of subcall function 00CECCCD: ScreenToClient.USER32(?,?), ref: 00CECD5F

GetDC.USER32 ref: 00D4D137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00D4D14A
SelectObject.GDI32(00000000,00000000), ref: 00D4D158
SelectObject.GDI32(00000000,00000000), ref: 00D4D16D
ReleaseDC.USER32(?,00000000), ref: 00D4D175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00D4D200

Strings

@U=u, xrefs: 00D4D14A
U, xrefs: 00D4D0D5

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: 074aed29916ecf58cb732b87b0541f628ad8dcc4512ca56307ca26cef0a49bcf
Instruction ID: 6ad03b557897213c8d8d0348e223249a3ebd6a1bbe6768e1df0161a5b7c40019
Opcode Fuzzy Hash: 074aed29916ecf58cb732b87b0541f628ad8dcc4512ca56307ca26cef0a49bcf
Instruction Fuzzy Hash: 8871C031500349DFCF219F64CC85AAA7BB6FF49314F28426AED659B2A6C7318842DF70

Function 00D28107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D28168
inet_addr.WSOCK32(?,?,?), ref: 00D281AD
gethostbyname.WSOCK32(?), ref: 00D281B9
IcmpCreateFile.IPHLPAPI ref: 00D281C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00D28237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00D2824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00D282C2
WSACleanup.WSOCK32 ref: 00D282C8

Strings

Ping, xrefs: 00D281EB

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 870ab68bb911fa30caad699705351a19b2b97ae7c8a6c5df290675cb128259bf
Instruction ID: a8c80f5b69f7f9a081529caf7e138fcebac5d8203cfe632b1cd9ea1f696c5f93
Opcode Fuzzy Hash: 870ab68bb911fa30caad699705351a19b2b97ae7c8a6c5df290675cb128259bf
Instruction Fuzzy Hash: D651B131605710AFD7209F24DC45B2AB7E5EF58314F148829FA9ADB3E1DB70E801EB65

Function 00D3ECD4 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CEB35F

Part of subcall function 00CEB63C: GetCursorPos.USER32(000000FF), ref: 00CEB64F
Part of subcall function 00CEB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00CEB66C
Part of subcall function 00CEB63C: GetAsyncKeyState.USER32(00000001), ref: 00CEB691
Part of subcall function 00CEB63C: GetAsyncKeyState.USER32(00000002), ref: 00CEB69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 00D3ED3C
ImageList_EndDrag.COMCTL32 ref: 00D3ED42
ReleaseCapture.USER32 ref: 00D3ED48
SetWindowTextW.USER32(?,00000000), ref: 00D3EDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00D3EE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00D3EEDC

Strings

@U=u, xrefs: 00D3EE03
@GUI_DROPID, xrefs: 00D3EE33
@GUI_DRAGFILE, xrefs: 00D3EE77

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u
API String ID: 1924731296-2104563098
Opcode ID: 8c22adb93d7ebf5220f32b9b33da5e1ad7bd1865aa14ce6b1a3f3dba6903ae16
Instruction ID: d519b15686497d3590db0d54b83868891a2f380e16d13c9241d9aa3df2750a19
Opcode Fuzzy Hash: 8c22adb93d7ebf5220f32b9b33da5e1ad7bd1865aa14ce6b1a3f3dba6903ae16
Instruction Fuzzy Hash: 2751BB74604305AFD710EF24DC86F6A77E9FB88314F044A2EF995972E2DB709908DB62

Function 00D1E389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D1E396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00D1E40C
GetLastError.KERNEL32 ref: 00D1E416
SetErrorMode.KERNEL32(00000000,READY), ref: 00D1E483

Strings

READY, xrefs: 00D1E45C
UNKNOWN, xrefs: 00D1E43B
NOTREADY, xrefs: 00D1E442
READONLY, xrefs: 00D1E44E
INVALID, xrefs: 00D1E455

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 19faf550fd01515b29e1da6b012d68d9316afcb34be01c785835c1d701a48cff
Instruction ID: b9065f022028c7405b9dd0208e03a647402a9a757d6c33af401bc7418cae1562
Opcode Fuzzy Hash: 19faf550fd01515b29e1da6b012d68d9316afcb34be01c785835c1d701a48cff
Instruction Fuzzy Hash: B6316335A00206AFD711EFA4E885AFD77B5EF48700F148016E905E7291DA70D982C7B1

Function 00D38ECC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D38EE4
GetDC.USER32(00000000), ref: 00D38EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D38EF7
ReleaseDC.USER32(00000000,00000000), ref: 00D38F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00D38F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D38F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00D3BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00D38F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00D38FAA

Strings

@U=u, xrefs: 00D38F50, 00D38FAA

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: a22a69f1785c1b47ddc7decedb4707a6b5b86588238133377b0e69ac730e83d7
Instruction ID: 035e79a1c2d35200defa6eae7c28391dd474ecd8b1ced39a5f2c0031b71d9b77
Opcode Fuzzy Hash: a22a69f1785c1b47ddc7decedb4707a6b5b86588238133377b0e69ac730e83d7
Instruction Fuzzy Hash: AF316D72100314BFEB218F54CC49FEA3BAAEF49716F084065FE08DA291DAB59842CB70

Function 00D2B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D2B2D5
CoInitialize.OLE32(00000000), ref: 00D2B302
CoUninitialize.OLE32 ref: 00D2B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 00D2B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 00D2B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 00D2B56D
CoGetObject.OLE32(?,00000000,00D5D91C,?), ref: 00D2B590
SetErrorMode.KERNEL32(00000000), ref: 00D2B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00D2B623
VariantClear.OLEAUT32(00D5D91C), ref: 00D2B633

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: f509b69830bc5a9a9293a67ba6316a17cfc86d0e52f7f93629f382c6dde1b458
Instruction ID: bbd7dff291f7618be192da7be5ba22ad386a5dfeac8cd5a800c578cc5751c287
Opcode Fuzzy Hash: f509b69830bc5a9a9293a67ba6316a17cfc86d0e52f7f93629f382c6dde1b458
Instruction Fuzzy Hash: 60C11371608315AFC700EF64D88492AB7E9FF98318F04491EF98ADB251DBB1ED05CB62

Function 00CFACB3 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00CFACC1

Part of subcall function 00CF7CF4: __mtinitlocknum.LIBCMT ref: 00CF7D06
Part of subcall function 00CF7CF4: EnterCriticalSection.KERNEL32(00000000,?,00CF7ADD,0000000D), ref: 00CF7D1F

__calloc_crt.LIBCMT ref: 00CFACD2

Part of subcall function 00CF6986: __calloc_impl.LIBCMT ref: 00CF6995
Part of subcall function 00CF6986: Sleep.KERNEL32(00000000,000003BC,00CEF507,?,0000000E), ref: 00CF69AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 00CFACED
GetStartupInfoW.KERNEL32(?,00D86E28,00000064,00CF5E91,00D86C70,00000014), ref: 00CFAD46
__calloc_crt.LIBCMT ref: 00CFAD91
GetFileType.KERNEL32(00000001), ref: 00CFADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00CFAE11

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 3bda5eaffb8b9d93accc84244a1c201be5033f8961bdeac3df194f317c9c04f0
Instruction ID: ece2228e08030646202fc4a544af1bd57d5aaa60d0d863734a65246f04ad8ba5
Opcode Fuzzy Hash: 3bda5eaffb8b9d93accc84244a1c201be5033f8961bdeac3df194f317c9c04f0
Instruction Fuzzy Hash: 2E81D1B09053598FDB64CF68C8805B9FBF0AF09324B24425ED5AAEB3D1C7349902CB67

Function 00D167E9 Relevance: 15.1, APIs: 10, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00D167FD
__swprintf.LIBCMT ref: 00D1680A

Part of subcall function 00CF172B: __woutput_l.LIBCMT ref: 00CF1784

FindResourceW.KERNEL32(?,?,0000000E), ref: 00D16834
LoadResource.KERNEL32(?,00000000), ref: 00D16840
LockResource.KERNEL32(00000000), ref: 00D1684D
FindResourceW.KERNEL32(?,?,00000003), ref: 00D1686D
LoadResource.KERNEL32(?,00000000), ref: 00D1687F
SizeofResource.KERNEL32(?,00000000), ref: 00D1688E
LockResource.KERNEL32(?), ref: 00D1689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00D168F9

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 194ad9f0cee7ce0dd32f2cceb0e6f17a7b5a477f9bac76190474de9736e83254
Instruction ID: 1adcd76edf05157ad5e953f94fcfdf859a3b4a5c7fa566598f39b1ed5b9b059d
Opcode Fuzzy Hash: 194ad9f0cee7ce0dd32f2cceb0e6f17a7b5a477f9bac76190474de9736e83254
Instruction Fuzzy Hash: E1316E75A0031ABBDB119FA0ED45AFA7BA9EF08341F144426FD06D2290EB34D991DBB4

Function 00D14025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D14047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00D130A5,?,00000001), ref: 00D1405B
GetWindowThreadProcessId.USER32(00000000), ref: 00D14062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D130A5,?,00000001), ref: 00D14071
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D14083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00D130A5,?,00000001), ref: 00D1409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D130A5,?,00000001), ref: 00D140AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00D130A5,?,00000001), ref: 00D140F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00D130A5,?,00000001), ref: 00D14108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00D130A5,?,00000001), ref: 00D14113

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 412449791c10daa011e8eece4fcaa633e370c1d4d74bc72dc8b5fdc7199305c5
Instruction ID: 9a897a902c85bc95d88d83e795499078c2fd464b9129b403be70eb078f1ae9b1
Opcode Fuzzy Hash: 412449791c10daa011e8eece4fcaa633e370c1d4d74bc72dc8b5fdc7199305c5
Instruction Fuzzy Hash: AA318FB5600704BFDB20DB65EC85BA977AAAB54752F188106FD05E6390CFB4DDC08B70

Function 00D40133 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CEB35F

GetSystemMetrics.USER32(0000000F), ref: 00D4016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 00D4038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00D403AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 00D403D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00D403FF
ShowWindow.USER32(00000003,00000000), ref: 00D40421
DefDlgProcW.USER32(?,00000005,?,?), ref: 00D40440

Strings

@U=u, xrefs: 00D403AB, 00D403FF

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID: @U=u
API String ID: 3356174886-2594219639
Opcode ID: 029e3a679edbd75efbd0111d5d9ddcf32212142f547257e0591b27cf02431ff9
Instruction ID: 65d36b0bb6efc5febfab73d7c31ee16cce5ba87a59165e810692b7a50045697f
Opcode Fuzzy Hash: 029e3a679edbd75efbd0111d5d9ddcf32212142f547257e0591b27cf02431ff9
Instruction Fuzzy Hash: E6A1AE35600616EFDB18CF68C9897BDBFB1BF48741F088119EE58AB290D774AD50CBA0

Function 00D0CB82 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00D0CF50), ref: 00D0CE90

Strings

INSTANCE, xrefs: 00D0CD9E
TEXT, xrefs: 00D0CDC7
CLASS, xrefs: 00D0CC10
NAME, xrefs: 00D0CCC2
REGEXPCLASS, xrefs: 00D0CC56
CLASSNN, xrefs: 00D0CC33

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 99af91ca22b3334eec99bf999d5dd3ecec602528d49e542ba47b2dc73ddea7a6
Instruction ID: c0a8ea5688f8516eff143ad89808c970290e71d760f2e4a177cafbaf02df6dfc
Opcode Fuzzy Hash: 99af91ca22b3334eec99bf999d5dd3ecec602528d49e542ba47b2dc73ddea7a6
Instruction Fuzzy Hash: C5915130610646ABCB18EF60C481BEEFB75FF04340F549619E95DA7291DF30A99ADBB0

Function 00CD3093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00CD30DC
CoUninitialize.OLE32(?,00000000), ref: 00CD3181
UnregisterHotKey.USER32(?), ref: 00CD32A9
DestroyWindow.USER32(?), ref: 00D45079
FreeLibrary.KERNEL32(?), ref: 00D450F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D45125

Strings

close all, xrefs: 00CD30D7

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 8ec12beb28b8caa76e0f917fe3da5ae8dcaf7ee76698aa5647d2babd75245576
Instruction ID: 4311c81c12df65ec394e0c7ca4a71db36f9e4806c5e9ab663a483faf2fee9ea9
Opcode Fuzzy Hash: 8ec12beb28b8caa76e0f917fe3da5ae8dcaf7ee76698aa5647d2babd75245576
Instruction Fuzzy Hash: 839149346002829FC719EF14D895B68F3B4FF14304F5482AAE60AA7362DF30AE56DF65

Function 00D39A75 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00D39B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 00D39B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00D39B47
_wcscat.LIBCMT ref: 00D39BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00D39BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00D39BE7

Strings

@U=u, xrefs: 00D39B19, 00D39B2D
SysListView32, xrefs: 00D39AEB

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: @U=u$SysListView32
API String ID: 307300125-1908207174
Opcode ID: ea726acec67e4c2cc50e4aac7e8b6670cd1425121a45b47c7139d6c11a8915f4
Instruction ID: d0c3cfb6b45e92430f299a7f4ca21e0c9aed8134c5fde7b0cd4b55576488ede6
Opcode Fuzzy Hash: ea726acec67e4c2cc50e4aac7e8b6670cd1425121a45b47c7139d6c11a8915f4
Instruction Fuzzy Hash: 4E41A071900308AFDB219FA4DC85BEEB7B9EF08350F14052AF585E7291C6B19D85CB70

Function 00D245C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D245FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00D2462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00D2466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00D24682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D2468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00D246BF
InternetCloseHandle.WININET(00000000), ref: 00D24706

Part of subcall function 00D25052: GetLastError.KERNEL32(?,?,00D243CC,00000000,00000000,00000001), ref: 00D25067

Strings

, xrefs: 00D246B8

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: fc670a3eca55d608768c8e1d1783c74092f4a6c09690dd54a63b73f15315af47
Instruction ID: 5b5a0bdee2866cb51ac5fba229586ecc55427b36d369e7351e8f7ea50839f454
Opcode Fuzzy Hash: fc670a3eca55d608768c8e1d1783c74092f4a6c09690dd54a63b73f15315af47
Instruction Fuzzy Hash: 0E415BB1501229BFEB119F50EC85FEA7BADFF19309F144016FE169A141DBB099448BB4

Function 00D38FC8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D38FE7
GetWindowLongW.USER32(00F6D200,000000F0), ref: 00D3901A
GetWindowLongW.USER32(00F6D200,000000F0), ref: 00D3904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00D39081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00D390AB
GetWindowLongW.USER32(00000000,000000F0), ref: 00D390BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00D390D6

Strings

@U=u, xrefs: 00D38FE7, 00D39081, 00D390AB

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: 9592794c04d6e5b5bd6695aef60f29237f18ce248b34258e4ea4f33e3e61a2f9
Instruction ID: 445160ff569ba10d34f9512b1d6ab6d58172c336e0d806e207f1a053967ab331
Opcode Fuzzy Hash: 9592794c04d6e5b5bd6695aef60f29237f18ce248b34258e4ea4f33e3e61a2f9
Instruction Fuzzy Hash: 65316435600215EFDB248F58DC95F64B3B6FB4A315F180165F928CB2B1CBB1A840DB60

Function 00D2B644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00D6DC00), ref: 00D2B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00D6DC00), ref: 00D2B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00D2B8C1
SysFreeString.OLEAUT32(?), ref: 00D2B8EB

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 19f6b81e02dfcf498442f090befd11f5bf7431fa7aedf8b78da02e3f0a2d883b
Instruction ID: e2245bef5529d242d979f8e8b8f03b0f94f89eaa8a5de062b2434ae66752b0b3
Opcode Fuzzy Hash: 19f6b81e02dfcf498442f090befd11f5bf7431fa7aedf8b78da02e3f0a2d883b
Instruction Fuzzy Hash: 04F14D71A00219EFCF04DF94D884EAEB7BAFF58325F148459F915AB250DB71AE41CB60

Function 00D324D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D324F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D32688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D326AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D326EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D3270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D3286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00D328A1
CloseHandle.KERNEL32(?), ref: 00D328D0
CloseHandle.KERNEL32(?), ref: 00D32947

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: dc174598b7d7460dde53ea466b900de70b0927a9a6e81f5f53c24f6f2f45a53f
Instruction ID: 105086a95b33a7d7492e28ed78c721142553c7db8aa24dfb4f53be342fd6f812
Opcode Fuzzy Hash: dc174598b7d7460dde53ea466b900de70b0927a9a6e81f5f53c24f6f2f45a53f
Instruction Fuzzy Hash: C5D19C35A04340DFCB15EF25C891B6ABBE5AF84310F18845DF9899B3A2DB31ED41DB62

Function 00D17555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D16EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D15FA6,?), ref: 00D16ED8

Part of subcall function 00D16EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D15FA6,?), ref: 00D16EF1

Part of subcall function 00D172CB: GetFileAttributesW.KERNEL32(?,00D16019), ref: 00D172CC

lstrcmpiW.KERNEL32(?,?), ref: 00D175CA
_wcscmp.LIBCMT ref: 00D175E2
MoveFileW.KERNEL32(?,?), ref: 00D175FB

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: ab3d5aab6e6763094b11e3150aec1a59dee63f45aecd0913023c2a7375bbccd8
Instruction ID: 04e9c5a1a82dc4c91242c6c21187374c46809670c95820ca6ffe7d68aa7af661
Opcode Fuzzy Hash: ab3d5aab6e6763094b11e3150aec1a59dee63f45aecd0913023c2a7375bbccd8
Instruction Fuzzy Hash: 3B5132B2A0921DAADFA0EB94E8419DE73BC9F08310F10409AFA05E3151EA74D7C5CB75

Function 00CEEA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00D4DAD1,00000004,00000000,00000000), ref: 00CEEAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00D4DAD1,00000004,00000000,00000000), ref: 00CEEB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00D4DAD1,00000004,00000000,00000000), ref: 00D4DC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00D4DAD1,00000004,00000000,00000000), ref: 00D4DCF2

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: b3ef43cb80632070812ad5b1aa838bd4cb3c5da11e32ee2e3fc7bff5b51ce69f
Instruction ID: 5ea33dfc7e9e6a84632042c7bb9de194c4b127e09daac1c029c08bce81ba2f2d
Opcode Fuzzy Hash: b3ef43cb80632070812ad5b1aa838bd4cb3c5da11e32ee2e3fc7bff5b51ce69f
Instruction Fuzzy Hash: 6941F4716087C0DBDB394B2B8DCDB2B7A97AB49381F19081DE097C26A1D670B880D739

Function 00D0B263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00D0AEF1,00000B00,?,?), ref: 00D0B26C
HeapAlloc.KERNEL32(00000000,?,00D0AEF1,00000B00,?,?), ref: 00D0B273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D0AEF1,00000B00,?,?), ref: 00D0B288
GetCurrentProcess.KERNEL32(?,00000000,?,00D0AEF1,00000B00,?,?), ref: 00D0B290
DuplicateHandle.KERNEL32(00000000,?,00D0AEF1,00000B00,?,?), ref: 00D0B293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00D0AEF1,00000B00,?,?), ref: 00D0B2A3
GetCurrentProcess.KERNEL32(00D0AEF1,00000000,?,00D0AEF1,00000B00,?,?), ref: 00D0B2AB
DuplicateHandle.KERNEL32(00000000,?,00D0AEF1,00000B00,?,?), ref: 00D0B2AE
CreateThread.KERNEL32(00000000,00000000,00D0B2D4,00000000,00000000,00000000), ref: 00D0B2C8

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a2d6a62957791357ded0df70f16d348e3f03abec9a391cc56b78213b2fe31a07
Instruction ID: eb35b658112464ea5954512b1145c908b8d1a5425b793649348df89b35d41c5f
Opcode Fuzzy Hash: a2d6a62957791357ded0df70f16d348e3f03abec9a391cc56b78213b2fe31a07
Instruction Fuzzy Hash: 6301B6B5640308BFE720ABA5DC4DF6B7BADEB88752F018411FA05DB2A1CA749800CB71

Function 00D2C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00D2C876, 00D2C887
Not an Object type, xrefs: 00D2C49E

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 6b59efe235b8fe532d93c0598397ac4a97cf3e7e77b0f6c5bf13bc7c29c3e0c3
Instruction ID: 40ee843d3f6e73ae2068d987058c3a3347f9f7ef68ebef1d37d0e474497f85c6
Opcode Fuzzy Hash: 6b59efe235b8fe532d93c0598397ac4a97cf3e7e77b0f6c5bf13bc7c29c3e0c3
Instruction Fuzzy Hash: 98E1C371A10229AFDF10DFA4E880BAEB7B5EF58358F149029F945A7281D770ED45CBB0

Function 00D2BB08 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D2BB5C
VariantInit.OLEAUT32(?), ref: 00D2BC2D
VariantInit.OLEAUT32(?), ref: 00D2BD2E
VariantClear.OLEAUT32(?), ref: 00D2BD38
VariantClear.OLEAUT32(?), ref: 00D2BD99

Strings

Null Object assignment in FOR..IN loop, xrefs: 00D2BBBD, 00D2BCEB, 00D2BDA7
Incorrect Object type in FOR..IN loop, xrefs: 00D2BD11

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 4a1982723de554022d224076862ddbf92212db715dc71407f3d3024ddcce8cb5
Instruction ID: d2fdf2eb8f5777e3c250f039882799051bf5dbbd50aa8ee0b6a7b9506c0f7426
Opcode Fuzzy Hash: 4a1982723de554022d224076862ddbf92212db715dc71407f3d3024ddcce8cb5
Instruction Fuzzy Hash: AC919171A00225ABDF20DFA5E844FEEB7B8EF54724F14815AF915AB281D7B09944CFB0

Function 00D3172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00D16532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00D16554
Part of subcall function 00D16532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00D16564
Part of subcall function 00D16532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00D165F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D3179A
GetLastError.KERNEL32 ref: 00D317AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D317D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 00D31855
GetLastError.KERNEL32(00000000), ref: 00D31860
CloseHandle.KERNEL32(00000000), ref: 00D31895

Strings

SeDebugPrivilege, xrefs: 00D317B8

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 62336b4922992c9b0b629832a88051aeb41b0a80f63b4b3fcc0f24e3ed4b887b
Instruction ID: 7f9c6745ede2db6a03ec1e7e8c7b030575f3754dfeaaf8aea48b6555d7cd683d
Opcode Fuzzy Hash: 62336b4922992c9b0b629832a88051aeb41b0a80f63b4b3fcc0f24e3ed4b887b
Instruction Fuzzy Hash: 8041DE76600201AFEB15EF54C895FAEB7A6AF04300F088059F9069F3D2DBB4A941CBB5

Function 00D3E397 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00D91628,00000000,00D91628,00000000,00000000,00D91628,?,00D4DC5D,00000000,?,00000000,00000000,00000000,?,00D4DAD1,00000004), ref: 00D3E40B
EnableWindow.USER32(00000000,00000000), ref: 00D3E42F
ShowWindow.USER32(00D91628,00000000), ref: 00D3E48F
ShowWindow.USER32(00000000,00000004), ref: 00D3E4A1
EnableWindow.USER32(00000000,00000001), ref: 00D3E4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00D3E4E8

Strings

@U=u, xrefs: 00D3E4E8

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: 50c13b2dec5f8db2d52f0380fa3363433e8ddef1eaa184ee41485f81bc50b436
Instruction ID: e90516167ca0368c23590ab1581523c9e7d360d1c4b63534c137a0465da606df
Opcode Fuzzy Hash: 50c13b2dec5f8db2d52f0380fa3363433e8ddef1eaa184ee41485f81bc50b436
Instruction Fuzzy Hash: A5414830601244EFDB22CF28C599B947BE1BB09305F1C81A9EA598F2E2C731E852DB71

Function 00D15819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00D158B8

Strings

question, xrefs: 00D15871
blank, xrefs: 00D1583A
warning, xrefs: 00D158A1
info, xrefs: 00D15859
stop, xrefs: 00D15889

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: cd118cc034d7e5e15c156e6a679fc1a48138d026dc5d20d74a2956f93deffc1e
Instruction ID: ea75d86e7dadd91355fe09741dbe53168701e9e1682b20c7ae97f8f6d3129011
Opcode Fuzzy Hash: cd118cc034d7e5e15c156e6a679fc1a48138d026dc5d20d74a2956f93deffc1e
Instruction Fuzzy Hash: D711EB3120D746FEE7156F98BC83DEA379C9F55B10B34003AF645E5282EB68AA805275

Function 00D1A729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00D1A806

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 62a6f4a126c34844f2659b2d0a4fc08724f6340b4c331595a61587d80a4e67d6
Instruction ID: 35bb837161a1d88f64bc3c2115db3577368a7120854cb86842c22665b1434006
Opcode Fuzzy Hash: 62a6f4a126c34844f2659b2d0a4fc08724f6340b4c331595a61587d80a4e67d6
Instruction Fuzzy Hash: 56C1707590521AEFDB10CF98E491BEEB7F4FF08315F24406AE645E7241DB34AA81CBA1

Function 00D16B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00D16B63
LoadStringW.USER32(00000000), ref: 00D16B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00D16B80
LoadStringW.USER32(00000000), ref: 00D16B87
_wprintf.LIBCMT ref: 00D16BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00D16BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00D16BA8

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: c9840f34c9babc6b4a82e1c31c0633b19d141e8dfc1b7c7eda57dcf5b93fcb0c
Instruction ID: 9eabe09861338d2000e68e8afba9b5ad9d16f61aa67d0c555f92f85252d50ccf
Opcode Fuzzy Hash: c9840f34c9babc6b4a82e1c31c0633b19d141e8dfc1b7c7eda57dcf5b93fcb0c
Instruction Fuzzy Hash: 870131F6900308BFEB21ABA4AD89EF7776CD708305F0044A1BB46E2141EA74DE848F71

Function 00D32B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D33C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D32BB5,?,?), ref: 00D33C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D32BF6

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: 16c9e50f58641b1048a1c07fac1de9f1a1e27ca701917a3be10b4bdcc91d76d0
Instruction ID: 10e151dd2356766b757d7a6d096d30b08becca2417e55e62e53c279d20b447df
Opcode Fuzzy Hash: 16c9e50f58641b1048a1c07fac1de9f1a1e27ca701917a3be10b4bdcc91d76d0
Instruction Fuzzy Hash: E6916A71604301AFCB10EF14D891B6EB7E5FF88310F18885DF996972A2DB34E945DBA2

Function 00D295BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 00D29691
WSAGetLastError.WSOCK32(00000000), ref: 00D2969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 00D296C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00D296E9
WSAGetLastError.WSOCK32(00000000), ref: 00D296F8
htons.WSOCK32(?,?,?,00000000,?), ref: 00D297AA
inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,00D6DC00), ref: 00D29765

Part of subcall function 00D0D2FF: _strlen.LIBCMT ref: 00D0D309

_strlen.LIBCMT ref: 00D29800

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: 5179180f6a2097b98ef26d7cf82d01be929cf987650cc9a11d8a48326bf7ac55
Instruction ID: cf99282d80fff3b9d2b7b091cc8ec01802cec21f09630a6aeb095ec02193e0a3
Opcode Fuzzy Hash: 5179180f6a2097b98ef26d7cf82d01be929cf987650cc9a11d8a48326bf7ac55
Instruction Fuzzy Hash: 3881FE31504200ABC710EF64DC95E6BB7E9EF99714F144A1EFA569B2A1EB30DD04CBA2

Function 00CFA979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 00CFA991

Part of subcall function 00CF7D7C: __FF_MSGBANNER.LIBCMT ref: 00CF7D91
Part of subcall function 00CF7D7C: __NMSG_WRITE.LIBCMT ref: 00CF7D98
Part of subcall function 00CF7D7C: __malloc_crt.LIBCMT ref: 00CF7DB8

__lock.LIBCMT ref: 00CFA9A4
__lock.LIBCMT ref: 00CFA9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00D86DE0,00000018,00D05E7B,?,00000000,00000109), ref: 00CFAA0C
EnterCriticalSection.KERNEL32(8000000C,00D86DE0,00000018,00D05E7B,?,00000000,00000109), ref: 00CFAA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 00CFAA39

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 6d3ce50495760b775bf21700f7e5921b7e4b0e527bad5e76ca8e8c7fc4a09005
Instruction ID: 3eb41cb659cb1a9f6777a1b35de521cecd9d91f3d1181f1a3c869a184ba9d082
Opcode Fuzzy Hash: 6d3ce50495760b775bf21700f7e5921b7e4b0e527bad5e76ca8e8c7fc4a09005
Instruction Fuzzy Hash: BB4157B19003199FEB509F68D944778FBA0AF00325F248319E629AB2D1D7B49A44DFA3

Function 00D216DA Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 00CD936C: __swprintf.LIBCMT ref: 00CD93AB
Part of subcall function 00CD936C: __itow.LIBCMT ref: 00CD93DF

Part of subcall function 00CEC6F4: _wcscpy.LIBCMT ref: 00CEC717

_wcstok.LIBCMT ref: 00D2184E
_wcscpy.LIBCMT ref: 00D218DD
_memset.LIBCMT ref: 00D21910

Strings

X, xrefs: 00D21948

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: a84e013b6827000abb46af962d97a05a1a030b615c44aa8740b2085beb3f99f9
Instruction ID: d887c1538152d558efde122d56e08b714850c87a0c2a52be29cfa7630d7b29c0
Opcode Fuzzy Hash: a84e013b6827000abb46af962d97a05a1a030b615c44aa8740b2085beb3f99f9
Instruction Fuzzy Hash: DAC18E345043519FC724EF24D881A6AB7E0FFA5354F04892EF99A973A2DB30EC45DB92

Function 00CEAE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f04bb9b454dc6638a771580acee4e06452ab21f7e8d45569ac65c018e4c3dc
Instruction ID: b878901932d720525a43c03b7f92ac7afa8a772d3cba33ee2f9fe48181dbd9e4
Opcode Fuzzy Hash: 80f04bb9b454dc6638a771580acee4e06452ab21f7e8d45569ac65c018e4c3dc
Instruction Fuzzy Hash: 40716BB0900249FFCB14CF9ACC88AAEBB75FF85310F248149F915AA251C734AA41CFA5

Function 00D32230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D3225A
_memset.LIBCMT ref: 00D32323
ShellExecuteExW.SHELL32(?), ref: 00D32368

Part of subcall function 00CD936C: __swprintf.LIBCMT ref: 00CD93AB
Part of subcall function 00CD936C: __itow.LIBCMT ref: 00CD93DF

Part of subcall function 00CEC6F4: _wcscpy.LIBCMT ref: 00CEC717

CloseHandle.KERNEL32(00000000), ref: 00D3242F
FreeLibrary.KERNEL32(00000000), ref: 00D3243E

Strings

@, xrefs: 00D32334

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: 814fb1bcb6de123477ff743a0034674bfcb1c38a9442c2fad1b052fbee22ffcd
Instruction ID: 2e95335b63ae97f282fd3552c79ee5ef7008eceded2ffef3bd557cc2aef89574
Opcode Fuzzy Hash: 814fb1bcb6de123477ff743a0034674bfcb1c38a9442c2fad1b052fbee22ffcd
Instruction Fuzzy Hash: 9E717E75E006199FCF15EFA8D8819AEB7F5FF48310F148459E856AB361CB34AD41CBA0

Function 00D3E062 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00D3E1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 00D3E20D
IsDlgButtonChecked.USER32(?,00000001), ref: 00D3E248
GetWindowLongW.USER32(?,000000EC), ref: 00D3E269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00D3E281

Strings

@U=u, xrefs: 00D3E1D5, 00D3E20D, 00D3E281

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID: @U=u
API String ID: 3188977179-2594219639
Opcode ID: a2e0e3cbcf008e02787b7041d8d366d5dfe234f947b180e9b1a4123bf9520154
Instruction ID: 97e54d38c8b663bc639f6118b8bba592d69a058fa47c585782e522aca139dee3
Opcode Fuzzy Hash: a2e0e3cbcf008e02787b7041d8d366d5dfe234f947b180e9b1a4123bf9520154
Instruction Fuzzy Hash: 60618038A00704AFDB25CF58C895FAAB7BAEF89300F184459F959973E1C7B1A941DB30

Function 00D13BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00D13C02
GetKeyboardState.USER32(?), ref: 00D13C17
SetKeyboardState.USER32(?), ref: 00D13C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00D13CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00D13CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00D13D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00D13D26

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 51510d73ceb33a5a3e2f82069c68375286027f87a056ec613ba030704b8af29c
Instruction ID: 22fd3777bde8db7e3f5710ed6e17e1733698117fa29430a1160757f56351753b
Opcode Fuzzy Hash: 51510d73ceb33a5a3e2f82069c68375286027f87a056ec613ba030704b8af29c
Instruction Fuzzy Hash: E151E4A05087D53DFB328734EC45BF6BEAAAB06300F0C8488E0D5568C2DA94EED4D771

Function 00D3CCF7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

@U=u, xrefs: 00D3CDF0

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: e1ac1a20c61ded7458424a1323d9608cc224700e43043436ecbf9b4a0560510b
Instruction ID: 79f3860795ca51705faff5bceb81842e81e9c5c6e07cdcb6de6c98a2154d63a4
Opcode Fuzzy Hash: e1ac1a20c61ded7458424a1323d9608cc224700e43043436ecbf9b4a0560510b
Instruction Fuzzy Hash: 0F41D23A910205ABCB20DF68DC44FA9BB69EB09310F181265F95AF72E1C730AD41DB70

Function 00D108AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D108F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D10918
SysAllocString.OLEAUT32(00000000), ref: 00D1091B
SysAllocString.OLEAUT32(?), ref: 00D10939
SysFreeString.OLEAUT32(?), ref: 00D10942
StringFromGUID2.OLE32(?,?,00000028), ref: 00D10967
SysAllocString.OLEAUT32(?), ref: 00D10975

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2509e1afc502f6bcc8360937985c3533b8d5fb83f2e505edfde4fa32d78a3654
Instruction ID: 4a9e77f86a10111eb14252911e78710c43cbfbc1eb9b1c77b74a7653a4341af1
Opcode Fuzzy Hash: 2509e1afc502f6bcc8360937985c3533b8d5fb83f2e505edfde4fa32d78a3654
Instruction Fuzzy Hash: 14218676601319BF9B10AFA8DC84DEB77ACEB09360B048125FD55DB255DAB0EC858B70

Function 00D0B80A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00D0B88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00D0B8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 00D0B8D1

Strings

@U=u, xrefs: 00D0B88E, 00D0B8A1, 00D0B8D1
ListBox, xrefs: 00D0B84D
ComboBox, xrefs: 00D0B815

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$ComboBox$ListBox
API String ID: 3850602802-2258501812
Opcode ID: a297304b176f7d4368406bf47f8ac341f8e303794a5452dada6084e0e9cc0c55
Instruction ID: 28423475b997c0c6f8ce110b48dc575a4b51d757c6039b882272161d32daae69
Opcode Fuzzy Hash: a297304b176f7d4368406bf47f8ac341f8e303794a5452dada6084e0e9cc0c55
Instruction Fuzzy Hash: 1021E171900208BFDB14ABA4D886ABE7779DF05360B14812AF569A62E0DB744D0AAB70

Function 00D12472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00D12485
__wcsnicmp.LIBCMT ref: 00D124A6
__wcsnicmp.LIBCMT ref: 00D124C0

Strings

#requireadmin, xrefs: 00D124A0
#notrayicon, xrefs: 00D1247D
#OnAutoItStartRegister, xrefs: 00D124BA

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 25e9db3b5071ea2e2601fe4562889b0ccd94b9df132b3fca42ce5bdeabe7e59c
Instruction ID: 586513b3101152a279172325d3857e6647ae31a036689f8af6047e818a3b29dd
Opcode Fuzzy Hash: 25e9db3b5071ea2e2601fe4562889b0ccd94b9df132b3fca42ce5bdeabe7e59c
Instruction Fuzzy Hash: 7D216A71204251BBD620AA24BC42EFB7399EF64310F28402AF98597082EE5299D2D2B1

Function 00D10986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D109CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D109F1
SysAllocString.OLEAUT32(00000000), ref: 00D109F4
SysAllocString.OLEAUT32 ref: 00D10A15
SysFreeString.OLEAUT32 ref: 00D10A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 00D10A38
SysAllocString.OLEAUT32(?), ref: 00D10A46

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ef40f9566422ebe36e5cc723b9e7e2024e99ad780e68896f45e98d77cf873758
Instruction ID: eae98e215833b67e0a8175548e64c64dbd6a3f58343d7a1e25da2c415ec36870
Opcode Fuzzy Hash: ef40f9566422ebe36e5cc723b9e7e2024e99ad780e68896f45e98d77cf873758
Instruction Fuzzy Hash: 12214775604304BFDB10AFA8DC89DAA77EDEF483607548125F949CB265DAB0ECC18B74

Function 00D0DBBF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00D0DBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D0DBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D0DC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00D0DC52
_wcsstr.LIBCMT ref: 00D0DC5C

Strings

@U=u, xrefs: 00D0DBF4, 00D0DC2C

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID: @U=u
API String ID: 3902887630-2594219639
Opcode ID: 88d307862bc321d34839fe64ccdc9ca3ccb08f2ef29da588e917ba67971b3092
Instruction ID: 5f11a507fb1352ea4d65e8e88ffca4a48548bb2e80f834e0a5ad6a00ca3389f0
Opcode Fuzzy Hash: 88d307862bc321d34839fe64ccdc9ca3ccb08f2ef29da588e917ba67971b3092
Instruction Fuzzy Hash: 9E21F571204244ABEB255BA99C49F7F7BAADF49750F14402AF80DCA191EAA1CC41E274

Function 00D3A2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CED17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00CED1BA
Part of subcall function 00CED17C: GetStockObject.GDI32(00000011), ref: 00CED1CE
Part of subcall function 00CED17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CED1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00D3A32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00D3A33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00D3A345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00D3A354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00D3A360

Strings

Msctls_Progress32, xrefs: 00D3A2FE

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 008dd84c238210a5e39ba57947953a226e6819c92b80aeed880e48a3959b6df1
Instruction ID: b414d74a8af99f32b7abc6a668d3aca5c8d821d8ab98ce0dd68fd7797a826353
Opcode Fuzzy Hash: 008dd84c238210a5e39ba57947953a226e6819c92b80aeed880e48a3959b6df1
Instruction Fuzzy Hash: 0A1190B1250219BEEF155FA4CC85EEB7F6DFF09798F014115BA48A60A0C6729C22DBB4

Function 00CECCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00CECCF6
GetWindowRect.USER32(?,?), ref: 00CECD37
ScreenToClient.USER32(?,?), ref: 00CECD5F
GetClientRect.USER32(?,?), ref: 00CECE8C
GetWindowRect.USER32(?,?), ref: 00CECEA5

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a8302cf8179d7d372fdcabe2d644e292eb590e157f3f2970182776d9834adf50
Instruction ID: a692111944f8ca3e671ea97a938821e31203b151549b35a7915782eb11b182ea
Opcode Fuzzy Hash: a8302cf8179d7d372fdcabe2d644e292eb590e157f3f2970182776d9834adf50
Instruction Fuzzy Hash: DAB14E79900289EBDF14CFAAC5807EDB7B1FF08350F149529EC69EB250DB30AA51CB64

Function 00D31BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D31C18
Process32FirstW.KERNEL32(00000000,?), ref: 00D31C26
__wsplitpath.LIBCMT ref: 00D31C54

Part of subcall function 00CF1DFC: __wsplitpath_helper.LIBCMT ref: 00CF1E3C

_wcscat.LIBCMT ref: 00D31C69
Process32NextW.KERNEL32(00000000,?), ref: 00D31CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00D31CF1

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: 12272114dcc9724ce91d4865b48c0ac59331e759ad3dcc09a8fbee16ac1655bb
Instruction ID: 44b90b54020631d46f3dbcffc14eace76a3bc58c18657d1c644b702d80f53535
Opcode Fuzzy Hash: 12272114dcc9724ce91d4865b48c0ac59331e759ad3dcc09a8fbee16ac1655bb
Instruction Fuzzy Hash: 79516CB1504341AFD720EF64D885EABB7ECEF88754F04492EF98597251EB70DA04CBA2

Function 00D32FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D33C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D32BB5,?,?), ref: 00D33C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D330AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D330EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00D33112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00D3313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D3317E
RegCloseKey.ADVAPI32(00000000), ref: 00D3318B

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: 0d25bd9d86ad199f9adf6e4cee3c9835ab4510d2608d15319def36ba438ab53a
Instruction ID: c93ed699b3d77e59c03dd26a76769ec29f4d02db708b6fd936f715508ba67696
Opcode Fuzzy Hash: 0d25bd9d86ad199f9adf6e4cee3c9835ab4510d2608d15319def36ba438ab53a
Instruction Fuzzy Hash: F9513931604300AFC714EF68C995E6ABBF9FF88310F04491EF695972A1DB71EA05DB62

Function 00D384DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00D38540
GetMenuItemCount.USER32(00000000), ref: 00D38577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00D3859F
GetMenuItemID.USER32(?,?), ref: 00D3860E
GetSubMenu.USER32(?,?), ref: 00D3861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 00D3866D

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 67fe06c3ef54df4c4001edefb930d3192022b6d7b9c7806f1bd4a2b53b102df8
Instruction ID: 7ef88b989f8a22d0a9878f0a2ed564de84293126470a7843e494f419028d4d73
Opcode Fuzzy Hash: 67fe06c3ef54df4c4001edefb930d3192022b6d7b9c7806f1bd4a2b53b102df8
Instruction Fuzzy Hash: 31518B31A00619AFCB11EF68C845AAEB7F5EF48310F144469F916FB351DB70AE419BA1

Function 00D14AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D14B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D14B5B
IsMenu.USER32(00000000), ref: 00D14B7B
CreatePopupMenu.USER32 ref: 00D14BAF
GetMenuItemCount.USER32(000000FF), ref: 00D14C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00D14C3E

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: a6e9141b8f1fe61c458632313f757618f1e26a902fb1f521fb38c56d293070e1
Instruction ID: a5d7e86c84c3e43e99fc1a25ee9a72abd044cf9092455054d2775e05406cd658
Opcode Fuzzy Hash: a6e9141b8f1fe61c458632313f757618f1e26a902fb1f521fb38c56d293070e1
Instruction Fuzzy Hash: DC51AE70601309FBDF20CF64E988BEDBBF6AF45318F184159E8559A291EB709984CBB1

Function 00D28DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,00D6DC00), ref: 00D28E7C
WSAGetLastError.WSOCK32(00000000), ref: 00D28E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00D28EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 00D28EC5
_strlen.LIBCMT ref: 00D28EF7
WSAGetLastError.WSOCK32(00000000), ref: 00D28F6A

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 7a81652d62681c63c26ee58dde8e5eb9945709099587e6bf269dc64da0e2c825
Instruction ID: 1d59e77c5c24596d776600f0d7911c1f8d8eca55aca61fe1bfc1ae5cc5e3cad1
Opcode Fuzzy Hash: 7a81652d62681c63c26ee58dde8e5eb9945709099587e6bf269dc64da0e2c825
Instruction Fuzzy Hash: D241C371500214AFCB14EBA4DD85EAEB7BAEF18314F10415AF61A97291DF30EE40DB70

Function 00CEABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00CEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CEB35F

BeginPaint.USER32(?,?,?), ref: 00CEAC2A
GetWindowRect.USER32(?,?), ref: 00CEAC8E
ScreenToClient.USER32(?,?), ref: 00CEACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00CEACBC
EndPaint.USER32(?,?,?,?,?), ref: 00CEAD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00D4E673

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 4709fdb5f7d393801a23b496ff0cf582911f37b4759e5a6bf877a4b92bd733a4
Instruction ID: b41dad9a41cff621231910afaab922f4002e2f97e78505ef5f9a39988c0c8535
Opcode Fuzzy Hash: 4709fdb5f7d393801a23b496ff0cf582911f37b4759e5a6bf877a4b92bd733a4
Instruction Fuzzy Hash: 0E41BA74500341AFC720DF26DC84FBA7BE8BB59320F180669F9A4C72A1C731A945DB72

Function 00D198BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00D198D1

Part of subcall function 00CEF4EA: std::exception::exception.LIBCMT ref: 00CEF51E
Part of subcall function 00CEF4EA: __CxxThrowException@8.LIBCMT ref: 00CEF533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00D19908
EnterCriticalSection.KERNEL32(?), ref: 00D19924
LeaveCriticalSection.KERNEL32(?), ref: 00D1999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00D199B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00D199D2

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: fed34bdce8b2e3a0de67e387e13459da685844c6cc625459826699410c7e8dcc
Instruction ID: 88cccee0f6c07c1f4ee40c397f519fbbe50564c0a2db0f967cc7c681977f5a95
Opcode Fuzzy Hash: fed34bdce8b2e3a0de67e387e13459da685844c6cc625459826699410c7e8dcc
Instruction Fuzzy Hash: 87318131900205EBDB109F95DC85EAEB7B9FF44310B1480A9F904EB246DB30DA51DBB4

Function 00D29B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00D277F4,?,?,00000000,00000001), ref: 00D29B53

Part of subcall function 00D26544: GetWindowRect.USER32(?,?), ref: 00D26557

GetDesktopWindow.USER32 ref: 00D29B7D
GetWindowRect.USER32(00000000), ref: 00D29B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00D29BB6

Part of subcall function 00D17A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00D17AD0

GetCursorPos.USER32(?), ref: 00D29BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00D29C44

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 0de10ea60c1a4f1aae115a73b56629c3eb31ad47b270183072cffa36ad80a43f
Instruction ID: a3e818ed341d1caf0f944a82ed742fe72d508edca43f077c0a40700d67b4999e
Opcode Fuzzy Hash: 0de10ea60c1a4f1aae115a73b56629c3eb31ad47b270183072cffa36ad80a43f
Instruction Fuzzy Hash: 8631C172104319AFC720DF54E849F9AB7EAFF99314F00091AF989D7291DA31E945CBB1

Function 00D0AF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00D0AFAE
OpenProcessToken.ADVAPI32(00000000), ref: 00D0AFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00D0AFC4
CloseHandle.KERNEL32(00000004), ref: 00D0AFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D0AFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 00D0B012

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: bc209e1acd2ab3a79b8d28e8ee819080f25b9307b8b02700473450726989f901
Instruction ID: 0dad230ff95a5997c4f80ad81b9a0083b8979d4cf3f8d26bd83a83f2b00f8d33
Opcode Fuzzy Hash: bc209e1acd2ab3a79b8d28e8ee819080f25b9307b8b02700473450726989f901
Instruction Fuzzy Hash: 0B214C7210430AABDB128F98DD09BAE7BAAEF44305F144015FE05A61A1C376DD61EB71

Function 00D3EBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00CEAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00CEAFE3
Part of subcall function 00CEAF83: SelectObject.GDI32(?,00000000), ref: 00CEAFF2
Part of subcall function 00CEAF83: BeginPath.GDI32(?), ref: 00CEB009
Part of subcall function 00CEAF83: SelectObject.GDI32(?,00000000), ref: 00CEB033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00D3EC20
LineTo.GDI32(00000000,00000003,?), ref: 00D3EC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00D3EC42
LineTo.GDI32(00000000,00000000,?), ref: 00D3EC52
EndPath.GDI32(00000000), ref: 00D3EC62
StrokePath.GDI32(00000000), ref: 00D3EC72

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 2acef31de322f7a05f080d5846d367b68bddbda477d52a79379567822d15e211
Instruction ID: 1db0504528ffd4d9f2c8a09d127aacdcd9b241c69da47bd06a762439b630c6bb
Opcode Fuzzy Hash: 2acef31de322f7a05f080d5846d367b68bddbda477d52a79379567822d15e211
Instruction Fuzzy Hash: 6F111B7640024DBFEF129F94DC88EEA7F6DEB08351F048112BE089A2A0D7719D55DBB0

Function 00D0E19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D0E1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 00D0E1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D0E1D8
ReleaseDC.USER32(00000000,00000000), ref: 00D0E1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00D0E1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 00D0E209

Part of subcall function 00D09AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00D09A05,00000000,00000000,?,00D09DDB), ref: 00D0A53A

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 7190a40691273859da9d8796c982fda220c24c0f41de1e4df19bcb57bfadec3f
Instruction ID: 97e33527218b2e6055d445c6613184243abccb061f9f83c28989522112f9179d
Opcode Fuzzy Hash: 7190a40691273859da9d8796c982fda220c24c0f41de1e4df19bcb57bfadec3f
Instruction Fuzzy Hash: 050171B5A00718BBEB109BA69C45B5ABFA9EB48351F044066EE08E73D0D6709C018B71

Function 00CD27EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CD281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00CD2825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CD2830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CD283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00CD2843
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CD284B

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: dc722bb249536db0fd00e4ab15a5d99e3990e3d93ef794179dcc2e894fa783e0
Instruction ID: 7023ffb61c01483cd080682418d36ffca3c9e65fb027ffb652a9895d9d3a53a3
Opcode Fuzzy Hash: dc722bb249536db0fd00e4ab15a5d99e3990e3d93ef794179dcc2e894fa783e0
Instruction Fuzzy Hash: BD0167B0902B5EBDE3008F6A8C85B52FFA8FF19354F00411BA15C87A42C7F5A864CBE5

Function 00D19AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: e3ee9dcf1d1810545d67e5c0673c57096afc65bb71b584dba02d4807cbd2b1df
Instruction ID: d793691feec35ae96099c171e87e6f388f3394a540adf21e2465c1d5153fe007
Opcode Fuzzy Hash: e3ee9dcf1d1810545d67e5c0673c57096afc65bb71b584dba02d4807cbd2b1df
Instruction Fuzzy Hash: 2A018132142311BBD7291B54FC68DEBB76AFF88702B480429F907D61A0DF65A844DB70

Function 00D17BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00D17C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00D17C1D
GetWindowThreadProcessId.USER32(?,?), ref: 00D17C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D17C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D17C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D17C4C

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: ebd63a830c7416f5a805df04dbf9116566e8c10f2d3dee82e7abd9c80e23ce2e
Instruction ID: 0fcccb1aa97955b853f5af33434070694929b9fedf37dc1d4b0c93ae7b6dd224
Opcode Fuzzy Hash: ebd63a830c7416f5a805df04dbf9116566e8c10f2d3dee82e7abd9c80e23ce2e
Instruction Fuzzy Hash: 72F03A72241758BBE7315B529C0EEEF7BBDEFC6B12F000018FA01D1261DBA05A42C6B6

Function 00D19A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00D19A33
EnterCriticalSection.KERNEL32(?,?,?,?,00D45DEE,?,?,?,?,?,00CDED63), ref: 00D19A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,00D45DEE,?,?,?,?,?,00CDED63), ref: 00D19A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00D45DEE,?,?,?,?,?,00CDED63), ref: 00D19A5E

Part of subcall function 00D193D1: CloseHandle.KERNEL32(?,?,00D19A6B,?,?,?,00D45DEE,?,?,?,?,?,00CDED63), ref: 00D193DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 00D19A71
LeaveCriticalSection.KERNEL32(?,?,?,?,00D45DEE,?,?,?,?,?,00CDED63), ref: 00D19A78

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: d47996fabe4ea3f0016806115af32bd88e7e309224d7f89212d879c17f6f1fcc
Instruction ID: e4a2829daa3d823b875aa926bc448cd410008042430164265c403e8fba79cfbe
Opcode Fuzzy Hash: d47996fabe4ea3f0016806115af32bd88e7e309224d7f89212d879c17f6f1fcc
Instruction Fuzzy Hash: C3F0BE32142301ABD3211BA4FC9CDEA772AFF84302F040021FA03D51A0CF759840DB70

Function 00D2AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D2B006
CharUpperBuffW.USER32(?,?), ref: 00D2B115
VariantClear.OLEAUT32(?), ref: 00D2B298

Part of subcall function 00D19DC5: VariantInit.OLEAUT32(00000000), ref: 00D19E05
Part of subcall function 00D19DC5: VariantCopy.OLEAUT32(?,?), ref: 00D19E0E
Part of subcall function 00D19DC5: VariantClear.OLEAUT32(?), ref: 00D19E1A

Strings

AUTOIT.ERROR, xrefs: 00D2B11B
Incorrect Parameter format, xrefs: 00D2B03E, 00D2B20B

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: b27eb00539f21b6f03241a9f55fedd279c8ba2ca33e80bcfea92209a14c615a1
Instruction ID: 2b4761cdc3193b2c10992b55d7e77be15a90773b0a94d9aaf0f003ab4ebe2358
Opcode Fuzzy Hash: b27eb00539f21b6f03241a9f55fedd279c8ba2ca33e80bcfea92209a14c615a1
Instruction Fuzzy Hash: A2918C70608301DFCB10EF24D58195AB7F4EF99714F04886EF99A8B3A1DB71E945CB62

Function 00D15347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEC6F4: _wcscpy.LIBCMT ref: 00CEC717

_memset.LIBCMT ref: 00D15438
GetMenuItemInfoW.USER32(?), ref: 00D15467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D15513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00D1553D

Strings

0, xrefs: 00D15430

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 09acb389725efe3b6c38c5ad1d53997e008256dc2d47bc03fd961028fc5af8c1
Instruction ID: a0e46224f77fa2bf3ddd97fc8b4da8c041527ccaabd58ca1de287859bdda02c3
Opcode Fuzzy Hash: 09acb389725efe3b6c38c5ad1d53997e008256dc2d47bc03fd961028fc5af8c1
Instruction Fuzzy Hash: 8051E331114701EBE7159E28F8416EBB7E5ABC5310F08062AF8A6D3295EF78CD84C772

Function 00D3C4D7 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00F76550,?), ref: 00D3C544
ScreenToClient.USER32(?,00000002), ref: 00D3C574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00D3C5DA

Strings

@U=u, xrefs: 00D3C630

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: 87da30805c7b76acfd5b1b573a9e3e82dd293bf6cc86ac2f54f6ce97bba5606b
Instruction ID: 2ae7771be25007891bbe19c07d25c6676d281e7e88e05d9f5a7e8508e223fb75
Opcode Fuzzy Hash: 87da30805c7b76acfd5b1b573a9e3e82dd293bf6cc86ac2f54f6ce97bba5606b
Instruction Fuzzy Hash: A3515075A10205EFCF20DF68C881AAE77B6EF55320F149659F965E72A0D730ED41CBA0

Function 00D0C410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00D0C462
__itow.LIBCMT ref: 00D0C49C

Part of subcall function 00D0C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00D0C753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00D0C505
__itow.LIBCMT ref: 00D0C55A

Strings

@U=u, xrefs: 00D0C462, 00D0C505

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend$__itow
String ID: @U=u
API String ID: 3379773720-2594219639
Opcode ID: 7c699aa172373e8102cfcff30c394aa4e1a9f1ce543783aa2d00d31a83326d07
Instruction ID: 7875c0851ec57c616f3fa8fbf729bb9d0deadb6eeef396f4ec97e7067ddce915
Opcode Fuzzy Hash: 7c699aa172373e8102cfcff30c394aa4e1a9f1ce543783aa2d00d31a83326d07
Instruction Fuzzy Hash: F4418371A00209AFDF25EF54CC55BEE7BB9AF49700F04005AFA09A72D1DB70AA45DBB1

Function 00D0C189 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D1430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D0BC08,?,?,00000034,00000800,?,00000034), ref: 00D14335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00D0C1D3

Part of subcall function 00D142D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D0BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00D14300

Part of subcall function 00D1422F: GetWindowThreadProcessId.USER32(?,?), ref: 00D1425A
Part of subcall function 00D1422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D0BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00D1426A
Part of subcall function 00D1422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D0BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00D14280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D0C240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D0C28D

Strings

@U=u, xrefs: 00D0C1D3, 00D0C240, 00D0C28D
@, xrefs: 00D0C2A5

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: bd2b6d8e39452cc3f88673fdcc437080ed2350f30e59580a3a170b5f79b6b0fb
Instruction ID: 130e38deec6c091e859ed2ed139e30b41e746fecdb07491691c19f11e4f4b983
Opcode Fuzzy Hash: bd2b6d8e39452cc3f88673fdcc437080ed2350f30e59580a3a170b5f79b6b0fb
Instruction Fuzzy Hash: 7E41487290021CBEDB11DFA4DC81AEEB7B8EB09300F044199FA59B7180DA716E85CB71

Function 00D10213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D1027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00D102B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00D102C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D10344

Strings

DllGetClassObject, xrefs: 00D102B7

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 56a8305608afdd40aa13016a3131502550ca4b1496da6a2f0d428a31b4f61693
Instruction ID: 1d45eb9c40eb7727abd533c81241fb9e814ecbe2b6b78a78ecedce7e3369c850
Opcode Fuzzy Hash: 56a8305608afdd40aa13016a3131502550ca4b1496da6a2f0d428a31b4f61693
Instruction Fuzzy Hash: CF4139B1600304AFDB15EF54D884A9A7FA9EF44311B1480A9AD19DF216DBF1E9C4CBB0

Function 00D15007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D15075
GetMenuItemInfoW.USER32 ref: 00D15091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 00D150D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D91708,00000000), ref: 00D15120

Strings

0, xrefs: 00D1506D

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: fab24c466a83d79292b6026647dd04dfefa0509a022a83edbf789b0f78537f38
Instruction ID: 613cd1c58aefbf00ffe2019dea96fc955585a64b8b65cb26217fc2beb76cadeb
Opcode Fuzzy Hash: fab24c466a83d79292b6026647dd04dfefa0509a022a83edbf789b0f78537f38
Instruction Fuzzy Hash: EA419D70204701FFD7219F24F880BAAB7E5AB89324F14461EF99597296DB34E880CB72

Function 00D3B544 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D3B5D1

Strings

@U=u, xrefs: 00D3B620

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: 8565a4101739c99cf05f720f2fbf6cc98c5d040a5a01038d3cff1fd3a942a4b7
Instruction ID: 247ba90103d6cd0a98d1c80848ee0679425bef08b6935dc50268ebb1bb431b19
Opcode Fuzzy Hash: 8565a4101739c99cf05f720f2fbf6cc98c5d040a5a01038d3cff1fd3a942a4b7
Instruction Fuzzy Hash: 4F319E74601208AFEF209F18CC86FA97B65EB05370F584513FB51DA2E2C730E9509B71

Function 00D30567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00D30587

Strings

none, xrefs: 00D30662
winapi, xrefs: 00D305F8
cdecl, xrefs: 00D305DE
stdcall, xrefs: 00D30609

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: ac193dd20f2e1f3e6852c9432ef0311490acc6e0559d6e53a9863f4feb1a70a8
Instruction ID: d6d0fdbdd5e3946f5b04a326643563fb72367415027445472238c2a3e2a2f363
Opcode Fuzzy Hash: ac193dd20f2e1f3e6852c9432ef0311490acc6e0559d6e53a9863f4feb1a70a8
Instruction Fuzzy Hash: 9631BE30500216ABCF00EF68C8519AEB7B8FF59350F10862AE826A77D5DB71E915CBA0

Function 00D243E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D24401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D24427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D24457
InternetCloseHandle.WININET(00000000), ref: 00D2449E

Part of subcall function 00D25052: GetLastError.KERNEL32(?,?,00D243CC,00000000,00000000,00000001), ref: 00D25067

Strings

, xrefs: 00D24450

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: e30b7ace8afcbb4ff034420763fd404b2bac4b275ac88c1134d7ca5dc36875a0
Instruction ID: 97b4d29f4059f3c084f99b42714883eee35c32f3d76c21f27ae2a2ccacd1b730
Opcode Fuzzy Hash: e30b7ace8afcbb4ff034420763fd404b2bac4b275ac88c1134d7ca5dc36875a0
Instruction Fuzzy Hash: C221C2B1500318BFE721AF54EC84EBF76EDEB58748F10801AF94AD6140DAB48D069771

Function 00D390E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CED17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00CED1BA
Part of subcall function 00CED17C: GetStockObject.GDI32(00000011), ref: 00CED1CE
Part of subcall function 00CED17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CED1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00D3915C
LoadLibraryW.KERNEL32(?), ref: 00D39163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00D39178
DestroyWindow.USER32(?), ref: 00D39180

Strings

SysAnimate32, xrefs: 00D39137

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 660cfb0cc3e7365e98d78325b80d18648bb1aed7e1e6bd5d2f5873495bc18419
Instruction ID: eda1bfdb0a900239b9b2f7b96ebf485f93ec04fb2e395216d1a66dab95223b55
Opcode Fuzzy Hash: 660cfb0cc3e7365e98d78325b80d18648bb1aed7e1e6bd5d2f5873495bc18419
Instruction Fuzzy Hash: 02219F7120430ABBEF204F64DC95EBBB7ADEF99364F140618F955A2190C7B1DC52A770

Function 00D19568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00D19588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D195B9
GetStdHandle.KERNEL32(0000000C), ref: 00D195CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00D19605

Strings

nul, xrefs: 00D19600

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 66f4137d2ca61245a5a035c8947c8076a0371bccc94c110e090894600dba39ad
Instruction ID: 9d5b9aef197e752d88605dd67e9c8e517ec299adc2dc1b64504c87a16ac7dbae
Opcode Fuzzy Hash: 66f4137d2ca61245a5a035c8947c8076a0371bccc94c110e090894600dba39ad
Instruction Fuzzy Hash: 1A213D70500305ABEB219F69EC25ADAB7B9AF45724F244A19FDA1E72D0DB70D981CB30

Function 00D19634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00D19653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D19683
GetStdHandle.KERNEL32(000000F6), ref: 00D19694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00D196CE

Strings

nul, xrefs: 00D196C9

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: b579a2e63b84f22100f2fca18d50a7385a2c6780978505a11ebed2bf671c2505
Instruction ID: cd8046f1279ac6ed047b937e821fe82ef5597ee3ebcf2caee4caef37182e2926
Opcode Fuzzy Hash: b579a2e63b84f22100f2fca18d50a7385a2c6780978505a11ebed2bf671c2505
Instruction Fuzzy Hash: 73216071600305ABDB209F69AC74EDAB7E8AF55724F240A19FCA1D72D0EB70D881CB75

Function 00D1DAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D1DB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00D1DB5E
__swprintf.LIBCMT ref: 00D1DB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,00D6DC00), ref: 00D1DBB5

Strings

%lu, xrefs: 00D1DB71

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 4b76c70967a5739b8709f901723c9bfc4fd4e0144ba99fff665013fae33a3ade
Instruction ID: 47cf10dfde64109fa8eef3051c43ee9ce7d99a1fd5750980d1f8c9a993668af0
Opcode Fuzzy Hash: 4b76c70967a5739b8709f901723c9bfc4fd4e0144ba99fff665013fae33a3ade
Instruction Fuzzy Hash: 9F216035A00209AFCB10EF64D985DAEB7B9EF49704B014069FA09D7351DB71EA41DB71

Function 00D0C9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00D0C84A
Part of subcall function 00D0C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D0C85D
Part of subcall function 00D0C82D: GetCurrentThreadId.KERNEL32 ref: 00D0C864
Part of subcall function 00D0C82D: AttachThreadInput.USER32(00000000), ref: 00D0C86B

GetFocus.USER32 ref: 00D0CA05

Part of subcall function 00D0C876: GetParent.USER32(?), ref: 00D0C884

GetClassNameW.USER32(?,?,00000100), ref: 00D0CA4E
EnumChildWindows.USER32(?,00D0CAC4), ref: 00D0CA76
__swprintf.LIBCMT ref: 00D0CA90

Strings

%s%d, xrefs: 00D0CA8A

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: e16ff54df6bfaabaed17585aa2023acde8011473fc7f06b22a6c30b91a14ce0c
Instruction ID: 4c8c8eb046042c454df0cdeb15e764d5be1c5ba4c7b14bb3a76ea0268c0fe8f2
Opcode Fuzzy Hash: e16ff54df6bfaabaed17585aa2023acde8011473fc7f06b22a6c30b91a14ce0c
Instruction Fuzzy Hash: 581181716103097BCB11BFA09C85FE93779AF48714F049166FE0CAA182DB709546EB74

Function 00CED17C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00CED1BA
GetStockObject.GDI32(00000011), ref: 00CED1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 00CED1D8

Strings

@U=u, xrefs: 00CED1D8

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID: @U=u
API String ID: 3970641297-2594219639
Opcode ID: f64998194852572de2f0cb7a5aa1cde1dcffe03b4c3c2a658ea6d7de1ae67174
Instruction ID: ec1b6f4bd6dfb55d22666fd16cf3dca547a79dd603db2f39d01a18becef925d3
Opcode Fuzzy Hash: f64998194852572de2f0cb7a5aa1cde1dcffe03b4c3c2a658ea6d7de1ae67174
Instruction Fuzzy Hash: A9118B7250164ABFEB124F91DC50EEEBB6AFF08365F040102FE1692150C7319D609BB0

Function 00D31945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00D319F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00D31A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00D31B49
CloseHandle.KERNEL32(?), ref: 00D31BBF

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 742b76df3500565a19152954435d54b52e7da17e49c5db862d3990f244da85e2
Instruction ID: 5eaa14f22c3e77e9320b796ff65d03c6bd898f65cd3a342b4dd11b136b87b473
Opcode Fuzzy Hash: 742b76df3500565a19152954435d54b52e7da17e49c5db862d3990f244da85e2
Instruction Fuzzy Hash: 61817475A00305ABDF10AF65C886BADBBE5FF04720F188459F915AF382D7B4E941DBA0

Function 00D30688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD936C: __swprintf.LIBCMT ref: 00CD93AB
Part of subcall function 00CD936C: __itow.LIBCMT ref: 00CD93DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00D306EE
GetProcAddress.KERNEL32(00000000,?), ref: 00D3077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00D3079B
GetProcAddress.KERNEL32(00000000,?), ref: 00D307E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 00D307FB

Part of subcall function 00CEE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00D1A574,?,?,00000000,00000008), ref: 00CEE675
Part of subcall function 00CEE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00D1A574,?,?,00000000,00000008), ref: 00CEE699

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: e220a0fe1ccab37cbfa70e474b2279c707b2f5c92810c649fb66de5dce0503de
Instruction ID: afebdf5622d8b3ac1af56f94502100cd3eaa010f86f65ef455475acfb35737da
Opcode Fuzzy Hash: e220a0fe1ccab37cbfa70e474b2279c707b2f5c92810c649fb66de5dce0503de
Instruction Fuzzy Hash: 04511A75A00205DFCB10EFA8C495DADBBB5BF58310F148056EA56AB352DB30ED45DBA0

Function 00D32E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D33C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D32BB5,?,?), ref: 00D33C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D32EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D32F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00D32F75
RegCloseKey.ADVAPI32(?,?), ref: 00D32FA1
RegCloseKey.ADVAPI32(00000000), ref: 00D32FAE

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: a34c228a027f335b584d6008cb8a113ffa7d9f28de06f85ec7e82f1ff8e73b56
Instruction ID: 0aa3a588ee2bc85f444a792592457c2fab1bf23f792c93757a8dc9d332308776
Opcode Fuzzy Hash: a34c228a027f335b584d6008cb8a113ffa7d9f28de06f85ec7e82f1ff8e73b56
Instruction Fuzzy Hash: D0515B71608304AFD704EF64C881E6AB7F9FF88314F04481EF69597291DB30E905DB62

Function 00D21206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00D212B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00D212DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00D2131C

Part of subcall function 00CD936C: __swprintf.LIBCMT ref: 00CD93AB
Part of subcall function 00CD936C: __itow.LIBCMT ref: 00CD93DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00D21341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00D21349

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 7dcc0a8dfd2b8ba7cfb72bfdbd549502e332c7f74bf74e47752d1f32b5867736
Instruction ID: 3ac8e3f28116ddcedaa5910ed8846783e0621b98deece498d9be9b9e337dc8ac
Opcode Fuzzy Hash: 7dcc0a8dfd2b8ba7cfb72bfdbd549502e332c7f74bf74e47752d1f32b5867736
Instruction Fuzzy Hash: DB410D39A00615DFDF01EF64C981AAEBBF5FF18314B148099E90AAB361CB31ED41DB61

Function 00CEB63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 00CEB64F
ScreenToClient.USER32(00000000,000000FF), ref: 00CEB66C
GetAsyncKeyState.USER32(00000001), ref: 00CEB691
GetAsyncKeyState.USER32(00000002), ref: 00CEB69F

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 74badc01c36c3f90f0f2c50eebf861880eecb53ac0069b9e4b94d3b15ed7891a
Instruction ID: 74482437fdfe62cb2af919b2f07d0d161a1cd58fd853b0101fcb61f1f49b3ed9
Opcode Fuzzy Hash: 74badc01c36c3f90f0f2c50eebf861880eecb53ac0069b9e4b94d3b15ed7891a
Instruction Fuzzy Hash: 1C416031604259BFCF299F65C844AEABB75FF05324F104319F86996290C731AE54EFB1

Function 00D0B358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D0B369
PostMessageW.USER32(?,00000201,00000001), ref: 00D0B413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00D0B41B
PostMessageW.USER32(?,00000202,00000000), ref: 00D0B429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00D0B431

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 8a0eed2aface8a6d92ce4c8900ee16592fd11f6ac247ee14cbcbede5d851fd1d
Instruction ID: 26d75be9edac6dcca36804d257179f12751c79cd4ffefd15a023db18f8576946
Opcode Fuzzy Hash: 8a0eed2aface8a6d92ce4c8900ee16592fd11f6ac247ee14cbcbede5d851fd1d
Instruction Fuzzy Hash: 8B31DF71904319EBDB14CF68D948B9E3BB5EB00329F10422AF824E62D1C7B0DA50CBA0

Function 00D16318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00CD50E6: _wcsncpy.LIBCMT ref: 00CD50FA

GetFileAttributesW.KERNEL32(?,?,?,?,00D160C3), ref: 00D16369
GetLastError.KERNEL32(?,?,?,00D160C3), ref: 00D16374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00D160C3), ref: 00D16388
_wcsrchr.LIBCMT ref: 00D163AA

Part of subcall function 00D16318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00D160C3), ref: 00D163E0

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 2e9a2934a35a4a4b0a2a7921f449ec4093191bb5792bfd75830a28e8e500cea9
Instruction ID: 7c7334a38f364dc22cdf8f6bd93487ac02a78a0b5a53b90c428379351a9c1a3b
Opcode Fuzzy Hash: 2e9a2934a35a4a4b0a2a7921f449ec4093191bb5792bfd75830a28e8e500cea9
Instruction Fuzzy Hash: 25210531504315AADB25AB78BC42FEA33ACEF163A1F2C40A9F565C31C0EF60D9C19A75

Function 00D28B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D2A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00D2A84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00D28BD3
WSAGetLastError.WSOCK32(00000000), ref: 00D28BE2
connect.WSOCK32(00000000,?,00000010), ref: 00D28BFE

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: fdf5eb2e018a315513c95b8dc9df437a34fa3c630fc7cddcc689dcbbe31a3ee0
Instruction ID: 166d320826adc9d8164376e59dd7dd75ea3513b41d1a793083e72bfc3555a9f1
Opcode Fuzzy Hash: fdf5eb2e018a315513c95b8dc9df437a34fa3c630fc7cddcc689dcbbe31a3ee0
Instruction Fuzzy Hash: 4321AC31200224AFDB10AF28DC85B7E77A9EF58725F044449F946EB392CB70AC019B71

Function 00D28420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00D28441
GetForegroundWindow.USER32 ref: 00D28458
GetDC.USER32(00000000), ref: 00D28494
GetPixel.GDI32(00000000,?,00000003), ref: 00D284A0
ReleaseDC.USER32(00000000,00000003), ref: 00D284DB

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 08ff365c74880a20da851cbc3cace997e15ba1da10a499e0371b4fb3d3307322
Instruction ID: 6f36388d9c887e2ab70c723cfe13ac42af0b490d1615f2921283abed9d024154
Opcode Fuzzy Hash: 08ff365c74880a20da851cbc3cace997e15ba1da10a499e0371b4fb3d3307322
Instruction Fuzzy Hash: D1216F75A00314AFD710EFA4D885AAEBBE6EF48301F048479E95AD7351DA74AC41DB70

Function 00CEAF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00CEAFE3
SelectObject.GDI32(?,00000000), ref: 00CEAFF2
BeginPath.GDI32(?), ref: 00CEB009
SelectObject.GDI32(?,00000000), ref: 00CEB033

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d58e7820ea376f1516d4204b34c35e4332cf6d2b2e664c389baca1fb4ae25aac
Instruction ID: de0df39a4de851ad4a84d738d961815d4b6c6b2437d9c081fdb624ffa28afd85
Opcode Fuzzy Hash: d58e7820ea376f1516d4204b34c35e4332cf6d2b2e664c389baca1fb4ae25aac
Instruction Fuzzy Hash: 0B2162B5C00346AFDB219F96EC48BAA7B79BB10356F14431AE425D22A0D37069518B71

Function 00CF217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00CF21A9
CreateThread.KERNEL32(?,?,00CF22DF,00000000,?,?), ref: 00CF21ED
GetLastError.KERNEL32 ref: 00CF21F7
_free.LIBCMT ref: 00CF2200
__dosmaperr.LIBCMT ref: 00CF220B

Part of subcall function 00CF7C0E: __getptd_noexit.LIBCMT ref: 00CF7C0E

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 94541ae767f69a3603b20866e59ee15f6e689b5015f0fe6281c3b2acbd0e10eb
Instruction ID: ef431f76e513939703598c4f3eee5d23a15f72faa9210ef32220579ce1f62734
Opcode Fuzzy Hash: 94541ae767f69a3603b20866e59ee15f6e689b5015f0fe6281c3b2acbd0e10eb
Instruction Fuzzy Hash: 6711A53310430EAFAB61AFA5DC41DBB3B99EF057707110529FB24C6151DB719911A6A3

Function 00D0ABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00D0ABD7
GetLastError.KERNEL32(?,00D0A69F,?,?,?), ref: 00D0ABE1
GetProcessHeap.KERNEL32(00000008,?,?,00D0A69F,?,?,?), ref: 00D0ABF0
HeapAlloc.KERNEL32(00000000,?,00D0A69F,?,?,?), ref: 00D0ABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00D0AC0E

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 38263c242ae4c0c87769d94bc4326f08c79d21c6cf166df50950285e3701be98
Instruction ID: 1265b7bc82925417b81a25b7e329ad4092d09e838bb3862d6d8b18a9f994b533
Opcode Fuzzy Hash: 38263c242ae4c0c87769d94bc4326f08c79d21c6cf166df50950285e3701be98
Instruction Fuzzy Hash: 56013175200304BFEB204FA9DC58E6B3BADEF8A7557150429F949C3290DA71DC41CB75

Function 00D09ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00D09ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 00D09AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 00D09B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00D09B15
CLSIDFromString.OLE32(?,?), ref: 00D09B21

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 4b7627bb277b15a6de50993897151988cea5a992883e17ac4290e1fe6e242c97
Instruction ID: 9b3a7ffb8f2fef77bad9ea9b6890fc159437c480d7df55146b920dade7606ad4
Opcode Fuzzy Hash: 4b7627bb277b15a6de50993897151988cea5a992883e17ac4290e1fe6e242c97
Instruction Fuzzy Hash: E3014B76600319BFDB214FA8ED94BAABEEEEB44762F148024FD09D2251D770DD409BB0

Function 00D17A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00D17A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00D17A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D17A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00D17A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00D17AD0

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: cb6f469cfc1aa5ed07c71e76ce953e0fdad0252625939e36d57bd46020e0fa93
Instruction ID: 634fc6e0433532be5bad185576992bca1e697724f4403f1f5fab833c2cb3abb2
Opcode Fuzzy Hash: cb6f469cfc1aa5ed07c71e76ce953e0fdad0252625939e36d57bd46020e0fa93
Instruction Fuzzy Hash: B3010535D04B19ABCF10ABA5E848AEDBB79FF08752F040455E946F2260DF30969087B1

Function 00D0AAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D0AADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D0AAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D0AAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D0AAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D0AB10

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: bf1a79e07faf3ae989202516f9d751f077ffaffe016140bb8efd94ec3fdcc08a
Instruction ID: ba482cfa7cc2a7ba6c47b1c2a5a2b8395c83374c195511f4ea42a877613cef6d
Opcode Fuzzy Hash: bf1a79e07faf3ae989202516f9d751f077ffaffe016140bb8efd94ec3fdcc08a
Instruction Fuzzy Hash: 14F04F712013086FEB210FA8EC88F6B3B6EFF46755F440029F946C7290CA609841CA71

Function 00D0AA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D0AA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D0AA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D0AA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D0AA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D0AAAF

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9823e89b69b4958279b11887bf33bbd9fd7457a85de7dc2be9c0ee434a4c60d9
Instruction ID: 40deaa5d3d553185de072e6ae113e98e1b3267b9a5aaed724d35ce939b880077
Opcode Fuzzy Hash: 9823e89b69b4958279b11887bf33bbd9fd7457a85de7dc2be9c0ee434a4c60d9
Instruction Fuzzy Hash: 2FF04F712103046FEB215FA8AC89F6B3BADFF4A755F04041AFD45C72D1DA609C41CA71

Function 00D0EC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00D0EC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 00D0ECAB
MessageBeep.USER32(00000000), ref: 00D0ECC3
KillTimer.USER32(?,0000040A), ref: 00D0ECDF
EndDialog.USER32(?,00000001), ref: 00D0ECF9

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 88f98f4fc2075c5386e4bf3d03522404fbf53c93adf4061c26864dfb0a7537e9
Instruction ID: fcbf950e44407f9f36fb7c5780e8e7d837dc9d9dfeaf43b402bd0561a077a221
Opcode Fuzzy Hash: 88f98f4fc2075c5386e4bf3d03522404fbf53c93adf4061c26864dfb0a7537e9
Instruction Fuzzy Hash: 0A018130500705ABFB355B50DE4EB967BB9FB00706F040959FA87A15E0EBF1AA84CB74

Function 00CEB0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00CEB0BA
StrokeAndFillPath.GDI32(?,?,00D4E680,00000000,?,?,?), ref: 00CEB0D6
SelectObject.GDI32(?,00000000), ref: 00CEB0E9
DeleteObject.GDI32 ref: 00CEB0FC
StrokePath.GDI32(?), ref: 00CEB117

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 3a22da2adb19da3f19ced0d87ae9feb8806896ce247649eb6df587be852cc7a0
Instruction ID: 34114b0ba2b813e75393f469dacdb0bab26f35d482cbaa2dde106404d1fcea37
Opcode Fuzzy Hash: 3a22da2adb19da3f19ced0d87ae9feb8806896ce247649eb6df587be852cc7a0
Instruction Fuzzy Hash: 98F0B679400745AFDB229F6AEC097693B65B710362F088316F829C52F0C7319965DF70

Function 00D1F23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D1F2DA
CoCreateInstance.OLE32(00D5DA7C,00000000,00000001,00D5D8EC,?), ref: 00D1F2F2
CoUninitialize.OLE32 ref: 00D1F555

Strings

.lnk, xrefs: 00D1F28B, 00D1F290, 00D1F29E

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: af24917bea506428c9607d3ea63449dd3c2b96d9aa1ce98a4936220a7380e7cd
Instruction ID: 86ce02655902dc3fc41dc4de51af8ed959b755c82e9d4f5a38e1487512c240af
Opcode Fuzzy Hash: af24917bea506428c9607d3ea63449dd3c2b96d9aa1ce98a4936220a7380e7cd
Instruction Fuzzy Hash: 82A10C72104301AFD700EF64D881EABB7EDEF98714F00491EF65597292EB70EA49DB62

Function 00D1E7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CD53B1,?,?,00CD61FF,?,00000000,00000001,00000000), ref: 00CD662F

CoInitialize.OLE32(00000000), ref: 00D1E85D
CoCreateInstance.OLE32(00D5DA7C,00000000,00000001,00D5D8EC,?), ref: 00D1E876
CoUninitialize.OLE32 ref: 00D1E893

Part of subcall function 00CD936C: __swprintf.LIBCMT ref: 00CD93AB
Part of subcall function 00CD936C: __itow.LIBCMT ref: 00CD93DF

Strings

.lnk, xrefs: 00D1E83B, 00D1E84D

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 239ad7bc5f5eb39db0e8342e031647703483863ab841a50835aee2c3c1cc778f
Instruction ID: 7a24db8e4f95f4818da7f1f4c8aac4dc588bd340558631d326df0256a7baeb06
Opcode Fuzzy Hash: 239ad7bc5f5eb39db0e8342e031647703483863ab841a50835aee2c3c1cc778f
Instruction Fuzzy Hash: 7FA13575604301AFCB14EF14C48495ABBE5FF88720F148959F99A9B3A1CB31ED85CBA1

Function 00CF325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00CF32ED

Part of subcall function 00CFE0D0: __87except.LIBCMT ref: 00CFE10B

Strings

pow, xrefs: 00CF32C5, 00CF32E2

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: b7e8b7148b2184909ef2d8c169f534c8243c405ab6c3c02bbdf5f301a506f656
Instruction ID: cfa5507a8f13979bf50f04212e04cb5c7b3b686a37bcbc6d2aa117faf54e5a82
Opcode Fuzzy Hash: b7e8b7148b2184909ef2d8c169f534c8243c405ab6c3c02bbdf5f301a506f656
Instruction Fuzzy Hash: 5F517D31A0834DA6CB95B714CD0137E2B949B40710F208D29F6E5C22FAEF748F89EA57

Function 00D14606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00D6DC50,?,0000000F,0000000C,00000016,00D6DC50,?), ref: 00D14645

Part of subcall function 00CD936C: __swprintf.LIBCMT ref: 00CD93AB
Part of subcall function 00CD936C: __itow.LIBCMT ref: 00CD93DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 00D146C5

Strings

REMOVE, xrefs: 00D14676
THIS, xrefs: 00D14703

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: bd930a2cf9fec94c5386a97517e8a969ba4dafaa1983cc35bdc0822812f03949
Instruction ID: d424437c6ee6d808506b5d6500000c982ad9cdb9adde872e3c214df8e64d747a
Opcode Fuzzy Hash: bd930a2cf9fec94c5386a97517e8a969ba4dafaa1983cc35bdc0822812f03949
Instruction Fuzzy Hash: C741A474A00209AFCF00EFA4D881AEDB7B5FF49314F188059E956AB392DB30DD85DB60

Function 00D3A63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D6DC00,00000000,?,?,?,?), ref: 00D3A6D8
GetWindowLongW.USER32 ref: 00D3A6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D3A705

Strings

SysTreeView32, xrefs: 00D3A6AA

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: baff5306edb1ebfcdc08d85805e7da00dd3753dd3cd8814c6120cfb8803cc1a9
Instruction ID: 5bbc94d696ca5eb40fd204fcb5d96583e6a9e1c48ae9d0828db2860c51196fe0
Opcode Fuzzy Hash: baff5306edb1ebfcdc08d85805e7da00dd3753dd3cd8814c6120cfb8803cc1a9
Instruction Fuzzy Hash: D8319071601606AFDB258F38CC85BEA77A9FB49324F284725F8B5D32E0D770AC519B60

Function 00D3A0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00D3A15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00D3A172
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D3A196

Strings

SysMonthCal32, xrefs: 00D3A129

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: e9575e8ec4318dafceafd9778371ef5ced5b52b62838714b267c00250ec65423
Instruction ID: e8fabc39e8dbec1470fef00a0a53b2324bac54044ebe3d3f2fe98635e9729efa
Opcode Fuzzy Hash: e9575e8ec4318dafceafd9778371ef5ced5b52b62838714b267c00250ec65423
Instruction Fuzzy Hash: B8219F32610218ABEF158FA4CC42FEA3B7AEF48724F150214FE55AB1D0D6B5AC55DBB0

Function 00D3A88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00D3A941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00D3A94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D3A956

Strings

msctls_updown32, xrefs: 00D3A8BB

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f1033c1f737ef1caa4d4fa79dfe0015c8c1ed8afa3bd910a88743a7837be5713
Instruction ID: 67f4714bf7bd36037adbb117fba6362365458fd6f3575b3061f6251be9321daf
Opcode Fuzzy Hash: f1033c1f737ef1caa4d4fa79dfe0015c8c1ed8afa3bd910a88743a7837be5713
Instruction Fuzzy Hash: F1218EB560020AAFDB10DF28CC91E6737ADEB5A3A4F490059FA449B3A1CA30EC118B71

Function 00D399A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00D39A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00D39A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00D39A65

Strings

Listbox, xrefs: 00D399FD

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 1c6c575c0c3752447770fb134fc8cf52dd1e7444a22be2b66328b3d078df345f
Instruction ID: 52d059d2d5233d779e84b1c8847d1fc2ac6de979ef7a53c47bc0e9daade47a6e
Opcode Fuzzy Hash: 1c6c575c0c3752447770fb134fc8cf52dd1e7444a22be2b66328b3d078df345f
Instruction Fuzzy Hash: CD21C832610218BFDB218F54CC45FBF7B6AEF89750F054125F94497190C6B19C518BB0

Function 00D0B5B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00D0B5D2
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D0B5E9
SendMessageW.USER32(?,0000000D,?,00000000), ref: 00D0B621

Strings

@U=u, xrefs: 00D0B621

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 98a3f411486d2b3c786e87d9dc86b5e5cc7a76292ec154ee6342cccb0d2236c2
Instruction ID: 2e6e8d509ccc052a79b26580918e859d4a5d6afb256aba3fe6e90f600e265f67
Opcode Fuzzy Hash: 98a3f411486d2b3c786e87d9dc86b5e5cc7a76292ec154ee6342cccb0d2236c2
Instruction Fuzzy Hash: C8218172604208BFDF10DFA8C842AAEB7BDEF44350F54045BE509E7290DB72BE519AB4

Function 00D287A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000402,00000000,00000000), ref: 00D287F3
SendMessageW.USER32(0000000C,00000000,?), ref: 00D28834
SendMessageW.USER32(0000000C,00000000,?), ref: 00D2885C

Strings

@U=u, xrefs: 00D287F3, 00D28834, 00D2885C

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 3a931ce544c0d4ef67f2edfd33057e62d667025f6fb4f3a93a6ddff88f7613f2
Instruction ID: ccf24453990edc4d3d79d69aad7d1b160ef8ae9281c1ebd54d4818feb383adf9
Opcode Fuzzy Hash: 3a931ce544c0d4ef67f2edfd33057e62d667025f6fb4f3a93a6ddff88f7613f2
Instruction Fuzzy Hash: 07213B79600611EFD710EB19E881D2AB7E5FB09710B448152FA09DB7B1CB31FC91DBA4

Function 00D3A409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00D3A46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00D3A482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00D3A48F

Strings

msctls_trackbar32, xrefs: 00D3A444

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 4986600599265f31fa9023215e6a95e77dda72fa3bea51b6a217846c4d11292e
Instruction ID: 86160df33ba68f70121a573c0bb66f15a372d6e9ee5f4fa8a5f44a7df826b376
Opcode Fuzzy Hash: 4986600599265f31fa9023215e6a95e77dda72fa3bea51b6a217846c4d11292e
Instruction Fuzzy Hash: 8211C671240308BEEF245F69CC49FAB3B69EF89764F054118FA89A61D1D6B2E811DB34

Function 00D39617 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00D39699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00D396A8

Strings

@U=u, xrefs: 00D396A8
edit, xrefs: 00D3967D

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: 149954a2a4372228bdde65692b518556d8bfb189c357c165ff2aab7c6904c961
Instruction ID: 78bca78077d2fd6c64e5b916da0cf41d7304dd4e2fc32f69991a761a8ba71dd4
Opcode Fuzzy Hash: 149954a2a4372228bdde65692b518556d8bfb189c357c165ff2aab7c6904c961
Instruction Fuzzy Hash: 71118C71502208ABEB215FA4DCA2EEB7B6AEB053B8F144314F965932E0C7B1DC519B70

Function 00D0B781 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D0B7EF

Strings

@U=u, xrefs: 00D0B7EF
ListBox, xrefs: 00D0B7B9
ComboBox, xrefs: 00D0B78B

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$ComboBox$ListBox
API String ID: 3850602802-2258501812
Opcode ID: 74573e90d6f4b3e4641f7ce79533709a598b97cc3dba86be74a728121c05b8d2
Instruction ID: 95ee5e7bcd7298c1a6780d51cb2d6b811aea4b4e8251e990e2ac599e4c38bda9
Opcode Fuzzy Hash: 74573e90d6f4b3e4641f7ce79533709a598b97cc3dba86be74a728121c05b8d2
Instruction Fuzzy Hash: 6C01B571640115AFCB04EBA4CC52AFE3369AF46360704061BF5B5573D1EB709908DB70

Function 00D0B67D Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 00D0B6EB

Strings

@U=u, xrefs: 00D0B6EB
ListBox, xrefs: 00D0B6B5
ComboBox, xrefs: 00D0B687

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$ComboBox$ListBox
API String ID: 3850602802-2258501812
Opcode ID: d52f8a603b1619bad50d46ef4206f9a2963d38935cb50da5757d897ba591e8e3
Instruction ID: 638459e4c7f9e6223bfcac46266faa57ea3912a54f90abb77cdaea29758e98f6
Opcode Fuzzy Hash: d52f8a603b1619bad50d46ef4206f9a2963d38935cb50da5757d897ba591e8e3
Instruction Fuzzy Hash: 7901F2B1640109AFCB04EBA4C952FFF33A9DF06300F50001BB946B72C1EB509E089BB5

Function 00D0B700 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 00D0B76C

Strings

@U=u, xrefs: 00D0B76C
ListBox, xrefs: 00D0B738
ComboBox, xrefs: 00D0B70A

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$ComboBox$ListBox
API String ID: 3850602802-2258501812
Opcode ID: 1c9fc31ab3b07e5e0eea5603f6731042d5435b440e45c70fd014be9b61c16e4a
Instruction ID: 19d787a2de7bad2d2354ef577f9f10aeb8f4e819c4bf076767ba5089629548dc
Opcode Fuzzy Hash: 1c9fc31ab3b07e5e0eea5603f6731042d5435b440e45c70fd014be9b61c16e4a
Instruction Fuzzy Hash: 6F01ADB1640209BBCB04EBA4C942BFE73AD9F45354B14001BB946B32D2EB609E099BB5

Function 00D3D974 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00D91628,00D404C9,000000FC,?,00000000,00000000,?,?,?,00D4E47E,?,?,?,?,?), ref: 00D3D976
GetFocus.USER32 ref: 00D3D97E

Part of subcall function 00CEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CEB35F

Part of subcall function 00CEB526: GetWindowLongW.USER32(?,000000EB), ref: 00CEB537

SendMessageW.USER32(00F76550,000000B0,000001BC,000001C0), ref: 00D3D9F0

Strings

@U=u, xrefs: 00D3D9F0

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: 411893cfcfeae5a3bb3e400d48d63bf1ba6b2202e698a7658238671f30ab9db8
Instruction ID: 2fbc613e0ec47086ac5ce06f1ea2ad067e8381e23019d91f5cb8c8cfd0d36863
Opcode Fuzzy Hash: 411893cfcfeae5a3bb3e400d48d63bf1ba6b2202e698a7658238671f30ab9db8
Instruction Fuzzy Hash: 1A0140366007418BC7249B28E884B6677ABBB89315F18036AE819C73A1DB31AC46CF70

Function 00CD1000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD103B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00CD1052

SendMessageW.USER32(?,0000000C,00000000,?), ref: 00CD101C
GetParent.USER32 ref: 00D42026
InvalidateRect.USER32(00000000,?,00000000,00000001,?,0000000C,00000000,?), ref: 00D4202D

Strings

@U=u, xrefs: 00CD101C

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend$InvalidateParentRectTimeout
String ID: @U=u
API String ID: 3648793173-2594219639
Opcode ID: edb205dfdc7ed8cf6080e2cf54c7281fe04acc22974a08bd7b037d9537ab907e
Instruction ID: 27cd83a0b49dee7a57bcf3b05ca0735139abed8a0d9b5d305ad3685cc91ea006
Opcode Fuzzy Hash: edb205dfdc7ed8cf6080e2cf54c7281fe04acc22974a08bd7b037d9537ab907e
Instruction Fuzzy Hash: 2AF030311403D8FBEF312F61DC49F957BA9AB12791F144016FE849B2A1C6A36891EB70

Function 00CF2287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00CF2350,?), ref: 00CF22A1
GetProcAddress.KERNEL32(00000000), ref: 00CF22A8

Strings

combase.dll, xrefs: 00CF229C
RoInitialize, xrefs: 00CF2290

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 4a8eac34500f03c06a13f298e7356e23043d895a59b0777ef5d307e7e84145d0
Instruction ID: 4f2ddf8ee3c73546f0fb9e9b134fc83cc91a468087a2d9a94d618b01c2737eb0
Opcode Fuzzy Hash: 4a8eac34500f03c06a13f298e7356e23043d895a59b0777ef5d307e7e84145d0
Instruction Fuzzy Hash: A9E01A706A0701AFEB605F74EC49B253A6AA710712F104022BA12E52A0CBB84088CF35

Function 00CF235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00CF2276), ref: 00CF2376
GetProcAddress.KERNEL32(00000000), ref: 00CF237D

Strings

RoUninitialize, xrefs: 00CF2365
combase.dll, xrefs: 00CF2371

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 71a7d1372dad47714e428b1100483fd14ca3227d89060632ed90f48e010ddff3
Instruction ID: c7501a9c105a29ce4982cfb3c4da324e28fe038194c13634cc694aa8dc57b696
Opcode Fuzzy Hash: 71a7d1372dad47714e428b1100483fd14ca3227d89060632ed90f48e010ddff3
Instruction Fuzzy Hash: 5BE0B6B4554304AFEB705F60FD0DB253A6ABB10703F100416FA09E22B8CBB85548DB3A

Function 00D4AC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00D4AC60
__swprintf.LIBCMT ref: 00D4AC94

Strings

%.3d, xrefs: 00D4AC6E
WIN_XPe, xrefs: 00D4ACD3

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 043a2acccfe524f6a47630a6ae7989a3d3cb4f88ba33d91f85baca497497877e
Instruction ID: f640e3cc340ef5663bf75df8eaf4bd61a330b875136a10dfd21414749bc85f57
Opcode Fuzzy Hash: 043a2acccfe524f6a47630a6ae7989a3d3cb4f88ba33d91f85baca497497877e
Instruction Fuzzy Hash: 38E0C27184465CDBCB90A744CD84DF9737CA704701F1000C3B98AE1000D634CB84AF33

Function 00CD42F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00CD42EC,?,00CD42AA,?), ref: 00CD4304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00CD4316

Strings

Wow64RevertWow64FsRedirection, xrefs: 00CD4310
kernel32.dll, xrefs: 00CD42FF

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 96e227ba8fcdb2f0ad45cc8517595066213f913d9722267dbb5cd48351e6fabc
Instruction ID: 8391f6b4b773ef55594a65c75789f5a78dc99ba3822a92a2e268d858ea0e2c7b
Opcode Fuzzy Hash: 96e227ba8fcdb2f0ad45cc8517595066213f913d9722267dbb5cd48351e6fabc
Instruction Fuzzy Hash: D6D0A770400B12DFC7346F34E80CA0176E8EB04702B10441BFA65D2370D7B0C8848B30

Function 00D32205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D321FB,?,00D323EF), ref: 00D32213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00D32225

Strings

GetProcessId, xrefs: 00D3221F
kernel32.dll, xrefs: 00D3220E

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: c7dafe5ce9dde2772aff8c1448fbc8651eb8a716837e16a6203175e6d23b19d8
Instruction ID: c1c3371ab2894fb326af48c7f7648dee89e64b6bee6377af94db0e1c5644ac2b
Opcode Fuzzy Hash: c7dafe5ce9dde2772aff8c1448fbc8651eb8a716837e16a6203175e6d23b19d8
Instruction Fuzzy Hash: 71D0A738800B139FC7315F30FC08A1276F9EB08301F144419FC41E2250D770D88487B0

Function 00CD434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00CD41BB,00CD4341,?,00CD422F,?,00CD41BB,?,?,?,?,00CD39FE,?,00000001), ref: 00CD4359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00CD436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 00CD4365
kernel32.dll, xrefs: 00CD4354

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 53719b4c3abe344478124367deb5bd3005ea12253baa50a17244c6b8d7315fab
Instruction ID: 6d537a0f55d62071ace60dba4cd6402e97393dc15cbd04548899bf2e8e15af00
Opcode Fuzzy Hash: 53719b4c3abe344478124367deb5bd3005ea12253baa50a17244c6b8d7315fab
Instruction Fuzzy Hash: 9AD0A730400B129FC7347F34E808A0176E8AB10716F10441AF995E2360D7B0D8848B30

Function 00D10564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00D1052F,?,00D106D7), ref: 00D10572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00D10584

Strings

oleaut32.dll, xrefs: 00D1056D
UnRegisterTypeLibForUser, xrefs: 00D1057E

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 081e2b24f4f2708e116eff02c8ae5cdbe360c722236946898cc37ce525afd308
Instruction ID: 0e152c18528ba53e051dc8cf9bd384f2ca4f20f922f56523a0fd46f2f47dd5ec
Opcode Fuzzy Hash: 081e2b24f4f2708e116eff02c8ae5cdbe360c722236946898cc37ce525afd308
Instruction Fuzzy Hash: 1DD09E70504712AED7207F76A808A527BE5AF04711B55851AED55D2250DAB0D4C4CB70

Function 00D10539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,00D1051D,?,00D105FE), ref: 00D10547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00D10559

Strings

RegisterTypeLibForUser, xrefs: 00D10553
oleaut32.dll, xrefs: 00D10542

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: b945c91a5ebf5a45e33b3fb806d4d0873cbd9fc284065b224b273d17652df818
Instruction ID: d67cedf5ea43cc6a64f2240fe48e5f390b3301c2d52234c81e0e5c0411a89df6
Opcode Fuzzy Hash: b945c91a5ebf5a45e33b3fb806d4d0873cbd9fc284065b224b273d17652df818
Instruction Fuzzy Hash: 5ED0C770544B12AFD730AF75FC08A517AE5AF14752B15C41DE956D2250DAB0C8C4CB70

Function 00D2ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D2ECBE,?,00D2EBBB), ref: 00D2ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00D2ECE8

Strings

GetSystemWow64DirectoryW, xrefs: 00D2ECE2
kernel32.dll, xrefs: 00D2ECD1

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: e4dd20779c5a7d3ab748be567a36ceeaf24c8a53149a46bbe00c5548265a2f28
Instruction ID: 02077b380620c74489780abd5a149467219fdceafcf9ce4017fd9b35ed60d178
Opcode Fuzzy Hash: e4dd20779c5a7d3ab748be567a36ceeaf24c8a53149a46bbe00c5548265a2f28
Instruction Fuzzy Hash: 60D0A730400B339FCB306FB4F848B12BBE8AB10305B14841AFC45D2350DBB0C8849730

Function 00D2BADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00D2BAD3,00000001,00D2B6EE,?,00D6DC00), ref: 00D2BAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00D2BAFD

Strings

kernel32.dll, xrefs: 00D2BAE6
GetModuleHandleExW, xrefs: 00D2BAF7

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 7099c3dd9dbd0deb2ba38529dca87de54fc592b5c569bd869db3b43b4b7af1bb
Instruction ID: be1fd1324215bc2f5281c2149929a9c6a30c909656e619a5be951bae00266b29
Opcode Fuzzy Hash: 7099c3dd9dbd0deb2ba38529dca87de54fc592b5c569bd869db3b43b4b7af1bb
Instruction Fuzzy Hash: 63D05E30800B229EC7306F30B848A1277E8AB10315B14481AB883D2250EBB0C884C730

Function 00D33BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00D33BD1,?,00D33E06), ref: 00D33BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D33BFB

Strings

RegDeleteKeyExW, xrefs: 00D33BF5
advapi32.dll, xrefs: 00D33BE4

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 8058f2406c9516516d382d9b87197d2c26bfa54d2cda56ec9596ef5e95af00fd
Instruction ID: 6270c7e941b817b2d405629a2a6f40664366860c3a5121f03aad6cb1ac9392c9
Opcode Fuzzy Hash: 8058f2406c9516516d382d9b87197d2c26bfa54d2cda56ec9596ef5e95af00fd
Instruction Fuzzy Hash: 03D0C770500B539FD7306F75E909A93BEF5AB05715F145419E855E2250E6B0D4C48F70

Function 00D09B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f1b6ca6cf4d5a8c17acea71f55a15baff78cea1afc40c12ec9cae9c9ca5739
Instruction ID: 6a83d944a015a0dc96e123b8378d34b9e763ce4dc987fd6d22578020cd0facf8
Opcode Fuzzy Hash: 27f1b6ca6cf4d5a8c17acea71f55a15baff78cea1afc40c12ec9cae9c9ca5739
Instruction Fuzzy Hash: C5C14B75A0021AEFDB14CF94C8A4BAEF7B5FF48700F144598E949AB292D730DE41DBA4

Function 00D2AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D2AAB4
CoUninitialize.OLE32 ref: 00D2AABF

Part of subcall function 00D10213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D1027B

VariantInit.OLEAUT32(?), ref: 00D2AACA
VariantClear.OLEAUT32(?), ref: 00D2AD9D

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 3964e8f7f8cc196b57c9b649b406c7dbc5a54e5b8387c8c7c1c3f3fbc049dd58
Instruction ID: c24602fd8e0b5792c79ae18d0a02bfa044e68dde682babedb58d371efda8ce21
Opcode Fuzzy Hash: 3964e8f7f8cc196b57c9b649b406c7dbc5a54e5b8387c8c7c1c3f3fbc049dd58
Instruction Fuzzy Hash: 3FA16A792047119FCB10EF18D481B1AB7E5FF98724F148449FA969B3A2CB30ED40DBA6

Function 00D091CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D091DD
SysAllocString.OLEAUT32(?), ref: 00D09286
VariantCopy.OLEAUT32 ref: 00D092B5
VariantClear.OLEAUT32(?), ref: 00D092DC

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 934a8568d9b72c41e9e11e87e6a24284efe6f02738c9cf7674006cd598e67d70
Instruction ID: d0b22c829180490eefadfdc2b4007ecb73698add8ed64274169989fd5c64e71e
Opcode Fuzzy Hash: 934a8568d9b72c41e9e11e87e6a24284efe6f02738c9cf7674006cd598e67d70
Instruction Fuzzy Hash: 56515030604306ABDB24AF66D4B576EF3E5EF44310B24981FE59ACB2D2DB70D8819B35

Function 00D1390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00D13966
SetKeyboardState.USER32(00000080,?,00000001), ref: 00D13982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00D139EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00D13A4D

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 751538681cebda277ea18290af3f89d510a177089b065f29536be643ccaae325
Instruction ID: c16ed06145acaf734a43ae5d3ff3c1f6cd412f17725117e12a43065b0758a5f1
Opcode Fuzzy Hash: 751538681cebda277ea18290af3f89d510a177089b065f29536be643ccaae325
Instruction Fuzzy Hash: 7B41E470A44248BAEF308B64E805BFDBBB99B55321F08015AF4C1A62C1CFB58AD5DB75

Function 00D1E698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00D1E742
GetLastError.KERNEL32(?,00000000), ref: 00D1E768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00D1E78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00D1E7B9

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a1b0afb7a8ed1c69ff2f234acb0c5f63122ae21d1fdb6c871982297f3df30b66
Instruction ID: 9300409aa29b28d04b7b54e8c7489e54d2ab9479b0f66ccf39f7e40998cd3978
Opcode Fuzzy Hash: a1b0afb7a8ed1c69ff2f234acb0c5f63122ae21d1fdb6c871982297f3df30b66
Instruction Fuzzy Hash: 34412939600610DFDB11EF15C444A4DBBE5FF59720B198489ED469B3A2CB70FD40DBA1

Function 00D3D7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00D3D807
GetWindowRect.USER32(?,?), ref: 00D3D87D
PtInRect.USER32(?,?,00D3ED5A), ref: 00D3D88D
MessageBeep.USER32(00000000), ref: 00D3D8FE

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: a95a9d675bafe406af171f0a405d25b611d789e6a0677110f4aa4206d50fa289
Instruction ID: 106f084a30adc3fd2625825db6295fb80b5634c9538ba6902bab20446708dcd9
Opcode Fuzzy Hash: a95a9d675bafe406af171f0a405d25b611d789e6a0677110f4aa4206d50fa289
Instruction Fuzzy Hash: 24416875A00219DFCB21DF58E884BA9BBB6FB49311F1881AAE814DB361D730E945CF70

Function 00D13A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00D13AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00D13AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00D13B34
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00D13B92

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 83798cb4a4b1511857c09bb960161f32134579b088018f3e0e8d0dcc67bef2f2
Instruction ID: 74612b91b22dc72008dcd546f9f1f12a9a4e07b0f60d10c135719494b99ca3d9
Opcode Fuzzy Hash: 83798cb4a4b1511857c09bb960161f32134579b088018f3e0e8d0dcc67bef2f2
Instruction Fuzzy Hash: A9312470A08358BEEF348BA4E9197FE7BA69B55310F08011AE481922D1EF758BC5C771

Function 00D04004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00D04038
__isleadbyte_l.LIBCMT ref: 00D04066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00D04094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00D040CA

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 7dc76931bc2c8a126eb064d4eff6ee669e6147aa17b8e9815a25286383a0f912
Instruction ID: d2a14e8f43b7757d65edf776399c57d8c56e45d6b40f4a96a4f23550533e1eaa
Opcode Fuzzy Hash: 7dc76931bc2c8a126eb064d4eff6ee669e6147aa17b8e9815a25286383a0f912
Instruction Fuzzy Hash: 3C31A171600206AFDB219F65C844FBB7BA5FF40351F194428EB69A71D1E731E890D7A0

Function 00D3F1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CEB35F

GetCursorPos.USER32(?), ref: 00D3F211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00D4E4C0,?,?,?,?,?), ref: 00D3F226
GetCursorPos.USER32(?), ref: 00D3F270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00D4E4C0,?,?,?), ref: 00D3F2A6

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: a594ea016f97bc0e9856b4b6422c86069bd4f599d3d88cfb2e9e2482656f268a
Instruction ID: f09d5c2e64726c5a52df8c5005ed12f426c205d8cdcd60ef8e36eb475211ed8a
Opcode Fuzzy Hash: a594ea016f97bc0e9856b4b6422c86069bd4f599d3d88cfb2e9e2482656f268a
Instruction Fuzzy Hash: 11217E3D900118EFCB258F94D858EEB7BB5EB0A711F084069F905C72A1D3309D61DB74

Function 00D2431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D24358

Part of subcall function 00D243E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D24401
Part of subcall function 00D243E2: InternetCloseHandle.WININET(00000000), ref: 00D2449E

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: b7d936dafbd48235c9baf65f6cfb8aa01d820af0392489365ebcf716b8726350
Instruction ID: dc68fe8d9119127bb2f9d706d83caef8570882fd4db752418844ac8eafcae572
Opcode Fuzzy Hash: b7d936dafbd48235c9baf65f6cfb8aa01d820af0392489365ebcf716b8726350
Instruction Fuzzy Hash: 85219231240715BBEB11DF60EC00FBBB7A9FF68719F14401ABE5696650DB72D82197B0

Function 00D28A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00D28AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00D28AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 00D28AFF
WSAGetLastError.WSOCK32(00000000), ref: 00D28B16

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: c758297532f70304b23a58827052683fa8a23649d7ed08e1d209bdfb5adcd8b2
Instruction ID: 362bc0cd3f66893052a5455d0fe529fa702a9d11037bed01cb4a72be7b38ac01
Opcode Fuzzy Hash: c758297532f70304b23a58827052683fa8a23649d7ed08e1d209bdfb5adcd8b2
Instruction Fuzzy Hash: 0B219672A002249FC7219F69D885A9EBBECEF59310F00416AF84AD7351DB74DD418FB0

Function 00D38A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00D38AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D38AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D38ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00D38ADC

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 16164643a3d03d4428ac38b68913b5193dcfa7353828ecb204613787ec31febc
Instruction ID: 439516dc8dd92d28213a2a708c5891ba4678c38e02863d2828050e4e5aeb8611
Opcode Fuzzy Hash: 16164643a3d03d4428ac38b68913b5193dcfa7353828ecb204613787ec31febc
Instruction Fuzzy Hash: B5119031245615AFE714AB28CC05FBA77A9EF85321F18411AF916C73E2CB70AC4197B4

Function 00D10AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D11E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00D10ABB,?,?,?,00D1187A,00000000,000000EF,00000119,?,?), ref: 00D11E77
Part of subcall function 00D11E68: lstrcpyW.KERNEL32(00000000,?,?,00D10ABB,?,?,?,00D1187A,00000000,000000EF,00000119,?,?,00000000), ref: 00D11E9D
Part of subcall function 00D11E68: lstrcmpiW.KERNEL32(00000000,?,00D10ABB,?,?,?,00D1187A,00000000,000000EF,00000119,?,?), ref: 00D11ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00D1187A,00000000,000000EF,00000119,?,?,00000000), ref: 00D10AD4
lstrcpyW.KERNEL32(00000000,?,?,00D1187A,00000000,000000EF,00000119,?,?,00000000), ref: 00D10AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,00D1187A,00000000,000000EF,00000119,?,?,00000000), ref: 00D10B2E

Strings

cdecl, xrefs: 00D10B25

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 31c525439588cee28f5e3b09766817cea51f1fc557b5121ccdae34c5dc0968df
Instruction ID: 71711e2353a9c4d8e216cfdb9fc3dd4cc724a82725f4276f5b016e99cdc86a7a
Opcode Fuzzy Hash: 31c525439588cee28f5e3b09766817cea51f1fc557b5121ccdae34c5dc0968df
Instruction Fuzzy Hash: BF11A236100305BFDB25AF64E805DBA7BA9FF45350B80406AF905CB250EF719881C7B0

Function 00D02F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D02FB5

Part of subcall function 00CF395C: __FF_MSGBANNER.LIBCMT ref: 00CF3973
Part of subcall function 00CF395C: __NMSG_WRITE.LIBCMT ref: 00CF397A
Part of subcall function 00CF395C: RtlAllocateHeap.NTDLL(00F50000,00000000,00000001,00000001,00000000,?,?,00CEF507,?,0000000E), ref: 00CF399F

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 59444f7399c717c211de61b5eb237ebcd7624389bce471d35be7732b87bfe99e
Instruction ID: 65dc637629098124dd9867bd2011e8e70b782c11430e5f453cfef472deb875b3
Opcode Fuzzy Hash: 59444f7399c717c211de61b5eb237ebcd7624389bce471d35be7732b87bfe99e
Instruction Fuzzy Hash: 6C11A73250A316ABDB713F70AC497793F98AF443A1F284925FE4DD6191DB30C940AAB1

Function 00D1058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00D105AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00D105C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00D105DD
FreeLibrary.KERNEL32(?), ref: 00D10632

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 103b1eeeae365b66976d2070b1469dfc03bdfbb8beab965475b450ba48e6bd08
Instruction ID: e0acb9e44359d0a892c3b16dbe689e8dffe9bcc326d4d595d9c0855df309cfea
Opcode Fuzzy Hash: 103b1eeeae365b66976d2070b1469dfc03bdfbb8beab965475b450ba48e6bd08
Instruction Fuzzy Hash: 38215C71900309BBDB20AF91EC88ADABBB9EB40704F008469E956D6150DBB0EAD59B70

Function 00D16713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00D16733
_memset.LIBCMT ref: 00D16754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00D167A6
CloseHandle.KERNEL32(00000000), ref: 00D167AF

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 0bd01f9508228e5b1d3f49ec3a928fdc7bac206800cee7e9ab9026eb3a0dcb84
Instruction ID: 554224042ae6fc609cef22b264aba1cc80ab514abaea0dd9198ca5870203f8c9
Opcode Fuzzy Hash: 0bd01f9508228e5b1d3f49ec3a928fdc7bac206800cee7e9ab9026eb3a0dcb84
Instruction Fuzzy Hash: 1E1194759013287AE73057A5AC4DFEABABCEB44764F10419AF904E71D0D6748E80CA75

Function 00D0B1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D0AA79
Part of subcall function 00D0AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D0AA83
Part of subcall function 00D0AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D0AA92
Part of subcall function 00D0AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D0AA99
Part of subcall function 00D0AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D0AAAF

GetLengthSid.ADVAPI32(?,00000000,00D0ADE4,?,?), ref: 00D0B21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00D0B227
HeapAlloc.KERNEL32(00000000), ref: 00D0B22E
CopySid.ADVAPI32(?,00000000,?), ref: 00D0B247

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 1d1a2690d8d3aa10468f58704a6171fecfd3a963b0027cce99dc9a15f7ad3aa4
Instruction ID: 6576af0d2f8e86fa6ac96bf07819804d53cb70daf7e7914b4f45c4341347b114
Opcode Fuzzy Hash: 1d1a2690d8d3aa10468f58704a6171fecfd3a963b0027cce99dc9a15f7ad3aa4
Instruction Fuzzy Hash: A711B271A00305AFCB149F68CC44BAEB7A9EF84318B14802EE946D7290D7319E44CB34

Function 00D0B478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00D0B498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D0B4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D0B4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D0B4DB

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4aee79d5979e78b30ced386ce7d3c45b4c7ee2d9e5ea28f013ee079dc459cc93
Instruction ID: dd5b0ca76c240089fb1efc8e9e4bcc95d8d2a13df658ba3e2b018638ddfb12b0
Opcode Fuzzy Hash: 4aee79d5979e78b30ced386ce7d3c45b4c7ee2d9e5ea28f013ee079dc459cc93
Instruction Fuzzy Hash: 1A11187A900218FFDB11DFA9C985F9DBBB4FB08714F204092EA04B7295D771AE11DBA4

Function 00CEB55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00CEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CEB35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00CEB5A5
GetClientRect.USER32(?,?), ref: 00D4E69A
GetCursorPos.USER32(?), ref: 00D4E6A4
ScreenToClient.USER32(?,?), ref: 00D4E6AF

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 68c4881c270d415b45dbfd620202685d67cc5907f5891b9eebe5b7d89f6b42fa
Instruction ID: b7ceb3ad015beb4c5a627fb72e12ba4d37ff293931fba9c474c264c877eb286b
Opcode Fuzzy Hash: 68c4881c270d415b45dbfd620202685d67cc5907f5891b9eebe5b7d89f6b42fa
Instruction Fuzzy Hash: 9911363190126ABBCB10DF95D8858BE7BBAFB09305F000851E952E7240D730AA82CBB1

Function 00D1732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D17352
MessageBoxW.USER32(?,?,?,?), ref: 00D17385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00D1739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00D173A2

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 895e0cf7707c9a1a8e1d1206d664f8f635defdff5ec69612047520a9e56b11f6
Instruction ID: f1efc52888fa2886a79899a70706ed19aabf5306683e5234da529caac9b61553
Opcode Fuzzy Hash: 895e0cf7707c9a1a8e1d1206d664f8f635defdff5ec69612047520a9e56b11f6
Instruction Fuzzy Hash: AA11E172A08304BFC7019BA8AC09ADE7BAA9B45311F044216FD35D33A1DA708D4097B5

Function 00D04DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00D04E16

Part of subcall function 00D054F5: __fltout2.LIBCMT ref: 00D0551E

__cftog_l.LIBCMT ref: 00D04E3C
__cftoe_l.LIBCMT ref: 00D04E6E

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: d073642b3603ed60a22c608c30b56bb8b6549f2583cfb830f7038cd29fa6a8d7
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: D70148B600014ABBCF125E84DC05DEE3F22BB18350B588455FE2C590B5D336CAB2ABA1

Function 00CF7452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CF7A0D: __getptd_noexit.LIBCMT ref: 00CF7A0E

__lock.LIBCMT ref: 00CF748F
InterlockedDecrement.KERNEL32(?), ref: 00CF74AC
_free.LIBCMT ref: 00CF74BF
InterlockedIncrement.KERNEL32(00F648B0), ref: 00CF74D7

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: c59db5f27bce01eaeaa68f98909ac6d6d6c1b9a7c30674f82758619322d1bdcd
Instruction ID: 94c69eda1fe5b647ad0d9fa0c38df77ecfbbdf664839860414e6a32ff4bd0f07
Opcode Fuzzy Hash: c59db5f27bce01eaeaa68f98909ac6d6d6c1b9a7c30674f82758619322d1bdcd
Instruction Fuzzy Hash: 7501D6329097199BD7A1AF68940577DBF60BF04710F194216FA34A3790C7345A41DFE3

Function 00CF7A94 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00CF7AD8

Part of subcall function 00CF7CF4: __mtinitlocknum.LIBCMT ref: 00CF7D06
Part of subcall function 00CF7CF4: EnterCriticalSection.KERNEL32(00000000,?,00CF7ADD,0000000D), ref: 00CF7D1F

InterlockedIncrement.KERNEL32(?), ref: 00CF7AE5
__lock.LIBCMT ref: 00CF7AF9
___addlocaleref.LIBCMT ref: 00CF7B17

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: a95e9390be2c72717fd7e95be4b15f15b19812491d0a1682d5e056a11725c199
Instruction ID: d5d31d90c96ef1245149741fb931064cee93b5c7d65458601194d76115333b5a
Opcode Fuzzy Hash: a95e9390be2c72717fd7e95be4b15f15b19812491d0a1682d5e056a11725c199
Instruction Fuzzy Hash: AC018471404B04DFD760EF75C905759B7F0EF40325F20890EE595977A0CB70A644DB22

Function 00D3E32E Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D3E33D
_memset.LIBCMT ref: 00D3E34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00D93D00,00D93D44), ref: 00D3E37B
CloseHandle.KERNEL32 ref: 00D3E38D

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 6b402da4fb19e7a66ce0ffd2d5a449df2a83b0efbe919ba57d1ebf84d396653a
Instruction ID: 696c3ea6c1f794093c4c0c968f30615f07b9aedc1d8663df7d89f6f7a279a8d6
Opcode Fuzzy Hash: 6b402da4fb19e7a66ce0ffd2d5a449df2a83b0efbe919ba57d1ebf84d396653a
Instruction Fuzzy Hash: D7F05EF1540304BAE7101B60AC5AF777E5CDB04B55F004422BF08D62E2D3759E0096B9

Function 00D3EA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00CEAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00CEAFE3
Part of subcall function 00CEAF83: SelectObject.GDI32(?,00000000), ref: 00CEAFF2
Part of subcall function 00CEAF83: BeginPath.GDI32(?), ref: 00CEB009
Part of subcall function 00CEAF83: SelectObject.GDI32(?,00000000), ref: 00CEB033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00D3EA8E
LineTo.GDI32(00000000,?,?), ref: 00D3EA9B
EndPath.GDI32(00000000), ref: 00D3EAAB
StrokePath.GDI32(00000000), ref: 00D3EAB9

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 6d5becef59aaf8238e333814cb6bec82277f611530656920a452be628eb2773d
Instruction ID: e1436a308aa8a176328cd7c7cc22d541ecce11f4b0fd73bcd877d29d462cbf3f
Opcode Fuzzy Hash: 6d5becef59aaf8238e333814cb6bec82277f611530656920a452be628eb2773d
Instruction Fuzzy Hash: 40F05E3200535ABBDB22AF98AC09FCA3F1AAF06312F084102FE11A12E187B45561DBB5

Function 00D0C82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00D0C84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D0C85D
GetCurrentThreadId.KERNEL32 ref: 00D0C864
AttachThreadInput.USER32(00000000), ref: 00D0C86B

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b89533d07e8378bf63211bc47dd45901aac5c2317052a5e64fe4b1c0d712aca5
Instruction ID: 7584d0e44094e593c87646141aa14cfe2922748f515ce029e8a9dbde1d92f031
Opcode Fuzzy Hash: b89533d07e8378bf63211bc47dd45901aac5c2317052a5e64fe4b1c0d712aca5
Instruction Fuzzy Hash: FFE03971141328BADB201BA29C0DFDB7F1DEF167A2F408121BA0DC45A0C6B1C581DBF0

Function 00D0B0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00D0B0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,00D0AC9D), ref: 00D0B0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00D0AC9D), ref: 00D0B0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,00D0AC9D), ref: 00D0B0F1

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 6c53c070e89182ca6dc71f4ec5c826c0c60728731e15c41ab9b66bab3e8238ae
Instruction ID: 18be8f18e29b8485092eb01c0e2b535e2d83a1096e4c63b8b0a1a16a917a4a38
Opcode Fuzzy Hash: 6c53c070e89182ca6dc71f4ec5c826c0c60728731e15c41ab9b66bab3e8238ae
Instruction Fuzzy Hash: 65E04F326013129BD7301FB69C0CB473BA9AF557A2F118828AA45D6180EA2484418770

Function 00CEB47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00CEB496
SetTextColor.GDI32(?,000000FF), ref: 00CEB4A0
SetBkMode.GDI32(?,00000001), ref: 00CEB4B5
GetStockObject.GDI32(00000005), ref: 00CEB4BD
GetWindowDC.USER32(?,00000000), ref: 00D4DE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 00D4DE38
GetPixel.GDI32(00000000,?,00000000), ref: 00D4DE51
GetPixel.GDI32(00000000,00000000,?), ref: 00D4DE6A
GetPixel.GDI32(00000000,?,?), ref: 00D4DE8A
ReleaseDC.USER32(?,00000000), ref: 00D4DE95

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 0198c7555202cb44ba872adc803548bcc65e46a29eb628337388e8456f81b692
Instruction ID: 3675c89c6dcba2cc1e2c032722606368187089140a639ccebbab4d57657f3ea6
Opcode Fuzzy Hash: 0198c7555202cb44ba872adc803548bcc65e46a29eb628337388e8456f81b692
Instruction Fuzzy Hash: 86E0ED31500740AFDB315B75EC09BD93B12AB52336F14C666FAB9D81E5C7B18A81DB31

Function 00D0B2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D0B2DF
UnloadUserProfile.USERENV(?,?), ref: 00D0B2EB
CloseHandle.KERNEL32(?), ref: 00D0B2F4
CloseHandle.KERNEL32(?), ref: 00D0B2FC

Part of subcall function 00D0AB24: GetProcessHeap.KERNEL32(00000000,?,00D0A848), ref: 00D0AB2B
Part of subcall function 00D0AB24: HeapFree.KERNEL32(00000000), ref: 00D0AB32

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 613e0348215b7ec83a17833884213566c720eaf0beb4ef856d1819f350d44d7f
Instruction ID: 89a3f43bfd3408902d676b145e7316975afda5974038994790a60e58159449ec
Opcode Fuzzy Hash: 613e0348215b7ec83a17833884213566c720eaf0beb4ef856d1819f350d44d7f
Instruction Fuzzy Hash: 29E0BF36104305BBDB112B95DC08859FBA7FF893223108221FA25C1671CB329471EB71

Function 00D4B29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D4B29A
GetDC.USER32(00000000), ref: 00D4B2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D4B2C3
ReleaseDC.USER32 ref: 00D4B2E2

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 40c8aa828c0c3c59b7676979a84707bef04842d8ec67e2d5e8c1d93512e4be08
Instruction ID: f1277ad771c51d5d2e9b4e937e2b447c63e163df6ce7da96682035b96c42e102
Opcode Fuzzy Hash: 40c8aa828c0c3c59b7676979a84707bef04842d8ec67e2d5e8c1d93512e4be08
Instruction Fuzzy Hash: 6FE09AB1500308EFDB115F71D84866D7BAAEB4C362F118816FD5AC7351DAB498419B74

Function 00D4B2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D4B2AE
GetDC.USER32(00000000), ref: 00D4B2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D4B2C3
ReleaseDC.USER32 ref: 00D4B2E2

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 51e8658a61ec94ac3035394e7b00672c7904b278ab13a34b4f1f1dbfb68fbaac
Instruction ID: c81276c6438edd1a141951f9339e9d12ac8d9e5d22a871e1082a49ee5f954c42
Opcode Fuzzy Hash: 51e8658a61ec94ac3035394e7b00672c7904b278ab13a34b4f1f1dbfb68fbaac
Instruction Fuzzy Hash: 4CE046B1500308EFDB105F71CC4862D7BAAEB4C362F118809FD5ACB351CBB898428B30

Function 00D1C56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00CD44ED: __fread_nolock.LIBCMT ref: 00CD450B

_wcscmp.LIBCMT ref: 00D1C65D
_wcscmp.LIBCMT ref: 00D1C670

Strings

FILE, xrefs: 00D1C5A5

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: d824997917197011972327ed2d5517cd4510bff9de473f8f251be6441aadf3c7
Instruction ID: 7fcc6605b77d21d4996264b3243146123918412ed1bf77080b323e3f03d9c49e
Opcode Fuzzy Hash: d824997917197011972327ed2d5517cd4510bff9de473f8f251be6441aadf3c7
Instruction Fuzzy Hash: D641D572A0420ABBDF20AAA49C41FEF77B9EF49714F00407AF705EB191DA719A44DB61

Function 00D3A76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00D3A85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D3A86F

Strings

', xrefs: 00D3A7C3

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f9d0af6cb2b1ba60795cd25b8b9a2a897a0b1b53b38981158dc9a5ddb830d85a
Instruction ID: cc26fe8158abf63ff64506760504fe7801df67973948b213b28e7223dffcb6fc
Opcode Fuzzy Hash: f9d0af6cb2b1ba60795cd25b8b9a2a897a0b1b53b38981158dc9a5ddb830d85a
Instruction Fuzzy Hash: E741E7B4E013099FDB14CF68C881BDA7BB9FB08300F14006AE945EB341D770A946CFA1

Function 00D25180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D25190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00D251C6

Strings

|, xrefs: 00D251B5

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: db649499f71a898a01487cab7347e21fe26e1a11ae5d0dffdea24623bc36322b
Instruction ID: d9d831be66a02328244c0d5ec44b5c0d626add4273f5dd3ba76844f1f9c48d77
Opcode Fuzzy Hash: db649499f71a898a01487cab7347e21fe26e1a11ae5d0dffdea24623bc36322b
Instruction Fuzzy Hash: BA311971C00119EBCF01AFA4DC85EEE7FB9FF28704F10005AF915A6266DA35A906DBA0

Function 00D3975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00D3980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00D3984A

Strings

static, xrefs: 00D397AA

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: aee43642fb89cf3e792f4201d80739f1899a211c01f4c2618d11dc7e201a3fb6
Instruction ID: 20b02114cdc376521e4676dbcb46c4ad3fe9c20b7b7bc10668e66bc51f7eadf6
Opcode Fuzzy Hash: aee43642fb89cf3e792f4201d80739f1899a211c01f4c2618d11dc7e201a3fb6
Instruction Fuzzy Hash: 0E317C71110604AEEB109F78CC91BBBB3A9FF99760F148619F8A9C7190CA71AC82D770

Function 00D0C2DE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00D0C2F7
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00D0C331

Strings

@U=u, xrefs: 00D0C2F7, 00D0C331

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: d4e8a4815d85583262790555436c50797fb635eecb22b862cdcb4e2a5e0114b5
Instruction ID: c2fa8cdd118be6f54defccc6a892d31ed072cac91d0178310e0cc3b0fb4e7de2
Opcode Fuzzy Hash: d4e8a4815d85583262790555436c50797fb635eecb22b862cdcb4e2a5e0114b5
Instruction Fuzzy Hash: 5721EB72D10315ABCB11AF58C881EEEB7B5EF88700B158116EA19A72D0EB709D42D770

Function 00D15157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D151C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D15201

Strings

0, xrefs: 00D151BF

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: eb2441463f843cf6041b0e059e150fdfcadcb5b4e082b43a8569fdf6b4c9b0d5
Instruction ID: 738a3e05eae5c6825d78f385207d1d6349c7dcf2503f58b6db5f8ab61a1afcf5
Opcode Fuzzy Hash: eb2441463f843cf6041b0e059e150fdfcadcb5b4e082b43a8569fdf6b4c9b0d5
Instruction Fuzzy Hash: 7531E532600305FBEB25CF99F845BEDBBF4AF86354F180019E982A6194DB789984CB34

Function 00D2658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00D26608

Strings

AUTOITCALLVARIABLE%d, xrefs: 00D265FA
, $, xrefs: 00D26648

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: e6b4587abf9adbcc60b57f5408667e823bf6755553e51b985dc3752e24ac6d15
Instruction ID: 0c4146e6f04459291a73268eb3dc4e8b9ea542fe8d81942e40a1122d61e74330
Opcode Fuzzy Hash: e6b4587abf9adbcc60b57f5408667e823bf6755553e51b985dc3752e24ac6d15
Instruction Fuzzy Hash: 4F218E71600228AFCF10EFA4D882AAE77B4EF54744F10049AF505AB281DA70EA49DBB5

Function 00D3955E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D17DB1: GetLocalTime.KERNEL32 ref: 00D17DBE
Part of subcall function 00D17DB1: _wcsncpy.LIBCMT ref: 00D17DF3
Part of subcall function 00D17DB1: _wcsncpy.LIBCMT ref: 00D17E25
Part of subcall function 00D17DB1: _wcsncpy.LIBCMT ref: 00D17E58
Part of subcall function 00D17DB1: _wcsncpy.LIBCMT ref: 00D17E9A

SendMessageW.USER32(?,00001002,00000000,?), ref: 00D395F8

Strings

@U=u, xrefs: 00D395F8
SysDateTimePick32, xrefs: 00D395B6

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: _wcsncpy$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2466184910-2530228043
Opcode ID: c410d810e97e95d6892a484e1290f237931f7eb48eb712ea1c1aa006d76ab052
Instruction ID: 0fd1ea3bcca92ab92a598961f188cf4a6493ab1a19462c5c69f6c8cbc5c87db7
Opcode Fuzzy Hash: c410d810e97e95d6892a484e1290f237931f7eb48eb712ea1c1aa006d76ab052
Instruction Fuzzy Hash: 8C21D332340208AFEF229E64DC92FEE736AEB44760F140519F951AB2D0D6B1EC8197B0

Function 00D0BB97 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D0BBB0

Part of subcall function 00D1422F: GetWindowThreadProcessId.USER32(?,?), ref: 00D1425A
Part of subcall function 00D1422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D0BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00D1426A
Part of subcall function 00D1422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D0BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00D14280

Part of subcall function 00D1430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D0BC08,?,?,00000034,00000800,?,00000034), ref: 00D14335

SendMessageW.USER32(?,00001073,00000000,?), ref: 00D0BC17

Part of subcall function 00D142D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D0BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00D14300

Strings

@U=u, xrefs: 00D0BBB0, 00D0BC17

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: e2c3315509f5c34c63560d4d51783b8a4fce864dc62bf12ba579de301540e4a5
Instruction ID: fd38661f94a70399c62887451226e1f11237897e90a197ccb2dfb008b5c42bb9
Opcode Fuzzy Hash: e2c3315509f5c34c63560d4d51783b8a4fce864dc62bf12ba579de301540e4a5
Instruction Fuzzy Hash: C3215E31901218AAEF21ABA4DC41FDEBBB9FF04350F100196F648A71D0EE705A84DBB4

Function 00D393CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D3945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D39467

Strings

Combobox, xrefs: 00D39429

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 718f2f82e7c900fc46746e8aae47f715ee9caa12618abae559d63e9fb676b9a4
Instruction ID: 36873441d616b816bef4d9bb565cc0479de4cbc82ffcbcff73cd5651fbe65719
Opcode Fuzzy Hash: 718f2f82e7c900fc46746e8aae47f715ee9caa12618abae559d63e9fb676b9a4
Instruction Fuzzy Hash: A611B2B13002096FEF219F54DC90EBB776EEB883A4F140125F919972D0D6B19C528774

Function 00D3C3DE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

@U=u, xrefs: 00D3C45F, 00D3C488

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: 04980bda254dfd12f6037325a3ca2024c6e51cb40956d75e4eed0f3f52327de5
Instruction ID: 3a5ed6f2a70c903022807a6a2b540d736f86a49dd1c2838aeb7fb4ba90c57c72
Opcode Fuzzy Hash: 04980bda254dfd12f6037325a3ca2024c6e51cb40956d75e4eed0f3f52327de5
Instruction Fuzzy Hash: B5119D7522432CBEEF218FA48D25FB937A4EB05710F089115FA56FA1D0D6B1EA10EB71

Function 00D0D4F2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD103B: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00CD1052

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D0D54E
_strlen.LIBCMT ref: 00D0D559

Strings

@U=u, xrefs: 00D0D54E

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: dcaaf2f6c5c2ee0dd8b007f3fafab7a4b80e8e71e48199527cb8e27b45086e97
Instruction ID: 6c07afd4324e761cfe67c828dab40b689447f7534cef15a089526b1df22c67a7
Opcode Fuzzy Hash: dcaaf2f6c5c2ee0dd8b007f3fafab7a4b80e8e71e48199527cb8e27b45086e97
Instruction Fuzzy Hash: B111A731200105A7CB04BEA9DC86ABE77A9DF56344F10443BFA0A9B2D2DE60D946A770

Function 00D398FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00CED17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00CED1BA
Part of subcall function 00CED17C: GetStockObject.GDI32(00000011), ref: 00CED1CE
Part of subcall function 00CED17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CED1D8

GetWindowRect.USER32(00000000,?), ref: 00D39968
GetSysColor.USER32(00000012), ref: 00D39982

Strings

static, xrefs: 00D39945

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 20940f8f1d25e5f482561ae0173772192fd064db00ff07423a0e588eb14317eb
Instruction ID: 1c2ac55ebffcb7ac9f2c068f07459a77e1726c82fb3ece33c54f7c1a55c95a51
Opcode Fuzzy Hash: 20940f8f1d25e5f482561ae0173772192fd064db00ff07423a0e588eb14317eb
Instruction Fuzzy Hash: 3011567252020AAFDB04DFB8CC45EEABBA8FB08314F051628F956E2250E774E811DB70

Function 00D15262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D152D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00D152F4

Strings

0, xrefs: 00D152CE

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 75547b38f898d4b7a022a19ebfd067125a36a6f6c1a0d3f910552ee97d833d7f
Instruction ID: 53c82fc0f42284e24f1ef1858ea62874e279d1ed6bc4696d1b1c4b75a5223494
Opcode Fuzzy Hash: 75547b38f898d4b7a022a19ebfd067125a36a6f6c1a0d3f910552ee97d833d7f
Instruction Fuzzy Hash: 3D110336901715FBDB20DAD8F804BDD77A8AB85750F180111E961E7298DBB4ED40D7B0

Function 00D24D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D24DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00D24E1E

Strings

<local>, xrefs: 00D24DE6

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: fe77c96a958d6a0bc43ee7d12d4b10776ed43829e63a3faaf676a78c7a72b186
Instruction ID: 88cfa53a7a298d027ab60d5182c5d082770baa5f84b28584cc84eec42da14926
Opcode Fuzzy Hash: fe77c96a958d6a0bc43ee7d12d4b10776ed43829e63a3faaf676a78c7a72b186
Instruction Fuzzy Hash: 6C1170B0501231BBDB258F61D889EFBFAA8FF26759F10822AF95596140E770A944C6F0

Function 00D3B1DE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00D3B22B

Strings

@U=u, xrefs: 00D3B22B, 00D3B267

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: bf52bbb6328c56c9d6a2d48bfe9b5dd88138c7902d447330ea72617446feb5cb
Instruction ID: bd338af2c0d104676a58304b5e231772010899fa2d93315d04b8fd20aee5c21b
Opcode Fuzzy Hash: bf52bbb6328c56c9d6a2d48bfe9b5dd88138c7902d447330ea72617446feb5cb
Instruction Fuzzy Hash: 2C21D379A0020AEF8F15CF98C840CAE7BB6FB4D350B044256FE06A3320D731E951DBA4

Function 00D392B1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 00D39327

Strings

@U=u, xrefs: 00D39327
button, xrefs: 00D392FE

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: c6604c9e7f7f02bb4cdb068a4750310c1dc7840e42273afadbb46ad37aa90efb
Instruction ID: ebd0a88fcf0665b72218a253077b9eaa28958785f38a91891177df2a6c0938cc
Opcode Fuzzy Hash: c6604c9e7f7f02bb4cdb068a4750310c1dc7840e42273afadbb46ad37aa90efb
Instruction Fuzzy Hash: 8811ED72150209ABDF118F64CC11FEA776AFF08364F090214FE95A71E0C7B2E861AB34

Function 00D3A587 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 00D3A5D3

Strings

@U=u, xrefs: 00D3A5D3

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 313c72061f47884e3304b4cb3cfac2c512cb84c08ee9c78bc39c0c0a3ebf83c0
Instruction ID: 3eda4249392cf20a0732c4c58e539f86e845367a4fd57439a26ce9391c39ee03
Opcode Fuzzy Hash: 313c72061f47884e3304b4cb3cfac2c512cb84c08ee9c78bc39c0c0a3ebf83c0
Instruction Fuzzy Hash: 9611AF31600744AFDB20CF288892AE6BBE5BF05314F14450DE9EA87291D7716941DB70

Function 00D2A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00D2A84E
htons.WSOCK32(00000000,?,00000000), ref: 00D2A88B

Strings

255.255.255.255, xrefs: 00D2A866

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 751f40c0bc94e7ba52ce9d03054188d1a37eba9e5d63582b0f449bfa8f8ce389
Instruction ID: ef3483686d5311a814f9d350375b28c9684e96c75720356ca76b6a198a26f9fc
Opcode Fuzzy Hash: 751f40c0bc94e7ba52ce9d03054188d1a37eba9e5d63582b0f449bfa8f8ce389
Instruction Fuzzy Hash: 45012238200315ABCB20AF68EC86FA9F764EF14318F108426F9169B3D1D731E801C772

Function 00D3F2D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEB34E: GetWindowLongW.USER32(?,000000EB), ref: 00CEB35F

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00D4E44F,?,?,?), ref: 00D3F344

Part of subcall function 00CEB526: GetWindowLongW.USER32(?,000000EB), ref: 00CEB537

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00D3F32A

Strings

@U=u, xrefs: 00D3F32A

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: bfda1789b9428397612b04b7ff0f872ca1d6b802b7eeb8ec54573c2fc28bb1a0
Instruction ID: ce74556f535d40fe2830bd0c3ad5d3204f035029ecfc3e34117c5e1b727882cb
Opcode Fuzzy Hash: bfda1789b9428397612b04b7ff0f872ca1d6b802b7eeb8ec54573c2fc28bb1a0
Instruction Fuzzy Hash: 1801BC35601308AFCB219F14EC85FAA7B76FB85325F18456AF8564B2E0C731AC02DB70

Function 00D0C65B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D0C66D
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00D0C69D

Strings

@U=u, xrefs: 00D0C66D, 00D0C69D

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 2bbd8194bc4bc7ebd5d15a9d153dd085310acbf6d77a768348b1b8a34df60d57
Instruction ID: b32776cf98a5b138708ecc69f7d9e3bd2f4ea63f446f563db4d24263a3792170
Opcode Fuzzy Hash: 2bbd8194bc4bc7ebd5d15a9d153dd085310acbf6d77a768348b1b8a34df60d57
Instruction Fuzzy Hash: A6F08C71340308BBEB216F90EC86FAA7A29EB08792F105115FB495A1E0CAE25851A770

Function 00D0C7D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0C2DE: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00D0C2F7
Part of subcall function 00D0C2DE: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00D0C331

SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 00D0C7FC
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D0C80C

Strings

@U=u, xrefs: 00D0C7FC, 00D0C80C

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 943cde254eb6cba6c8e340865136f21543b51640afd8e95073e8af700e83e6ce
Instruction ID: 1c2f1b6103f0d033e8befc11101943fbb4f736b35715b272c0c955512e685127
Opcode Fuzzy Hash: 943cde254eb6cba6c8e340865136f21543b51640afd8e95073e8af700e83e6ce
Instruction Fuzzy Hash: 9CE0D87524430D7FF7211B619C4AFA73B6DEB48751F104035BB04551D1EEA38C525534

Function 00D17744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00D17762
_wcscmp.LIBCMT ref: 00D17774

Strings

#32770, xrefs: 00D1776E

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 51965dd8c607cfa3c84fd112b8bc107600a927aea5ece237b780f28a7a191c0c
Instruction ID: cd5556b10e450baf41c4eb9c61e1168675d0ac198f35bce43dc70507f7d4a982
Opcode Fuzzy Hash: 51965dd8c607cfa3c84fd112b8bc107600a927aea5ece237b780f28a7a191c0c
Instruction Fuzzy Hash: 66E092776043286BD720AAA9AC0AED7FBACAB51B60F000016B915D3181E660A645C7F0

Function 00D0A631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00D0A63F

Part of subcall function 00CF13F1: _doexit.LIBCMT ref: 00CF13FB

Strings

AutoIt, xrefs: 00D0A633
Error allocating memory., xrefs: 00D0A638

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 66cdf370c6a7afba4afc73cb850a0469511788817d4d1086bd0927711e39873f
Instruction ID: 5cbe91877acd6e0714efad8ab481fefecd93b13911383c35bb23c001914a5d36
Opcode Fuzzy Hash: 66cdf370c6a7afba4afc73cb850a0469511788817d4d1086bd0927711e39873f
Instruction Fuzzy Hash: D3D05B313C571C37D215369D7C1BFD575488B15B51F180016FF0C955D249E3968552F9

Function 00D4AE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00D4ACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00D4AEBD

Strings

WIN_XPe, xrefs: 00D4ACD3

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: ec8106cbf3a22f469df3fabd23d125a417fa9859a1249fc12e947e1cf37a385d
Instruction ID: e25f939b2c38a9379b24e6c7086aa3796663173017e96ada275c7bab703b33f0
Opcode Fuzzy Hash: ec8106cbf3a22f469df3fabd23d125a417fa9859a1249fc12e947e1cf37a385d
Instruction Fuzzy Hash: BCE06D74C00749EFCB51DBA9DD889ECB7B8AB88301F148086E442B2260CB304A84DF32

Function 00D386CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D386E2
PostMessageW.USER32(00000000), ref: 00D386E9

Part of subcall function 00D17A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00D17AD0

Strings

Shell_TrayWnd, xrefs: 00D386DB

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: dd0e59efb71d9c6789ffeaf559b5ceaf92ad3ceebfbf3b85e28533edd81e69e1
Instruction ID: b700d026fb020b498459001515c7da7b5eb762d0bca995124b0f3195756cb95b
Opcode Fuzzy Hash: dd0e59efb71d9c6789ffeaf559b5ceaf92ad3ceebfbf3b85e28533edd81e69e1
Instruction Fuzzy Hash: E9D0C9313853187BE274A770AC0BFC67A199B05B12F100815BA49EA2E0C9A0A9408775

Function 00D38698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D386A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00D386B5

Part of subcall function 00D17A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00D17AD0

Strings

Shell_TrayWnd, xrefs: 00D3869B

Memory Dump Source

Source File: 00000000.00000002.1369922964.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000000.00000002.1369902686.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1369980283.0000000000D7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370071928.0000000000D8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D99000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000D9E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1370096677.0000000000DA5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cd0000_RSLMZxqebl.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 49be56e237e1fac41d78dfef99493c61eb5ed08c46f87d520659d0a0f1e98211
Instruction ID: ff5527191686ddbef61150f9c6d8ab14c82576411bea1e80de4e8cb6939b3822
Opcode Fuzzy Hash: 49be56e237e1fac41d78dfef99493c61eb5ed08c46f87d520659d0a0f1e98211
Instruction Fuzzy Hash: 47D0C931384318BBE274A770AC1BFC67A199B04B12F100815BA49EA2E0C9A0A9408775

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RSLMZxqebl.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut5A67.tmp

C:\Users\user\AppData\Local\Temp\snaith

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
RSLMZxqebl.exe

Function 00CFB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00CD3D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Function 00CEDDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 00CD406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00D1FA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238
COMMON

Function 00CD3F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00D1BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 00CD3742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00CD3E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 01116720 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00CD49FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 00CD36B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00CF7B47 Relevance: 9.0, APIs: 6, Instructions: 45
threadCOMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre